From 2315b05d989b8847f3a2257bddce32d2b9373df0 Mon Sep 17 00:00:00 2001 From: Eric Christensen Date: Tue, 7 May 2013 23:27:13 -0400 Subject: [PATCH] Adding translations --- .../el-GR_translation | 35 + .../en_US_translation | 35 + .../es-ES_translation | 36 + .../fi-FI_translation | 35 + .../fr-FR_translation | 36 + .../gl-ES_translation | 35 + .../id-ID_translation | 35 + .../it-IT_translation | 35 + .../ko-KR_translation | 35 + .../ru-RU_translation | 35 + .../sl-SI_translation | 35 + .../el-GR_translation | 38 + .../en_US_translation | 38 + .../fi-FI_translation | 38 + .../fr-FR_translation | 39 + .../gl-ES_translation | 38 + .../id-ID_translation | 38 + .../it-IT_translation | 38 + .../ko-KR_translation | 38 + .../ru-RU_translation | 38 + .../sl-SI_translation | 38 + defensive-coding/bo/Author_Group.po | 35 + defensive-coding/bo/Book_Info.po | 38 + defensive-coding/bo/C/Allocators.po | 265 ++++ defensive-coding/bo/C/C.po | 20 + defensive-coding/bo/C/Libc.po | 278 ++++ .../bo/C/snippets/Arithmetic-add.po | 36 + .../bo/C/snippets/Arithmetic-mult.po | 29 + .../bo/C/snippets/Pointers-remaining.po | 64 + .../bo/C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../bo/C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/bo/CXX/CXX.po | 20 + defensive-coding/bo/CXX/Language.po | 234 ++++ defensive-coding/bo/CXX/Std.po | 55 + defensive-coding/bo/Defensive_Coding.po | 30 + .../bo/Features/Authentication.po | 231 ++++ defensive-coding/bo/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../bo/Features/snippets/TLS-GNUTLS-Init.po | 22 + .../bo/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../bo/Features/snippets/TLS-NSS-Close.po | 23 + .../bo/Features/snippets/TLS-NSS-Includes.po | 35 + .../bo/Features/snippets/TLS-NSS-Init.po | 83 ++ .../bo/Features/snippets/TLS-NSS-Use.po | 42 + .../bo/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../bo/Features/snippets/TLS-Python-Close.po | 22 + .../bo/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/bo/Revision_History.po | 35 + defensive-coding/bo/Tasks/Cryptography.po | 199 +++ defensive-coding/bo/Tasks/Descriptors.po | 332 +++++ defensive-coding/bo/Tasks/File_System.po | 396 ++++++ defensive-coding/bo/Tasks/Library_Design.po | 267 ++++ defensive-coding/bo/Tasks/Processes.po | 597 +++++++++ defensive-coding/bo/Tasks/Serialization.po | 513 ++++++++ defensive-coding/bo/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/cs-CZ/Author_Group.po | 35 + defensive-coding/cs-CZ/Book_Info.po | 38 + defensive-coding/cs-CZ/C/Allocators.po | 265 ++++ defensive-coding/cs-CZ/C/C.po | 20 + defensive-coding/cs-CZ/C/Libc.po | 278 ++++ .../cs-CZ/C/snippets/Arithmetic-add.po | 36 + .../cs-CZ/C/snippets/Arithmetic-mult.po | 29 + .../cs-CZ/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/cs-CZ/CXX/CXX.po | 20 + defensive-coding/cs-CZ/CXX/Language.po | 234 ++++ defensive-coding/cs-CZ/CXX/Std.po | 55 + defensive-coding/cs-CZ/Defensive_Coding.po | 30 + .../cs-CZ/Features/Authentication.po | 231 ++++ defensive-coding/cs-CZ/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../cs-CZ/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../cs-CZ/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../cs-CZ/Features/snippets/TLS-NSS-Init.po | 83 ++ .../cs-CZ/Features/snippets/TLS-NSS-Use.po | 42 + .../cs-CZ/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../cs-CZ/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/cs-CZ/Revision_History.po | 35 + defensive-coding/cs-CZ/Tasks/Cryptography.po | 199 +++ defensive-coding/cs-CZ/Tasks/Descriptors.po | 332 +++++ defensive-coding/cs-CZ/Tasks/File_System.po | 396 ++++++ .../cs-CZ/Tasks/Library_Design.po | 267 ++++ defensive-coding/cs-CZ/Tasks/Processes.po | 597 +++++++++ defensive-coding/cs-CZ/Tasks/Serialization.po | 513 ++++++++ .../cs-CZ/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/de-DE/Author_Group.po | 35 + defensive-coding/de-DE/Book_Info.po | 38 + defensive-coding/de-DE/C/Allocators.po | 265 ++++ defensive-coding/de-DE/C/C.po | 20 + defensive-coding/de-DE/C/Libc.po | 278 ++++ .../de-DE/C/snippets/Arithmetic-add.po | 36 + .../de-DE/C/snippets/Arithmetic-mult.po | 29 + .../de-DE/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/de-DE/CXX/CXX.po | 20 + defensive-coding/de-DE/CXX/Language.po | 234 ++++ defensive-coding/de-DE/CXX/Std.po | 55 + defensive-coding/de-DE/Defensive_Coding.po | 30 + .../de-DE/Features/Authentication.po | 231 ++++ defensive-coding/de-DE/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../de-DE/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../de-DE/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../de-DE/Features/snippets/TLS-NSS-Init.po | 83 ++ .../de-DE/Features/snippets/TLS-NSS-Use.po | 42 + .../de-DE/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../de-DE/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/de-DE/Revision_History.po | 35 + defensive-coding/de-DE/Tasks/Cryptography.po | 199 +++ defensive-coding/de-DE/Tasks/Descriptors.po | 332 +++++ defensive-coding/de-DE/Tasks/File_System.po | 396 ++++++ .../de-DE/Tasks/Library_Design.po | 267 ++++ defensive-coding/de-DE/Tasks/Processes.po | 597 +++++++++ defensive-coding/de-DE/Tasks/Serialization.po | 513 ++++++++ .../de-DE/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/el-GR/Author_Group.po | 35 + defensive-coding/el-GR/Book_Info.po | 38 + defensive-coding/el-GR/C/Allocators.po | 265 ++++ defensive-coding/el-GR/C/C.po | 20 + defensive-coding/el-GR/C/Libc.po | 278 ++++ .../el-GR/C/snippets/Arithmetic-add.po | 36 + .../el-GR/C/snippets/Arithmetic-mult.po | 29 + .../el-GR/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/el-GR/CXX/CXX.po | 20 + defensive-coding/el-GR/CXX/Language.po | 234 ++++ defensive-coding/el-GR/CXX/Std.po | 55 + defensive-coding/el-GR/Defensive_Coding.po | 30 + .../el-GR/Features/Authentication.po | 231 ++++ defensive-coding/el-GR/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../el-GR/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../el-GR/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../el-GR/Features/snippets/TLS-NSS-Init.po | 83 ++ .../el-GR/Features/snippets/TLS-NSS-Use.po | 42 + .../el-GR/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../el-GR/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/el-GR/Revision_History.po | 35 + defensive-coding/el-GR/Tasks/Cryptography.po | 199 +++ defensive-coding/el-GR/Tasks/Descriptors.po | 332 +++++ defensive-coding/el-GR/Tasks/File_System.po | 396 ++++++ .../el-GR/Tasks/Library_Design.po | 267 ++++ defensive-coding/el-GR/Tasks/Processes.po | 597 +++++++++ defensive-coding/el-GR/Tasks/Serialization.po | 513 ++++++++ .../el-GR/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/en_US/Author_Group.po | 35 + defensive-coding/en_US/Book_Info.po | 38 + defensive-coding/en_US/C/Allocators.po | 265 ++++ defensive-coding/en_US/C/C.po | 20 + defensive-coding/en_US/C/Libc.po | 278 ++++ .../en_US/C/snippets/Arithmetic-add.po | 36 + .../en_US/C/snippets/Arithmetic-mult.po | 29 + .../en_US/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/en_US/CXX/CXX.po | 20 + defensive-coding/en_US/CXX/Language.po | 234 ++++ defensive-coding/en_US/CXX/Std.po | 55 + defensive-coding/en_US/Defensive_Coding.po | 30 + .../en_US/Features/Authentication.po | 231 ++++ defensive-coding/en_US/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../en_US/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../en_US/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../en_US/Features/snippets/TLS-NSS-Init.po | 83 ++ .../en_US/Features/snippets/TLS-NSS-Use.po | 42 + .../en_US/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../en_US/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/en_US/Revision_History.po | 35 + defensive-coding/en_US/Tasks/Cryptography.po | 199 +++ defensive-coding/en_US/Tasks/Descriptors.po | 332 +++++ defensive-coding/en_US/Tasks/File_System.po | 396 ++++++ .../en_US/Tasks/Library_Design.po | 267 ++++ defensive-coding/en_US/Tasks/Processes.po | 597 +++++++++ defensive-coding/en_US/Tasks/Serialization.po | 513 ++++++++ .../en_US/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/es-ES/Author_Group.po | 36 + defensive-coding/es-ES/Book_Info.po | 38 + defensive-coding/es-ES/C/Allocators.po | 265 ++++ defensive-coding/es-ES/C/C.po | 20 + defensive-coding/es-ES/C/Libc.po | 278 ++++ .../es-ES/C/snippets/Arithmetic-add.po | 36 + .../es-ES/C/snippets/Arithmetic-mult.po | 29 + .../es-ES/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/es-ES/CXX/CXX.po | 20 + defensive-coding/es-ES/CXX/Language.po | 234 ++++ defensive-coding/es-ES/CXX/Std.po | 55 + defensive-coding/es-ES/Defensive_Coding.po | 30 + .../es-ES/Features/Authentication.po | 231 ++++ defensive-coding/es-ES/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../es-ES/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../es-ES/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../es-ES/Features/snippets/TLS-NSS-Init.po | 83 ++ .../es-ES/Features/snippets/TLS-NSS-Use.po | 42 + .../es-ES/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../es-ES/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/es-ES/Revision_History.po | 35 + defensive-coding/es-ES/Tasks/Cryptography.po | 199 +++ defensive-coding/es-ES/Tasks/Descriptors.po | 332 +++++ defensive-coding/es-ES/Tasks/File_System.po | 396 ++++++ .../es-ES/Tasks/Library_Design.po | 267 ++++ defensive-coding/es-ES/Tasks/Processes.po | 597 +++++++++ defensive-coding/es-ES/Tasks/Serialization.po | 513 ++++++++ .../es-ES/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/fi-FI/Author_Group.po | 35 + defensive-coding/fi-FI/Book_Info.po | 38 + defensive-coding/fr-FR/Author_Group.po | 36 + defensive-coding/fr-FR/Book_Info.po | 39 + defensive-coding/fr-FR/C/Allocators.po | 266 ++++ defensive-coding/fr-FR/C/C.po | 21 + defensive-coding/fr-FR/C/Libc.po | 279 ++++ .../fr-FR/C/snippets/Arithmetic-add.po | 37 + .../fr-FR/C/snippets/Arithmetic-mult.po | 30 + .../fr-FR/C/snippets/Pointers-remaining.po | 65 + .../C/snippets/String-Functions-format.po | 34 + .../C/snippets/String-Functions-snprintf.po | 24 + .../C/snippets/String-Functions-strncpy.po | 25 + defensive-coding/fr-FR/CXX/CXX.po | 21 + defensive-coding/fr-FR/CXX/Language.po | 235 ++++ defensive-coding/fr-FR/CXX/Std.po | 56 + defensive-coding/fr-FR/Defensive_Coding.po | 31 + .../fr-FR/Features/Authentication.po | 232 ++++ defensive-coding/fr-FR/Features/TLS.po | 1121 +++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 72 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 48 + .../snippets/TLS-Client-GNUTLS-Match.po | 49 + .../snippets/TLS-Client-GNUTLS-Verify.po | 62 + .../Features/snippets/TLS-Client-NSS-Close.po | 32 + .../snippets/TLS-Client-NSS-Connect.po | 133 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 42 + .../snippets/TLS-Client-OpenJDK-Context.po | 42 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 38 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 23 + .../snippets/TLS-Client-OpenJDK-Import.po | 34 + .../TLS-Client-OpenJDK-MyTrustManager.po | 54 + .../snippets/TLS-Client-OpenJDK-Use.po | 29 + .../snippets/TLS-Client-OpenSSL-CTX.po | 87 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 73 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 33 + .../snippets/TLS-Client-OpenSSL-Init.po | 29 + .../snippets/TLS-Client-Python-Connect.po | 30 + .../TLS-Client-Python-check_host_name.po | 45 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 23 + .../snippets/TLS-GNUTLS-Disconnect.po | 31 + .../Features/snippets/TLS-GNUTLS-Init.po | 23 + .../fr-FR/Features/snippets/TLS-GNUTLS-Use.po | 39 + .../fr-FR/Features/snippets/TLS-NSS-Close.po | 24 + .../Features/snippets/TLS-NSS-Includes.po | 36 + .../fr-FR/Features/snippets/TLS-NSS-Init.po | 84 ++ .../fr-FR/Features/snippets/TLS-NSS-Use.po | 43 + .../fr-FR/Features/snippets/TLS-Nagle.po | 28 + .../snippets/TLS-OpenJDK-Parameters.po | 43 + .../snippets/TLS-OpenSSL-Connection-Close.po | 47 + .../snippets/TLS-OpenSSL-Context-Close.po | 23 + .../Features/snippets/TLS-OpenSSL-Errors.po | 52 + .../Features/snippets/TLS-Python-Close.po | 23 + .../fr-FR/Features/snippets/TLS-Python-Use.po | 27 + defensive-coding/fr-FR/Revision_History.po | 36 + defensive-coding/fr-FR/Tasks/Cryptography.po | 200 +++ defensive-coding/fr-FR/Tasks/Descriptors.po | 333 +++++ defensive-coding/fr-FR/Tasks/File_System.po | 397 ++++++ .../fr-FR/Tasks/Library_Design.po | 268 ++++ defensive-coding/fr-FR/Tasks/Processes.po | 598 +++++++++ defensive-coding/fr-FR/Tasks/Serialization.po | 514 ++++++++ .../fr-FR/Tasks/Temporary_Files.po | 310 +++++ .../Serialization-XML-Expat-Create.po | 34 + ...rialization-XML-Expat-EntityDeclHandler.po | 32 + .../Serialization-XML-OpenJDK-Errors.po | 38 + .../Serialization-XML-OpenJDK-Imports.po | 43 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 31 + ...lization-XML-OpenJDK-NoResourceResolver.po | 33 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 35 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 39 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 42 + defensive-coding/gl-ES/Author_Group.po | 35 + defensive-coding/gl-ES/Book_Info.po | 38 + defensive-coding/hi-IN/Author_Group.po | 35 + defensive-coding/hi-IN/Book_Info.po | 38 + defensive-coding/hi-IN/C/Allocators.po | 265 ++++ defensive-coding/hi-IN/C/C.po | 20 + defensive-coding/hi-IN/C/Libc.po | 278 ++++ .../hi-IN/C/snippets/Arithmetic-add.po | 36 + .../hi-IN/C/snippets/Arithmetic-mult.po | 29 + .../hi-IN/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/hi-IN/CXX/CXX.po | 20 + defensive-coding/hi-IN/CXX/Language.po | 234 ++++ defensive-coding/hi-IN/CXX/Std.po | 55 + defensive-coding/hi-IN/Defensive_Coding.po | 30 + .../hi-IN/Features/Authentication.po | 231 ++++ defensive-coding/hi-IN/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../hi-IN/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../hi-IN/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../hi-IN/Features/snippets/TLS-NSS-Init.po | 83 ++ .../hi-IN/Features/snippets/TLS-NSS-Use.po | 42 + .../hi-IN/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../hi-IN/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/hi-IN/Revision_History.po | 35 + defensive-coding/hi-IN/Tasks/Cryptography.po | 199 +++ defensive-coding/hi-IN/Tasks/Descriptors.po | 332 +++++ defensive-coding/hi-IN/Tasks/File_System.po | 396 ++++++ .../hi-IN/Tasks/Library_Design.po | 267 ++++ defensive-coding/hi-IN/Tasks/Processes.po | 597 +++++++++ defensive-coding/hi-IN/Tasks/Serialization.po | 513 ++++++++ .../hi-IN/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/ia/Author_Group.po | 35 + defensive-coding/ia/Book_Info.po | 38 + defensive-coding/ia/C/Allocators.po | 265 ++++ defensive-coding/ia/C/C.po | 20 + defensive-coding/ia/C/Libc.po | 278 ++++ .../ia/C/snippets/Arithmetic-add.po | 36 + .../ia/C/snippets/Arithmetic-mult.po | 29 + .../ia/C/snippets/Pointers-remaining.po | 64 + .../ia/C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../ia/C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/ia/CXX/CXX.po | 20 + defensive-coding/ia/CXX/Language.po | 234 ++++ defensive-coding/ia/CXX/Std.po | 55 + defensive-coding/ia/Defensive_Coding.po | 30 + .../ia/Features/Authentication.po | 231 ++++ defensive-coding/ia/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../ia/Features/snippets/TLS-GNUTLS-Init.po | 22 + .../ia/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../ia/Features/snippets/TLS-NSS-Close.po | 23 + .../ia/Features/snippets/TLS-NSS-Includes.po | 35 + .../ia/Features/snippets/TLS-NSS-Init.po | 83 ++ .../ia/Features/snippets/TLS-NSS-Use.po | 42 + .../ia/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../ia/Features/snippets/TLS-Python-Close.po | 22 + .../ia/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/ia/Revision_History.po | 35 + defensive-coding/ia/Tasks/Cryptography.po | 199 +++ defensive-coding/ia/Tasks/Descriptors.po | 332 +++++ defensive-coding/ia/Tasks/File_System.po | 396 ++++++ defensive-coding/ia/Tasks/Library_Design.po | 267 ++++ defensive-coding/ia/Tasks/Processes.po | 597 +++++++++ defensive-coding/ia/Tasks/Serialization.po | 513 ++++++++ defensive-coding/ia/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/id-ID/Author_Group.po | 35 + defensive-coding/id-ID/Book_Info.po | 38 + defensive-coding/it-IT/Author_Group.po | 35 + defensive-coding/it-IT/Book_Info.po | 38 + defensive-coding/it-IT/C/Allocators.po | 265 ++++ defensive-coding/it-IT/C/C.po | 20 + defensive-coding/it-IT/C/Libc.po | 278 ++++ .../it-IT/C/snippets/Arithmetic-add.po | 36 + .../it-IT/C/snippets/Arithmetic-mult.po | 29 + .../it-IT/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/it-IT/CXX/CXX.po | 20 + defensive-coding/it-IT/CXX/Language.po | 234 ++++ defensive-coding/it-IT/CXX/Std.po | 55 + defensive-coding/it-IT/Defensive_Coding.po | 30 + .../it-IT/Features/Authentication.po | 231 ++++ defensive-coding/it-IT/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../it-IT/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../it-IT/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../it-IT/Features/snippets/TLS-NSS-Init.po | 83 ++ .../it-IT/Features/snippets/TLS-NSS-Use.po | 42 + .../it-IT/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../it-IT/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/it-IT/Revision_History.po | 35 + defensive-coding/it-IT/Tasks/Cryptography.po | 199 +++ defensive-coding/it-IT/Tasks/Descriptors.po | 332 +++++ defensive-coding/it-IT/Tasks/File_System.po | 396 ++++++ .../it-IT/Tasks/Library_Design.po | 267 ++++ defensive-coding/it-IT/Tasks/Processes.po | 597 +++++++++ defensive-coding/it-IT/Tasks/Serialization.po | 513 ++++++++ .../it-IT/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/ka/Author_Group.po | 35 + defensive-coding/ka/Book_Info.po | 38 + defensive-coding/ka/C/Allocators.po | 265 ++++ defensive-coding/ka/C/C.po | 20 + defensive-coding/ka/C/Libc.po | 278 ++++ .../ka/C/snippets/Arithmetic-add.po | 36 + .../ka/C/snippets/Arithmetic-mult.po | 29 + .../ka/C/snippets/Pointers-remaining.po | 64 + .../ka/C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../ka/C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/ka/CXX/CXX.po | 20 + defensive-coding/ka/CXX/Language.po | 234 ++++ defensive-coding/ka/CXX/Std.po | 55 + defensive-coding/ka/Defensive_Coding.po | 30 + .../ka/Features/Authentication.po | 231 ++++ defensive-coding/ka/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../ka/Features/snippets/TLS-GNUTLS-Init.po | 22 + .../ka/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../ka/Features/snippets/TLS-NSS-Close.po | 23 + .../ka/Features/snippets/TLS-NSS-Includes.po | 35 + .../ka/Features/snippets/TLS-NSS-Init.po | 83 ++ .../ka/Features/snippets/TLS-NSS-Use.po | 42 + .../ka/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../ka/Features/snippets/TLS-Python-Close.po | 22 + .../ka/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/ka/Revision_History.po | 35 + defensive-coding/ka/Tasks/Cryptography.po | 199 +++ defensive-coding/ka/Tasks/Descriptors.po | 332 +++++ defensive-coding/ka/Tasks/File_System.po | 396 ++++++ defensive-coding/ka/Tasks/Library_Design.po | 267 ++++ defensive-coding/ka/Tasks/Processes.po | 597 +++++++++ defensive-coding/ka/Tasks/Serialization.po | 513 ++++++++ defensive-coding/ka/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/kn-IN/Author_Group.po | 35 + defensive-coding/kn-IN/Book_Info.po | 38 + defensive-coding/kn-IN/C/Allocators.po | 265 ++++ defensive-coding/kn-IN/C/C.po | 20 + defensive-coding/kn-IN/C/Libc.po | 278 ++++ .../kn-IN/C/snippets/Arithmetic-add.po | 36 + .../kn-IN/C/snippets/Arithmetic-mult.po | 29 + .../kn-IN/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/kn-IN/CXX/CXX.po | 20 + defensive-coding/kn-IN/CXX/Language.po | 234 ++++ defensive-coding/kn-IN/CXX/Std.po | 55 + defensive-coding/kn-IN/Defensive_Coding.po | 30 + .../kn-IN/Features/Authentication.po | 231 ++++ defensive-coding/kn-IN/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../kn-IN/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../kn-IN/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../kn-IN/Features/snippets/TLS-NSS-Init.po | 83 ++ .../kn-IN/Features/snippets/TLS-NSS-Use.po | 42 + .../kn-IN/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../kn-IN/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/kn-IN/Revision_History.po | 35 + defensive-coding/kn-IN/Tasks/Cryptography.po | 199 +++ defensive-coding/kn-IN/Tasks/Descriptors.po | 332 +++++ defensive-coding/kn-IN/Tasks/File_System.po | 396 ++++++ .../kn-IN/Tasks/Library_Design.po | 267 ++++ defensive-coding/kn-IN/Tasks/Processes.po | 597 +++++++++ defensive-coding/kn-IN/Tasks/Serialization.po | 513 ++++++++ .../kn-IN/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/ko-KR/Author_Group.po | 35 + defensive-coding/ko-KR/Book_Info.po | 38 + defensive-coding/nl-NL/Author_Group.po | 35 + defensive-coding/nl-NL/Book_Info.po | 38 + defensive-coding/nl-NL/C/Allocators.po | 265 ++++ defensive-coding/nl-NL/C/C.po | 20 + defensive-coding/nl-NL/C/Libc.po | 278 ++++ .../nl-NL/C/snippets/Arithmetic-add.po | 36 + .../nl-NL/C/snippets/Arithmetic-mult.po | 29 + .../nl-NL/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/nl-NL/CXX/CXX.po | 20 + defensive-coding/nl-NL/CXX/Language.po | 234 ++++ defensive-coding/nl-NL/CXX/Std.po | 55 + defensive-coding/nl-NL/Defensive_Coding.po | 30 + .../nl-NL/Features/Authentication.po | 231 ++++ defensive-coding/nl-NL/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../nl-NL/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../nl-NL/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../nl-NL/Features/snippets/TLS-NSS-Init.po | 83 ++ .../nl-NL/Features/snippets/TLS-NSS-Use.po | 42 + .../nl-NL/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../nl-NL/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/nl-NL/Revision_History.po | 35 + defensive-coding/nl-NL/Tasks/Cryptography.po | 199 +++ defensive-coding/nl-NL/Tasks/Descriptors.po | 332 +++++ defensive-coding/nl-NL/Tasks/File_System.po | 396 ++++++ .../nl-NL/Tasks/Library_Design.po | 267 ++++ defensive-coding/nl-NL/Tasks/Processes.po | 597 +++++++++ defensive-coding/nl-NL/Tasks/Serialization.po | 513 ++++++++ .../nl-NL/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/pt-BR/Author_Group.po | 35 + defensive-coding/pt-BR/Book_Info.po | 38 + defensive-coding/pt-BR/C/Allocators.po | 265 ++++ defensive-coding/pt-BR/C/C.po | 20 + defensive-coding/pt-BR/C/Libc.po | 278 ++++ .../pt-BR/C/snippets/Arithmetic-add.po | 36 + .../pt-BR/C/snippets/Arithmetic-mult.po | 29 + .../pt-BR/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/pt-BR/CXX/CXX.po | 20 + defensive-coding/pt-BR/CXX/Language.po | 234 ++++ defensive-coding/pt-BR/CXX/Std.po | 55 + defensive-coding/pt-BR/Defensive_Coding.po | 30 + .../pt-BR/Features/Authentication.po | 231 ++++ defensive-coding/pt-BR/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../pt-BR/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../pt-BR/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../pt-BR/Features/snippets/TLS-NSS-Init.po | 83 ++ .../pt-BR/Features/snippets/TLS-NSS-Use.po | 42 + .../pt-BR/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../pt-BR/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/pt-BR/Revision_History.po | 35 + defensive-coding/pt-BR/Tasks/Cryptography.po | 199 +++ defensive-coding/pt-BR/Tasks/Descriptors.po | 332 +++++ defensive-coding/pt-BR/Tasks/File_System.po | 396 ++++++ .../pt-BR/Tasks/Library_Design.po | 267 ++++ defensive-coding/pt-BR/Tasks/Processes.po | 597 +++++++++ defensive-coding/pt-BR/Tasks/Serialization.po | 513 ++++++++ .../pt-BR/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/pt-PT/Author_Group.po | 35 + defensive-coding/pt-PT/Book_Info.po | 38 + defensive-coding/pt-PT/C/Allocators.po | 265 ++++ defensive-coding/pt-PT/C/C.po | 20 + defensive-coding/pt-PT/C/Libc.po | 278 ++++ .../pt-PT/C/snippets/Arithmetic-add.po | 36 + .../pt-PT/C/snippets/Arithmetic-mult.po | 29 + .../pt-PT/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/pt-PT/CXX/CXX.po | 20 + defensive-coding/pt-PT/CXX/Language.po | 234 ++++ defensive-coding/pt-PT/CXX/Std.po | 55 + defensive-coding/pt-PT/Defensive_Coding.po | 30 + .../pt-PT/Features/Authentication.po | 231 ++++ defensive-coding/pt-PT/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../pt-PT/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../pt-PT/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../pt-PT/Features/snippets/TLS-NSS-Init.po | 83 ++ .../pt-PT/Features/snippets/TLS-NSS-Use.po | 42 + .../pt-PT/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../pt-PT/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/pt-PT/Revision_History.po | 35 + defensive-coding/pt-PT/Tasks/Cryptography.po | 199 +++ defensive-coding/pt-PT/Tasks/Descriptors.po | 332 +++++ defensive-coding/pt-PT/Tasks/File_System.po | 396 ++++++ .../pt-PT/Tasks/Library_Design.po | 267 ++++ defensive-coding/pt-PT/Tasks/Processes.po | 597 +++++++++ defensive-coding/pt-PT/Tasks/Serialization.po | 513 ++++++++ .../pt-PT/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/ru-RU/Author_Group.po | 35 + defensive-coding/ru-RU/Book_Info.po | 38 + defensive-coding/sl-SI/Author_Group.po | 35 + defensive-coding/sl-SI/Book_Info.po | 38 + defensive-coding/te-IN/Author_Group.po | 35 + defensive-coding/te-IN/Book_Info.po | 38 + defensive-coding/te-IN/C/Allocators.po | 265 ++++ defensive-coding/te-IN/C/C.po | 20 + defensive-coding/te-IN/C/Libc.po | 278 ++++ .../te-IN/C/snippets/Arithmetic-add.po | 36 + .../te-IN/C/snippets/Arithmetic-mult.po | 29 + .../te-IN/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/te-IN/CXX/CXX.po | 20 + defensive-coding/te-IN/CXX/Language.po | 234 ++++ defensive-coding/te-IN/CXX/Std.po | 55 + defensive-coding/te-IN/Defensive_Coding.po | 30 + .../te-IN/Features/Authentication.po | 231 ++++ defensive-coding/te-IN/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../te-IN/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../te-IN/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../te-IN/Features/snippets/TLS-NSS-Init.po | 83 ++ .../te-IN/Features/snippets/TLS-NSS-Use.po | 42 + .../te-IN/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../te-IN/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/te-IN/Revision_History.po | 35 + defensive-coding/te-IN/Tasks/Cryptography.po | 199 +++ defensive-coding/te-IN/Tasks/Descriptors.po | 332 +++++ defensive-coding/te-IN/Tasks/File_System.po | 396 ++++++ .../te-IN/Tasks/Library_Design.po | 267 ++++ defensive-coding/te-IN/Tasks/Processes.po | 597 +++++++++ defensive-coding/te-IN/Tasks/Serialization.po | 513 ++++++++ .../te-IN/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/tr-TR/Author_Group.po | 35 + defensive-coding/tr-TR/Book_Info.po | 38 + defensive-coding/tr-TR/C/Allocators.po | 265 ++++ defensive-coding/tr-TR/C/C.po | 20 + defensive-coding/tr-TR/C/Libc.po | 278 ++++ .../tr-TR/C/snippets/Arithmetic-add.po | 36 + .../tr-TR/C/snippets/Arithmetic-mult.po | 29 + .../tr-TR/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/tr-TR/CXX/CXX.po | 20 + defensive-coding/tr-TR/CXX/Language.po | 234 ++++ defensive-coding/tr-TR/CXX/Std.po | 55 + defensive-coding/tr-TR/Defensive_Coding.po | 30 + .../tr-TR/Features/Authentication.po | 231 ++++ defensive-coding/tr-TR/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../tr-TR/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../tr-TR/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../tr-TR/Features/snippets/TLS-NSS-Init.po | 83 ++ .../tr-TR/Features/snippets/TLS-NSS-Use.po | 42 + .../tr-TR/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../tr-TR/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/tr-TR/Revision_History.po | 35 + defensive-coding/tr-TR/Tasks/Cryptography.po | 199 +++ defensive-coding/tr-TR/Tasks/Descriptors.po | 332 +++++ defensive-coding/tr-TR/Tasks/File_System.po | 396 ++++++ .../tr-TR/Tasks/Library_Design.po | 267 ++++ defensive-coding/tr-TR/Tasks/Processes.po | 597 +++++++++ defensive-coding/tr-TR/Tasks/Serialization.po | 513 ++++++++ .../tr-TR/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/vi-VN/Author_Group.po | 35 + defensive-coding/vi-VN/Book_Info.po | 38 + defensive-coding/vi-VN/C/Allocators.po | 265 ++++ defensive-coding/vi-VN/C/C.po | 20 + defensive-coding/vi-VN/C/Libc.po | 278 ++++ .../vi-VN/C/snippets/Arithmetic-add.po | 36 + .../vi-VN/C/snippets/Arithmetic-mult.po | 29 + .../vi-VN/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/vi-VN/CXX/CXX.po | 20 + defensive-coding/vi-VN/CXX/Language.po | 234 ++++ defensive-coding/vi-VN/CXX/Std.po | 55 + defensive-coding/vi-VN/Defensive_Coding.po | 30 + .../vi-VN/Features/Authentication.po | 231 ++++ defensive-coding/vi-VN/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../vi-VN/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../vi-VN/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../vi-VN/Features/snippets/TLS-NSS-Init.po | 83 ++ .../vi-VN/Features/snippets/TLS-NSS-Use.po | 42 + .../vi-VN/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../vi-VN/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/vi-VN/Revision_History.po | 35 + defensive-coding/vi-VN/Tasks/Cryptography.po | 199 +++ defensive-coding/vi-VN/Tasks/Descriptors.po | 332 +++++ defensive-coding/vi-VN/Tasks/File_System.po | 396 ++++++ .../vi-VN/Tasks/Library_Design.po | 267 ++++ defensive-coding/vi-VN/Tasks/Processes.po | 597 +++++++++ defensive-coding/vi-VN/Tasks/Serialization.po | 513 ++++++++ .../vi-VN/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/zh-CN/Author_Group.po | 36 + defensive-coding/zh-CN/Book_Info.po | 39 + defensive-coding/zh-CN/C/Allocators.po | 265 ++++ defensive-coding/zh-CN/C/C.po | 21 + defensive-coding/zh-CN/C/Libc.po | 279 ++++ .../zh-CN/C/snippets/Arithmetic-add.po | 36 + .../zh-CN/C/snippets/Arithmetic-mult.po | 29 + .../zh-CN/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/zh-CN/CXX/CXX.po | 21 + defensive-coding/zh-CN/CXX/Language.po | 235 ++++ defensive-coding/zh-CN/CXX/Std.po | 56 + defensive-coding/zh-CN/Defensive_Coding.po | 30 + .../zh-CN/Features/Authentication.po | 231 ++++ defensive-coding/zh-CN/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../zh-CN/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../zh-CN/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../zh-CN/Features/snippets/TLS-NSS-Init.po | 83 ++ .../zh-CN/Features/snippets/TLS-NSS-Use.po | 42 + .../zh-CN/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../zh-CN/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/zh-CN/Revision_History.po | 36 + defensive-coding/zh-CN/Tasks/Cryptography.po | 199 +++ defensive-coding/zh-CN/Tasks/Descriptors.po | 332 +++++ defensive-coding/zh-CN/Tasks/File_System.po | 397 ++++++ .../zh-CN/Tasks/Library_Design.po | 267 ++++ defensive-coding/zh-CN/Tasks/Processes.po | 597 +++++++++ defensive-coding/zh-CN/Tasks/Serialization.po | 513 ++++++++ .../zh-CN/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + defensive-coding/zh-TW/Author_Group.po | 35 + defensive-coding/zh-TW/Book_Info.po | 38 + defensive-coding/zh-TW/C/Allocators.po | 265 ++++ defensive-coding/zh-TW/C/C.po | 20 + defensive-coding/zh-TW/C/Libc.po | 278 ++++ .../zh-TW/C/snippets/Arithmetic-add.po | 36 + .../zh-TW/C/snippets/Arithmetic-mult.po | 29 + .../zh-TW/C/snippets/Pointers-remaining.po | 64 + .../C/snippets/String-Functions-format.po | 33 + .../C/snippets/String-Functions-snprintf.po | 23 + .../C/snippets/String-Functions-strncpy.po | 24 + defensive-coding/zh-TW/CXX/CXX.po | 20 + defensive-coding/zh-TW/CXX/Language.po | 234 ++++ defensive-coding/zh-TW/CXX/Std.po | 55 + defensive-coding/zh-TW/Defensive_Coding.po | 30 + .../zh-TW/Features/Authentication.po | 231 ++++ defensive-coding/zh-TW/Features/TLS.po | 1120 ++++++++++++++++ .../snippets/TLS-Client-GNUTLS-Connect.po | 71 ++ .../snippets/TLS-Client-GNUTLS-Credentials.po | 47 + .../snippets/TLS-Client-GNUTLS-Match.po | 48 + .../snippets/TLS-Client-GNUTLS-Verify.po | 61 + .../Features/snippets/TLS-Client-NSS-Close.po | 31 + .../snippets/TLS-Client-NSS-Connect.po | 132 ++ .../snippets/TLS-Client-OpenJDK-Connect.po | 41 + .../snippets/TLS-Client-OpenJDK-Context.po | 41 + .../TLS-Client-OpenJDK-Context_For_Cert.po | 37 + .../snippets/TLS-Client-OpenJDK-Hostname.po | 22 + .../snippets/TLS-Client-OpenJDK-Import.po | 33 + .../TLS-Client-OpenJDK-MyTrustManager.po | 53 + .../snippets/TLS-Client-OpenJDK-Use.po | 28 + .../snippets/TLS-Client-OpenSSL-CTX.po | 86 ++ .../snippets/TLS-Client-OpenSSL-Connect.po | 72 ++ .../TLS-Client-OpenSSL-Connection-Use.po | 32 + .../snippets/TLS-Client-OpenSSL-Init.po | 28 + .../snippets/TLS-Client-Python-Connect.po | 29 + .../TLS-Client-Python-check_host_name.po | 44 + .../snippets/TLS-GNUTLS-Credentials-Close.po | 22 + .../snippets/TLS-GNUTLS-Disconnect.po | 30 + .../Features/snippets/TLS-GNUTLS-Init.po | 22 + .../zh-TW/Features/snippets/TLS-GNUTLS-Use.po | 38 + .../zh-TW/Features/snippets/TLS-NSS-Close.po | 23 + .../Features/snippets/TLS-NSS-Includes.po | 35 + .../zh-TW/Features/snippets/TLS-NSS-Init.po | 83 ++ .../zh-TW/Features/snippets/TLS-NSS-Use.po | 42 + .../zh-TW/Features/snippets/TLS-Nagle.po | 27 + .../snippets/TLS-OpenJDK-Parameters.po | 42 + .../snippets/TLS-OpenSSL-Connection-Close.po | 46 + .../snippets/TLS-OpenSSL-Context-Close.po | 22 + .../Features/snippets/TLS-OpenSSL-Errors.po | 51 + .../Features/snippets/TLS-Python-Close.po | 22 + .../zh-TW/Features/snippets/TLS-Python-Use.po | 26 + defensive-coding/zh-TW/Revision_History.po | 35 + defensive-coding/zh-TW/Tasks/Cryptography.po | 199 +++ defensive-coding/zh-TW/Tasks/Descriptors.po | 332 +++++ defensive-coding/zh-TW/Tasks/File_System.po | 396 ++++++ .../zh-TW/Tasks/Library_Design.po | 267 ++++ defensive-coding/zh-TW/Tasks/Processes.po | 597 +++++++++ defensive-coding/zh-TW/Tasks/Serialization.po | 513 ++++++++ .../zh-TW/Tasks/Temporary_Files.po | 309 +++++ .../Serialization-XML-Expat-Create.po | 33 + ...rialization-XML-Expat-EntityDeclHandler.po | 31 + .../Serialization-XML-OpenJDK-Errors.po | 37 + .../Serialization-XML-OpenJDK-Imports.po | 42 + ...ialization-XML-OpenJDK-NoEntityResolver.po | 30 + ...lization-XML-OpenJDK-NoResourceResolver.po | 32 + .../Serialization-XML-OpenJDK_Parse-DOM.po | 34 + ...ization-XML-OpenJDK_Parse-XMLSchema_DOM.po | 38 + ...ization-XML-OpenJDK_Parse-XMLSchema_SAX.po | 41 + 1393 files changed, 140644 insertions(+) create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/el-GR_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/en_US_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/es-ES_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/fi-FI_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/fr-FR_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/gl-ES_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/id-ID_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/it-IT_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/ko-KR_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/ru-RU_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Author_Group/sl-SI_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Book_Info/el-GR_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Book_Info/en_US_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Book_Info/fi-FI_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Book_Info/fr-FR_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Book_Info/gl-ES_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Book_Info/id-ID_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Book_Info/it-IT_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Book_Info/ko-KR_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Book_Info/ru-RU_translation create mode 100644 defensive-coding/.tx/defensive-coding-guide.Book_Info/sl-SI_translation create mode 100644 defensive-coding/bo/Author_Group.po create mode 100644 defensive-coding/bo/Book_Info.po create mode 100644 defensive-coding/bo/C/Allocators.po create mode 100644 defensive-coding/bo/C/C.po create mode 100644 defensive-coding/bo/C/Libc.po create mode 100644 defensive-coding/bo/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/bo/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/bo/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/bo/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/bo/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/bo/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/bo/CXX/CXX.po create mode 100644 defensive-coding/bo/CXX/Language.po create mode 100644 defensive-coding/bo/CXX/Std.po create mode 100644 defensive-coding/bo/Defensive_Coding.po create mode 100644 defensive-coding/bo/Features/Authentication.po create mode 100644 defensive-coding/bo/Features/TLS.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/bo/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/bo/Revision_History.po create mode 100644 defensive-coding/bo/Tasks/Cryptography.po create mode 100644 defensive-coding/bo/Tasks/Descriptors.po create mode 100644 defensive-coding/bo/Tasks/File_System.po create mode 100644 defensive-coding/bo/Tasks/Library_Design.po create mode 100644 defensive-coding/bo/Tasks/Processes.po create mode 100644 defensive-coding/bo/Tasks/Serialization.po create mode 100644 defensive-coding/bo/Tasks/Temporary_Files.po create mode 100644 defensive-coding/bo/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/bo/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/cs-CZ/Author_Group.po create mode 100644 defensive-coding/cs-CZ/Book_Info.po create mode 100644 defensive-coding/cs-CZ/C/Allocators.po create mode 100644 defensive-coding/cs-CZ/C/C.po create mode 100644 defensive-coding/cs-CZ/C/Libc.po create mode 100644 defensive-coding/cs-CZ/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/cs-CZ/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/cs-CZ/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/cs-CZ/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/cs-CZ/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/cs-CZ/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/cs-CZ/CXX/CXX.po create mode 100644 defensive-coding/cs-CZ/CXX/Language.po create mode 100644 defensive-coding/cs-CZ/CXX/Std.po create mode 100644 defensive-coding/cs-CZ/Defensive_Coding.po create mode 100644 defensive-coding/cs-CZ/Features/Authentication.po create mode 100644 defensive-coding/cs-CZ/Features/TLS.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/cs-CZ/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/cs-CZ/Revision_History.po create mode 100644 defensive-coding/cs-CZ/Tasks/Cryptography.po create mode 100644 defensive-coding/cs-CZ/Tasks/Descriptors.po create mode 100644 defensive-coding/cs-CZ/Tasks/File_System.po create mode 100644 defensive-coding/cs-CZ/Tasks/Library_Design.po create mode 100644 defensive-coding/cs-CZ/Tasks/Processes.po create mode 100644 defensive-coding/cs-CZ/Tasks/Serialization.po create mode 100644 defensive-coding/cs-CZ/Tasks/Temporary_Files.po create mode 100644 defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/de-DE/Author_Group.po create mode 100644 defensive-coding/de-DE/Book_Info.po create mode 100644 defensive-coding/de-DE/C/Allocators.po create mode 100644 defensive-coding/de-DE/C/C.po create mode 100644 defensive-coding/de-DE/C/Libc.po create mode 100644 defensive-coding/de-DE/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/de-DE/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/de-DE/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/de-DE/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/de-DE/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/de-DE/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/de-DE/CXX/CXX.po create mode 100644 defensive-coding/de-DE/CXX/Language.po create mode 100644 defensive-coding/de-DE/CXX/Std.po create mode 100644 defensive-coding/de-DE/Defensive_Coding.po create mode 100644 defensive-coding/de-DE/Features/Authentication.po create mode 100644 defensive-coding/de-DE/Features/TLS.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/de-DE/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/de-DE/Revision_History.po create mode 100644 defensive-coding/de-DE/Tasks/Cryptography.po create mode 100644 defensive-coding/de-DE/Tasks/Descriptors.po create mode 100644 defensive-coding/de-DE/Tasks/File_System.po create mode 100644 defensive-coding/de-DE/Tasks/Library_Design.po create mode 100644 defensive-coding/de-DE/Tasks/Processes.po create mode 100644 defensive-coding/de-DE/Tasks/Serialization.po create mode 100644 defensive-coding/de-DE/Tasks/Temporary_Files.po create mode 100644 defensive-coding/de-DE/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/de-DE/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/el-GR/Author_Group.po create mode 100644 defensive-coding/el-GR/Book_Info.po create mode 100644 defensive-coding/el-GR/C/Allocators.po create mode 100644 defensive-coding/el-GR/C/C.po create mode 100644 defensive-coding/el-GR/C/Libc.po create mode 100644 defensive-coding/el-GR/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/el-GR/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/el-GR/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/el-GR/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/el-GR/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/el-GR/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/el-GR/CXX/CXX.po create mode 100644 defensive-coding/el-GR/CXX/Language.po create mode 100644 defensive-coding/el-GR/CXX/Std.po create mode 100644 defensive-coding/el-GR/Defensive_Coding.po create mode 100644 defensive-coding/el-GR/Features/Authentication.po create mode 100644 defensive-coding/el-GR/Features/TLS.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/el-GR/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/el-GR/Revision_History.po create mode 100644 defensive-coding/el-GR/Tasks/Cryptography.po create mode 100644 defensive-coding/el-GR/Tasks/Descriptors.po create mode 100644 defensive-coding/el-GR/Tasks/File_System.po create mode 100644 defensive-coding/el-GR/Tasks/Library_Design.po create mode 100644 defensive-coding/el-GR/Tasks/Processes.po create mode 100644 defensive-coding/el-GR/Tasks/Serialization.po create mode 100644 defensive-coding/el-GR/Tasks/Temporary_Files.po create mode 100644 defensive-coding/el-GR/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/el-GR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/en_US/Author_Group.po create mode 100644 defensive-coding/en_US/Book_Info.po create mode 100644 defensive-coding/en_US/C/Allocators.po create mode 100644 defensive-coding/en_US/C/C.po create mode 100644 defensive-coding/en_US/C/Libc.po create mode 100644 defensive-coding/en_US/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/en_US/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/en_US/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/en_US/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/en_US/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/en_US/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/en_US/CXX/CXX.po create mode 100644 defensive-coding/en_US/CXX/Language.po create mode 100644 defensive-coding/en_US/CXX/Std.po create mode 100644 defensive-coding/en_US/Defensive_Coding.po create mode 100644 defensive-coding/en_US/Features/Authentication.po create mode 100644 defensive-coding/en_US/Features/TLS.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/en_US/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/en_US/Revision_History.po create mode 100644 defensive-coding/en_US/Tasks/Cryptography.po create mode 100644 defensive-coding/en_US/Tasks/Descriptors.po create mode 100644 defensive-coding/en_US/Tasks/File_System.po create mode 100644 defensive-coding/en_US/Tasks/Library_Design.po create mode 100644 defensive-coding/en_US/Tasks/Processes.po create mode 100644 defensive-coding/en_US/Tasks/Serialization.po create mode 100644 defensive-coding/en_US/Tasks/Temporary_Files.po create mode 100644 defensive-coding/en_US/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/en_US/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/es-ES/Author_Group.po create mode 100644 defensive-coding/es-ES/Book_Info.po create mode 100644 defensive-coding/es-ES/C/Allocators.po create mode 100644 defensive-coding/es-ES/C/C.po create mode 100644 defensive-coding/es-ES/C/Libc.po create mode 100644 defensive-coding/es-ES/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/es-ES/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/es-ES/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/es-ES/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/es-ES/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/es-ES/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/es-ES/CXX/CXX.po create mode 100644 defensive-coding/es-ES/CXX/Language.po create mode 100644 defensive-coding/es-ES/CXX/Std.po create mode 100644 defensive-coding/es-ES/Defensive_Coding.po create mode 100644 defensive-coding/es-ES/Features/Authentication.po create mode 100644 defensive-coding/es-ES/Features/TLS.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/es-ES/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/es-ES/Revision_History.po create mode 100644 defensive-coding/es-ES/Tasks/Cryptography.po create mode 100644 defensive-coding/es-ES/Tasks/Descriptors.po create mode 100644 defensive-coding/es-ES/Tasks/File_System.po create mode 100644 defensive-coding/es-ES/Tasks/Library_Design.po create mode 100644 defensive-coding/es-ES/Tasks/Processes.po create mode 100644 defensive-coding/es-ES/Tasks/Serialization.po create mode 100644 defensive-coding/es-ES/Tasks/Temporary_Files.po create mode 100644 defensive-coding/es-ES/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/es-ES/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/fi-FI/Author_Group.po create mode 100644 defensive-coding/fi-FI/Book_Info.po create mode 100644 defensive-coding/fr-FR/Author_Group.po create mode 100644 defensive-coding/fr-FR/Book_Info.po create mode 100644 defensive-coding/fr-FR/C/Allocators.po create mode 100644 defensive-coding/fr-FR/C/C.po create mode 100644 defensive-coding/fr-FR/C/Libc.po create mode 100644 defensive-coding/fr-FR/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/fr-FR/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/fr-FR/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/fr-FR/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/fr-FR/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/fr-FR/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/fr-FR/CXX/CXX.po create mode 100644 defensive-coding/fr-FR/CXX/Language.po create mode 100644 defensive-coding/fr-FR/CXX/Std.po create mode 100644 defensive-coding/fr-FR/Defensive_Coding.po create mode 100644 defensive-coding/fr-FR/Features/Authentication.po create mode 100644 defensive-coding/fr-FR/Features/TLS.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/fr-FR/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/fr-FR/Revision_History.po create mode 100644 defensive-coding/fr-FR/Tasks/Cryptography.po create mode 100644 defensive-coding/fr-FR/Tasks/Descriptors.po create mode 100644 defensive-coding/fr-FR/Tasks/File_System.po create mode 100644 defensive-coding/fr-FR/Tasks/Library_Design.po create mode 100644 defensive-coding/fr-FR/Tasks/Processes.po create mode 100644 defensive-coding/fr-FR/Tasks/Serialization.po create mode 100644 defensive-coding/fr-FR/Tasks/Temporary_Files.po create mode 100644 defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/gl-ES/Author_Group.po create mode 100644 defensive-coding/gl-ES/Book_Info.po create mode 100644 defensive-coding/hi-IN/Author_Group.po create mode 100644 defensive-coding/hi-IN/Book_Info.po create mode 100644 defensive-coding/hi-IN/C/Allocators.po create mode 100644 defensive-coding/hi-IN/C/C.po create mode 100644 defensive-coding/hi-IN/C/Libc.po create mode 100644 defensive-coding/hi-IN/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/hi-IN/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/hi-IN/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/hi-IN/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/hi-IN/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/hi-IN/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/hi-IN/CXX/CXX.po create mode 100644 defensive-coding/hi-IN/CXX/Language.po create mode 100644 defensive-coding/hi-IN/CXX/Std.po create mode 100644 defensive-coding/hi-IN/Defensive_Coding.po create mode 100644 defensive-coding/hi-IN/Features/Authentication.po create mode 100644 defensive-coding/hi-IN/Features/TLS.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/hi-IN/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/hi-IN/Revision_History.po create mode 100644 defensive-coding/hi-IN/Tasks/Cryptography.po create mode 100644 defensive-coding/hi-IN/Tasks/Descriptors.po create mode 100644 defensive-coding/hi-IN/Tasks/File_System.po create mode 100644 defensive-coding/hi-IN/Tasks/Library_Design.po create mode 100644 defensive-coding/hi-IN/Tasks/Processes.po create mode 100644 defensive-coding/hi-IN/Tasks/Serialization.po create mode 100644 defensive-coding/hi-IN/Tasks/Temporary_Files.po create mode 100644 defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/ia/Author_Group.po create mode 100644 defensive-coding/ia/Book_Info.po create mode 100644 defensive-coding/ia/C/Allocators.po create mode 100644 defensive-coding/ia/C/C.po create mode 100644 defensive-coding/ia/C/Libc.po create mode 100644 defensive-coding/ia/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/ia/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/ia/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/ia/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/ia/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/ia/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/ia/CXX/CXX.po create mode 100644 defensive-coding/ia/CXX/Language.po create mode 100644 defensive-coding/ia/CXX/Std.po create mode 100644 defensive-coding/ia/Defensive_Coding.po create mode 100644 defensive-coding/ia/Features/Authentication.po create mode 100644 defensive-coding/ia/Features/TLS.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/ia/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/ia/Revision_History.po create mode 100644 defensive-coding/ia/Tasks/Cryptography.po create mode 100644 defensive-coding/ia/Tasks/Descriptors.po create mode 100644 defensive-coding/ia/Tasks/File_System.po create mode 100644 defensive-coding/ia/Tasks/Library_Design.po create mode 100644 defensive-coding/ia/Tasks/Processes.po create mode 100644 defensive-coding/ia/Tasks/Serialization.po create mode 100644 defensive-coding/ia/Tasks/Temporary_Files.po create mode 100644 defensive-coding/ia/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/ia/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/id-ID/Author_Group.po create mode 100644 defensive-coding/id-ID/Book_Info.po create mode 100644 defensive-coding/it-IT/Author_Group.po create mode 100644 defensive-coding/it-IT/Book_Info.po create mode 100644 defensive-coding/it-IT/C/Allocators.po create mode 100644 defensive-coding/it-IT/C/C.po create mode 100644 defensive-coding/it-IT/C/Libc.po create mode 100644 defensive-coding/it-IT/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/it-IT/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/it-IT/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/it-IT/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/it-IT/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/it-IT/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/it-IT/CXX/CXX.po create mode 100644 defensive-coding/it-IT/CXX/Language.po create mode 100644 defensive-coding/it-IT/CXX/Std.po create mode 100644 defensive-coding/it-IT/Defensive_Coding.po create mode 100644 defensive-coding/it-IT/Features/Authentication.po create mode 100644 defensive-coding/it-IT/Features/TLS.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/it-IT/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/it-IT/Revision_History.po create mode 100644 defensive-coding/it-IT/Tasks/Cryptography.po create mode 100644 defensive-coding/it-IT/Tasks/Descriptors.po create mode 100644 defensive-coding/it-IT/Tasks/File_System.po create mode 100644 defensive-coding/it-IT/Tasks/Library_Design.po create mode 100644 defensive-coding/it-IT/Tasks/Processes.po create mode 100644 defensive-coding/it-IT/Tasks/Serialization.po create mode 100644 defensive-coding/it-IT/Tasks/Temporary_Files.po create mode 100644 defensive-coding/it-IT/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/it-IT/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/ka/Author_Group.po create mode 100644 defensive-coding/ka/Book_Info.po create mode 100644 defensive-coding/ka/C/Allocators.po create mode 100644 defensive-coding/ka/C/C.po create mode 100644 defensive-coding/ka/C/Libc.po create mode 100644 defensive-coding/ka/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/ka/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/ka/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/ka/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/ka/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/ka/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/ka/CXX/CXX.po create mode 100644 defensive-coding/ka/CXX/Language.po create mode 100644 defensive-coding/ka/CXX/Std.po create mode 100644 defensive-coding/ka/Defensive_Coding.po create mode 100644 defensive-coding/ka/Features/Authentication.po create mode 100644 defensive-coding/ka/Features/TLS.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/ka/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/ka/Revision_History.po create mode 100644 defensive-coding/ka/Tasks/Cryptography.po create mode 100644 defensive-coding/ka/Tasks/Descriptors.po create mode 100644 defensive-coding/ka/Tasks/File_System.po create mode 100644 defensive-coding/ka/Tasks/Library_Design.po create mode 100644 defensive-coding/ka/Tasks/Processes.po create mode 100644 defensive-coding/ka/Tasks/Serialization.po create mode 100644 defensive-coding/ka/Tasks/Temporary_Files.po create mode 100644 defensive-coding/ka/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/ka/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/kn-IN/Author_Group.po create mode 100644 defensive-coding/kn-IN/Book_Info.po create mode 100644 defensive-coding/kn-IN/C/Allocators.po create mode 100644 defensive-coding/kn-IN/C/C.po create mode 100644 defensive-coding/kn-IN/C/Libc.po create mode 100644 defensive-coding/kn-IN/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/kn-IN/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/kn-IN/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/kn-IN/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/kn-IN/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/kn-IN/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/kn-IN/CXX/CXX.po create mode 100644 defensive-coding/kn-IN/CXX/Language.po create mode 100644 defensive-coding/kn-IN/CXX/Std.po create mode 100644 defensive-coding/kn-IN/Defensive_Coding.po create mode 100644 defensive-coding/kn-IN/Features/Authentication.po create mode 100644 defensive-coding/kn-IN/Features/TLS.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/kn-IN/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/kn-IN/Revision_History.po create mode 100644 defensive-coding/kn-IN/Tasks/Cryptography.po create mode 100644 defensive-coding/kn-IN/Tasks/Descriptors.po create mode 100644 defensive-coding/kn-IN/Tasks/File_System.po create mode 100644 defensive-coding/kn-IN/Tasks/Library_Design.po create mode 100644 defensive-coding/kn-IN/Tasks/Processes.po create mode 100644 defensive-coding/kn-IN/Tasks/Serialization.po create mode 100644 defensive-coding/kn-IN/Tasks/Temporary_Files.po create mode 100644 defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/ko-KR/Author_Group.po create mode 100644 defensive-coding/ko-KR/Book_Info.po create mode 100644 defensive-coding/nl-NL/Author_Group.po create mode 100644 defensive-coding/nl-NL/Book_Info.po create mode 100644 defensive-coding/nl-NL/C/Allocators.po create mode 100644 defensive-coding/nl-NL/C/C.po create mode 100644 defensive-coding/nl-NL/C/Libc.po create mode 100644 defensive-coding/nl-NL/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/nl-NL/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/nl-NL/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/nl-NL/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/nl-NL/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/nl-NL/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/nl-NL/CXX/CXX.po create mode 100644 defensive-coding/nl-NL/CXX/Language.po create mode 100644 defensive-coding/nl-NL/CXX/Std.po create mode 100644 defensive-coding/nl-NL/Defensive_Coding.po create mode 100644 defensive-coding/nl-NL/Features/Authentication.po create mode 100644 defensive-coding/nl-NL/Features/TLS.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/nl-NL/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/nl-NL/Revision_History.po create mode 100644 defensive-coding/nl-NL/Tasks/Cryptography.po create mode 100644 defensive-coding/nl-NL/Tasks/Descriptors.po create mode 100644 defensive-coding/nl-NL/Tasks/File_System.po create mode 100644 defensive-coding/nl-NL/Tasks/Library_Design.po create mode 100644 defensive-coding/nl-NL/Tasks/Processes.po create mode 100644 defensive-coding/nl-NL/Tasks/Serialization.po create mode 100644 defensive-coding/nl-NL/Tasks/Temporary_Files.po create mode 100644 defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/pt-BR/Author_Group.po create mode 100644 defensive-coding/pt-BR/Book_Info.po create mode 100644 defensive-coding/pt-BR/C/Allocators.po create mode 100644 defensive-coding/pt-BR/C/C.po create mode 100644 defensive-coding/pt-BR/C/Libc.po create mode 100644 defensive-coding/pt-BR/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/pt-BR/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/pt-BR/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/pt-BR/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/pt-BR/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/pt-BR/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/pt-BR/CXX/CXX.po create mode 100644 defensive-coding/pt-BR/CXX/Language.po create mode 100644 defensive-coding/pt-BR/CXX/Std.po create mode 100644 defensive-coding/pt-BR/Defensive_Coding.po create mode 100644 defensive-coding/pt-BR/Features/Authentication.po create mode 100644 defensive-coding/pt-BR/Features/TLS.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/pt-BR/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/pt-BR/Revision_History.po create mode 100644 defensive-coding/pt-BR/Tasks/Cryptography.po create mode 100644 defensive-coding/pt-BR/Tasks/Descriptors.po create mode 100644 defensive-coding/pt-BR/Tasks/File_System.po create mode 100644 defensive-coding/pt-BR/Tasks/Library_Design.po create mode 100644 defensive-coding/pt-BR/Tasks/Processes.po create mode 100644 defensive-coding/pt-BR/Tasks/Serialization.po create mode 100644 defensive-coding/pt-BR/Tasks/Temporary_Files.po create mode 100644 defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/pt-PT/Author_Group.po create mode 100644 defensive-coding/pt-PT/Book_Info.po create mode 100644 defensive-coding/pt-PT/C/Allocators.po create mode 100644 defensive-coding/pt-PT/C/C.po create mode 100644 defensive-coding/pt-PT/C/Libc.po create mode 100644 defensive-coding/pt-PT/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/pt-PT/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/pt-PT/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/pt-PT/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/pt-PT/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/pt-PT/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/pt-PT/CXX/CXX.po create mode 100644 defensive-coding/pt-PT/CXX/Language.po create mode 100644 defensive-coding/pt-PT/CXX/Std.po create mode 100644 defensive-coding/pt-PT/Defensive_Coding.po create mode 100644 defensive-coding/pt-PT/Features/Authentication.po create mode 100644 defensive-coding/pt-PT/Features/TLS.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/pt-PT/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/pt-PT/Revision_History.po create mode 100644 defensive-coding/pt-PT/Tasks/Cryptography.po create mode 100644 defensive-coding/pt-PT/Tasks/Descriptors.po create mode 100644 defensive-coding/pt-PT/Tasks/File_System.po create mode 100644 defensive-coding/pt-PT/Tasks/Library_Design.po create mode 100644 defensive-coding/pt-PT/Tasks/Processes.po create mode 100644 defensive-coding/pt-PT/Tasks/Serialization.po create mode 100644 defensive-coding/pt-PT/Tasks/Temporary_Files.po create mode 100644 defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/ru-RU/Author_Group.po create mode 100644 defensive-coding/ru-RU/Book_Info.po create mode 100644 defensive-coding/sl-SI/Author_Group.po create mode 100644 defensive-coding/sl-SI/Book_Info.po create mode 100644 defensive-coding/te-IN/Author_Group.po create mode 100644 defensive-coding/te-IN/Book_Info.po create mode 100644 defensive-coding/te-IN/C/Allocators.po create mode 100644 defensive-coding/te-IN/C/C.po create mode 100644 defensive-coding/te-IN/C/Libc.po create mode 100644 defensive-coding/te-IN/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/te-IN/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/te-IN/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/te-IN/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/te-IN/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/te-IN/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/te-IN/CXX/CXX.po create mode 100644 defensive-coding/te-IN/CXX/Language.po create mode 100644 defensive-coding/te-IN/CXX/Std.po create mode 100644 defensive-coding/te-IN/Defensive_Coding.po create mode 100644 defensive-coding/te-IN/Features/Authentication.po create mode 100644 defensive-coding/te-IN/Features/TLS.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/te-IN/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/te-IN/Revision_History.po create mode 100644 defensive-coding/te-IN/Tasks/Cryptography.po create mode 100644 defensive-coding/te-IN/Tasks/Descriptors.po create mode 100644 defensive-coding/te-IN/Tasks/File_System.po create mode 100644 defensive-coding/te-IN/Tasks/Library_Design.po create mode 100644 defensive-coding/te-IN/Tasks/Processes.po create mode 100644 defensive-coding/te-IN/Tasks/Serialization.po create mode 100644 defensive-coding/te-IN/Tasks/Temporary_Files.po create mode 100644 defensive-coding/te-IN/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/te-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/tr-TR/Author_Group.po create mode 100644 defensive-coding/tr-TR/Book_Info.po create mode 100644 defensive-coding/tr-TR/C/Allocators.po create mode 100644 defensive-coding/tr-TR/C/C.po create mode 100644 defensive-coding/tr-TR/C/Libc.po create mode 100644 defensive-coding/tr-TR/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/tr-TR/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/tr-TR/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/tr-TR/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/tr-TR/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/tr-TR/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/tr-TR/CXX/CXX.po create mode 100644 defensive-coding/tr-TR/CXX/Language.po create mode 100644 defensive-coding/tr-TR/CXX/Std.po create mode 100644 defensive-coding/tr-TR/Defensive_Coding.po create mode 100644 defensive-coding/tr-TR/Features/Authentication.po create mode 100644 defensive-coding/tr-TR/Features/TLS.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/tr-TR/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/tr-TR/Revision_History.po create mode 100644 defensive-coding/tr-TR/Tasks/Cryptography.po create mode 100644 defensive-coding/tr-TR/Tasks/Descriptors.po create mode 100644 defensive-coding/tr-TR/Tasks/File_System.po create mode 100644 defensive-coding/tr-TR/Tasks/Library_Design.po create mode 100644 defensive-coding/tr-TR/Tasks/Processes.po create mode 100644 defensive-coding/tr-TR/Tasks/Serialization.po create mode 100644 defensive-coding/tr-TR/Tasks/Temporary_Files.po create mode 100644 defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/vi-VN/Author_Group.po create mode 100644 defensive-coding/vi-VN/Book_Info.po create mode 100644 defensive-coding/vi-VN/C/Allocators.po create mode 100644 defensive-coding/vi-VN/C/C.po create mode 100644 defensive-coding/vi-VN/C/Libc.po create mode 100644 defensive-coding/vi-VN/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/vi-VN/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/vi-VN/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/vi-VN/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/vi-VN/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/vi-VN/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/vi-VN/CXX/CXX.po create mode 100644 defensive-coding/vi-VN/CXX/Language.po create mode 100644 defensive-coding/vi-VN/CXX/Std.po create mode 100644 defensive-coding/vi-VN/Defensive_Coding.po create mode 100644 defensive-coding/vi-VN/Features/Authentication.po create mode 100644 defensive-coding/vi-VN/Features/TLS.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/vi-VN/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/vi-VN/Revision_History.po create mode 100644 defensive-coding/vi-VN/Tasks/Cryptography.po create mode 100644 defensive-coding/vi-VN/Tasks/Descriptors.po create mode 100644 defensive-coding/vi-VN/Tasks/File_System.po create mode 100644 defensive-coding/vi-VN/Tasks/Library_Design.po create mode 100644 defensive-coding/vi-VN/Tasks/Processes.po create mode 100644 defensive-coding/vi-VN/Tasks/Serialization.po create mode 100644 defensive-coding/vi-VN/Tasks/Temporary_Files.po create mode 100644 defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/zh-CN/Author_Group.po create mode 100644 defensive-coding/zh-CN/Book_Info.po create mode 100644 defensive-coding/zh-CN/C/Allocators.po create mode 100644 defensive-coding/zh-CN/C/C.po create mode 100644 defensive-coding/zh-CN/C/Libc.po create mode 100644 defensive-coding/zh-CN/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/zh-CN/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/zh-CN/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/zh-CN/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/zh-CN/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/zh-CN/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/zh-CN/CXX/CXX.po create mode 100644 defensive-coding/zh-CN/CXX/Language.po create mode 100644 defensive-coding/zh-CN/CXX/Std.po create mode 100644 defensive-coding/zh-CN/Defensive_Coding.po create mode 100644 defensive-coding/zh-CN/Features/Authentication.po create mode 100644 defensive-coding/zh-CN/Features/TLS.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/zh-CN/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/zh-CN/Revision_History.po create mode 100644 defensive-coding/zh-CN/Tasks/Cryptography.po create mode 100644 defensive-coding/zh-CN/Tasks/Descriptors.po create mode 100644 defensive-coding/zh-CN/Tasks/File_System.po create mode 100644 defensive-coding/zh-CN/Tasks/Library_Design.po create mode 100644 defensive-coding/zh-CN/Tasks/Processes.po create mode 100644 defensive-coding/zh-CN/Tasks/Serialization.po create mode 100644 defensive-coding/zh-CN/Tasks/Temporary_Files.po create mode 100644 defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po create mode 100644 defensive-coding/zh-TW/Author_Group.po create mode 100644 defensive-coding/zh-TW/Book_Info.po create mode 100644 defensive-coding/zh-TW/C/Allocators.po create mode 100644 defensive-coding/zh-TW/C/C.po create mode 100644 defensive-coding/zh-TW/C/Libc.po create mode 100644 defensive-coding/zh-TW/C/snippets/Arithmetic-add.po create mode 100644 defensive-coding/zh-TW/C/snippets/Arithmetic-mult.po create mode 100644 defensive-coding/zh-TW/C/snippets/Pointers-remaining.po create mode 100644 defensive-coding/zh-TW/C/snippets/String-Functions-format.po create mode 100644 defensive-coding/zh-TW/C/snippets/String-Functions-snprintf.po create mode 100644 defensive-coding/zh-TW/C/snippets/String-Functions-strncpy.po create mode 100644 defensive-coding/zh-TW/CXX/CXX.po create mode 100644 defensive-coding/zh-TW/CXX/Language.po create mode 100644 defensive-coding/zh-TW/CXX/Std.po create mode 100644 defensive-coding/zh-TW/Defensive_Coding.po create mode 100644 defensive-coding/zh-TW/Features/Authentication.po create mode 100644 defensive-coding/zh-TW/Features/TLS.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Connect.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Credentials.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Match.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Verify.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-NSS-Close.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-NSS-Connect.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Connect.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Context.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Hostname.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Import.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Use.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-CTX.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Connect.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Init.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-Python-Connect.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Client-Python-check_host_name.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Credentials-Close.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Disconnect.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Init.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Use.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-NSS-Close.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-NSS-Includes.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-NSS-Init.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-NSS-Use.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Nagle.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-OpenJDK-Parameters.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Connection-Close.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Context-Close.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Errors.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Python-Close.po create mode 100644 defensive-coding/zh-TW/Features/snippets/TLS-Python-Use.po create mode 100644 defensive-coding/zh-TW/Revision_History.po create mode 100644 defensive-coding/zh-TW/Tasks/Cryptography.po create mode 100644 defensive-coding/zh-TW/Tasks/Descriptors.po create mode 100644 defensive-coding/zh-TW/Tasks/File_System.po create mode 100644 defensive-coding/zh-TW/Tasks/Library_Design.po create mode 100644 defensive-coding/zh-TW/Tasks/Processes.po create mode 100644 defensive-coding/zh-TW/Tasks/Serialization.po create mode 100644 defensive-coding/zh-TW/Tasks/Temporary_Files.po create mode 100644 defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-Expat-Create.po create mode 100644 defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po create mode 100644 defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po create mode 100644 defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po create mode 100644 defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po create mode 100644 defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po create mode 100644 defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po create mode 100644 defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po create mode 100644 defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/el-GR_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/el-GR_translation new file mode 100644 index 0000000..a9c8520 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/el-GR_translation @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/en_US_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/en_US_translation new file mode 100644 index 0000000..b1b8548 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/en_US_translation @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "Florian" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "Weimer" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "Red Hat" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "Product Security Team" diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/es-ES_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/es-ES_translation new file mode 100644 index 0000000..441adb1 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/es-ES_translation @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +# , 2013. +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-14 07:50+0000\n" +"Last-Translator: vareli \n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "Florian" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "Weimer" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "Red Hat" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "Equipo de Seguridad del Producto" diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/fi-FI_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/fi-FI_translation new file mode 100644 index 0000000..e34b4a9 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/fi-FI_translation @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Finnish (http://www.transifex.com/projects/p/fedora/language/fi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/fr-FR_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/fr-FR_translation new file mode 100644 index 0000000..839f704 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/fr-FR_translation @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013. +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-16 14:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "Florian" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "Weimer" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "Red Hat" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "Équipe Sécurité Produit" diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/gl-ES_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/gl-ES_translation new file mode 100644 index 0000000..c87f190 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/gl-ES_translation @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Galician (http://www.transifex.com/projects/p/fedora/language/gl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: gl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/id-ID_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/id-ID_translation new file mode 100644 index 0000000..91b6ab6 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/id-ID_translation @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Indonesian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: id\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/it-IT_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/it-IT_translation new file mode 100644 index 0000000..d0b5639 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/it-IT_translation @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/ko-KR_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/ko-KR_translation new file mode 100644 index 0000000..b1b6eb7 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/ko-KR_translation @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Korean (http://www.transifex.com/projects/p/fedora/language/ko/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ko\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/ru-RU_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/ru-RU_translation new file mode 100644 index 0000000..e683b3a --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/ru-RU_translation @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Russian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Author_Group/sl-SI_translation b/defensive-coding/.tx/defensive-coding-guide.Author_Group/sl-SI_translation new file mode 100644 index 0000000..db2f3e2 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Author_Group/sl-SI_translation @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Slovenian (http://www.transifex.com/projects/p/fedora/language/sl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: sl\n" +"Plural-Forms: nplurals=4; plural=(n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || n%100==4 ? 2 : 3);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Book_Info/el-GR_translation b/defensive-coding/.tx/defensive-coding-guide.Book_Info/el-GR_translation new file mode 100644 index 0000000..db161ac --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Book_Info/el-GR_translation @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Book_Info/en_US_translation b/defensive-coding/.tx/defensive-coding-guide.Book_Info/en_US_translation new file mode 100644 index 0000000..9e4b250 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Book_Info/en_US_translation @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "Defensive Coding" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "A Guide to Improving Software Security" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "Fedora Security Team" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "This document provides guidelines for improving software security through secure coding. It covers common programming languages and libraries, and focuses on concrete recommendations." diff --git a/defensive-coding/.tx/defensive-coding-guide.Book_Info/fi-FI_translation b/defensive-coding/.tx/defensive-coding-guide.Book_Info/fi-FI_translation new file mode 100644 index 0000000..efb074a --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Book_Info/fi-FI_translation @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Finnish (http://www.transifex.com/projects/p/fedora/language/fi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Book_Info/fr-FR_translation b/defensive-coding/.tx/defensive-coding-guide.Book_Info/fr-FR_translation new file mode 100644 index 0000000..301ba65 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Book_Info/fr-FR_translation @@ -0,0 +1,39 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013. +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-16 14:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "Développement défensif" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "Un guide visant à améliorer la sécurité des logiciels" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "Équipe Sécurité Fedora" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "Ce document fournit des conseils visant à améliorer la sécurité des logiciels par un développement prenant en compte la sécurité. Cela couvre les langages et bibliothèques les plus courants, et se concentre sur des recommandations concrètes." diff --git a/defensive-coding/.tx/defensive-coding-guide.Book_Info/gl-ES_translation b/defensive-coding/.tx/defensive-coding-guide.Book_Info/gl-ES_translation new file mode 100644 index 0000000..fd20ab6 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Book_Info/gl-ES_translation @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Galician (http://www.transifex.com/projects/p/fedora/language/gl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: gl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Book_Info/id-ID_translation b/defensive-coding/.tx/defensive-coding-guide.Book_Info/id-ID_translation new file mode 100644 index 0000000..cb4f370 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Book_Info/id-ID_translation @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Indonesian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: id\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Book_Info/it-IT_translation b/defensive-coding/.tx/defensive-coding-guide.Book_Info/it-IT_translation new file mode 100644 index 0000000..36b4b89 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Book_Info/it-IT_translation @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Book_Info/ko-KR_translation b/defensive-coding/.tx/defensive-coding-guide.Book_Info/ko-KR_translation new file mode 100644 index 0000000..02b2d06 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Book_Info/ko-KR_translation @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Korean (http://www.transifex.com/projects/p/fedora/language/ko/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ko\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Book_Info/ru-RU_translation b/defensive-coding/.tx/defensive-coding-guide.Book_Info/ru-RU_translation new file mode 100644 index 0000000..7ecaf0f --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Book_Info/ru-RU_translation @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Russian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/.tx/defensive-coding-guide.Book_Info/sl-SI_translation b/defensive-coding/.tx/defensive-coding-guide.Book_Info/sl-SI_translation new file mode 100644 index 0000000..9691fb8 --- /dev/null +++ b/defensive-coding/.tx/defensive-coding-guide.Book_Info/sl-SI_translation @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Slovenian (http://www.transifex.com/projects/p/fedora/language/sl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: sl\n" +"Plural-Forms: nplurals=4; plural=(n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || n%100==4 ? 2 : 3);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/bo/Author_Group.po b/defensive-coding/bo/Author_Group.po new file mode 100644 index 0000000..ec7e403 --- /dev/null +++ b/defensive-coding/bo/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/bo/Book_Info.po b/defensive-coding/bo/Book_Info.po new file mode 100644 index 0000000..15c9e54 --- /dev/null +++ b/defensive-coding/bo/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/bo/C/Allocators.po b/defensive-coding/bo/C/Allocators.po new file mode 100644 index 0000000..9969a2c --- /dev/null +++ b/defensive-coding/bo/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/bo/C/C.po b/defensive-coding/bo/C/C.po new file mode 100644 index 0000000..7dc11c4 --- /dev/null +++ b/defensive-coding/bo/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/bo/C/Libc.po b/defensive-coding/bo/C/Libc.po new file mode 100644 index 0000000..b72f90c --- /dev/null +++ b/defensive-coding/bo/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/bo/C/snippets/Arithmetic-add.po b/defensive-coding/bo/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..757c942 --- /dev/null +++ b/defensive-coding/bo/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/C/snippets/Arithmetic-mult.po b/defensive-coding/bo/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..a55448b --- /dev/null +++ b/defensive-coding/bo/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/C/snippets/Pointers-remaining.po b/defensive-coding/bo/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..b141338 --- /dev/null +++ b/defensive-coding/bo/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/C/snippets/String-Functions-format.po b/defensive-coding/bo/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..4a7032f --- /dev/null +++ b/defensive-coding/bo/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/C/snippets/String-Functions-snprintf.po b/defensive-coding/bo/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..d22e2b6 --- /dev/null +++ b/defensive-coding/bo/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/bo/C/snippets/String-Functions-strncpy.po b/defensive-coding/bo/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..62c1841 --- /dev/null +++ b/defensive-coding/bo/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/bo/CXX/CXX.po b/defensive-coding/bo/CXX/CXX.po new file mode 100644 index 0000000..6cfd813 --- /dev/null +++ b/defensive-coding/bo/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/bo/CXX/Language.po b/defensive-coding/bo/CXX/Language.po new file mode 100644 index 0000000..6263965 --- /dev/null +++ b/defensive-coding/bo/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/bo/CXX/Std.po b/defensive-coding/bo/CXX/Std.po new file mode 100644 index 0000000..8cd9d30 --- /dev/null +++ b/defensive-coding/bo/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/bo/Defensive_Coding.po b/defensive-coding/bo/Defensive_Coding.po new file mode 100644 index 0000000..53a4371 --- /dev/null +++ b/defensive-coding/bo/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/bo/Features/Authentication.po b/defensive-coding/bo/Features/Authentication.po new file mode 100644 index 0000000..cc645fb --- /dev/null +++ b/defensive-coding/bo/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/bo/Features/TLS.po b/defensive-coding/bo/Features/TLS.po new file mode 100644 index 0000000..5d2e06f --- /dev/null +++ b/defensive-coding/bo/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..f6d61e6 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..395dece --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..b2286d6 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..149672b --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/bo/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..053a99e --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/bo/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..7b8375c --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..30218cf --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..a3017cd --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..63f78dc --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..b350021 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..affed3e --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..7bcce49 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..69bcb00 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..87472f3 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..c7fbab9 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..c85e92a --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..ab21582 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/bo/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..5d1614c --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/bo/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..3c01df6 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..53d7622 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..957b2c1 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..0ba3a8b --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..8cab146 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-NSS-Close.po b/defensive-coding/bo/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..25d75dc --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/bo/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..1e2ed22 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-NSS-Init.po b/defensive-coding/bo/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..8295998 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-NSS-Use.po b/defensive-coding/bo/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..8158d18 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Nagle.po b/defensive-coding/bo/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..5614fc3 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/bo/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..e3b052a --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/bo/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..d3b3c6e --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/bo/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..d89b716 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/bo/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..a70e98d --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Python-Close.po b/defensive-coding/bo/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..7fb1b64 --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/bo/Features/snippets/TLS-Python-Use.po b/defensive-coding/bo/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..d0a1ebf --- /dev/null +++ b/defensive-coding/bo/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/bo/Revision_History.po b/defensive-coding/bo/Revision_History.po new file mode 100644 index 0000000..5a93bad --- /dev/null +++ b/defensive-coding/bo/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/bo/Tasks/Cryptography.po b/defensive-coding/bo/Tasks/Cryptography.po new file mode 100644 index 0000000..6975b82 --- /dev/null +++ b/defensive-coding/bo/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/bo/Tasks/Descriptors.po b/defensive-coding/bo/Tasks/Descriptors.po new file mode 100644 index 0000000..94816b7 --- /dev/null +++ b/defensive-coding/bo/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/bo/Tasks/File_System.po b/defensive-coding/bo/Tasks/File_System.po new file mode 100644 index 0000000..de3f376 --- /dev/null +++ b/defensive-coding/bo/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/bo/Tasks/Library_Design.po b/defensive-coding/bo/Tasks/Library_Design.po new file mode 100644 index 0000000..975be21 --- /dev/null +++ b/defensive-coding/bo/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/bo/Tasks/Processes.po b/defensive-coding/bo/Tasks/Processes.po new file mode 100644 index 0000000..39c6029 --- /dev/null +++ b/defensive-coding/bo/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/bo/Tasks/Serialization.po b/defensive-coding/bo/Tasks/Serialization.po new file mode 100644 index 0000000..f0605b1 --- /dev/null +++ b/defensive-coding/bo/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/bo/Tasks/Temporary_Files.po b/defensive-coding/bo/Tasks/Temporary_Files.po new file mode 100644 index 0000000..27df597 --- /dev/null +++ b/defensive-coding/bo/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/bo/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/bo/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..bdd4a66 --- /dev/null +++ b/defensive-coding/bo/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/bo/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/bo/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..00ddaad --- /dev/null +++ b/defensive-coding/bo/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..bda39c5 --- /dev/null +++ b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..e6404f3 --- /dev/null +++ b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..db89efe --- /dev/null +++ b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..c10ddf6 --- /dev/null +++ b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..6824423 --- /dev/null +++ b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..9a47b78 --- /dev/null +++ b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..921a604 --- /dev/null +++ b/defensive-coding/bo/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Tibetan \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: bo\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Author_Group.po b/defensive-coding/cs-CZ/Author_Group.po new file mode 100644 index 0000000..0849e61 --- /dev/null +++ b/defensive-coding/cs-CZ/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/cs-CZ/Book_Info.po b/defensive-coding/cs-CZ/Book_Info.po new file mode 100644 index 0000000..3f46657 --- /dev/null +++ b/defensive-coding/cs-CZ/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/cs-CZ/C/Allocators.po b/defensive-coding/cs-CZ/C/Allocators.po new file mode 100644 index 0000000..42eff0a --- /dev/null +++ b/defensive-coding/cs-CZ/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/cs-CZ/C/C.po b/defensive-coding/cs-CZ/C/C.po new file mode 100644 index 0000000..33a6eec --- /dev/null +++ b/defensive-coding/cs-CZ/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/cs-CZ/C/Libc.po b/defensive-coding/cs-CZ/C/Libc.po new file mode 100644 index 0000000..bc1c110 --- /dev/null +++ b/defensive-coding/cs-CZ/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/cs-CZ/C/snippets/Arithmetic-add.po b/defensive-coding/cs-CZ/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..f3a175b --- /dev/null +++ b/defensive-coding/cs-CZ/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/C/snippets/Arithmetic-mult.po b/defensive-coding/cs-CZ/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..55b426e --- /dev/null +++ b/defensive-coding/cs-CZ/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/C/snippets/Pointers-remaining.po b/defensive-coding/cs-CZ/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..7e3ced6 --- /dev/null +++ b/defensive-coding/cs-CZ/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/C/snippets/String-Functions-format.po b/defensive-coding/cs-CZ/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..891bfb5 --- /dev/null +++ b/defensive-coding/cs-CZ/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/C/snippets/String-Functions-snprintf.po b/defensive-coding/cs-CZ/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..33581d4 --- /dev/null +++ b/defensive-coding/cs-CZ/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/C/snippets/String-Functions-strncpy.po b/defensive-coding/cs-CZ/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..b6f30cd --- /dev/null +++ b/defensive-coding/cs-CZ/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/CXX/CXX.po b/defensive-coding/cs-CZ/CXX/CXX.po new file mode 100644 index 0000000..2d9662f --- /dev/null +++ b/defensive-coding/cs-CZ/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/cs-CZ/CXX/Language.po b/defensive-coding/cs-CZ/CXX/Language.po new file mode 100644 index 0000000..567a787 --- /dev/null +++ b/defensive-coding/cs-CZ/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/cs-CZ/CXX/Std.po b/defensive-coding/cs-CZ/CXX/Std.po new file mode 100644 index 0000000..3e446a5 --- /dev/null +++ b/defensive-coding/cs-CZ/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/cs-CZ/Defensive_Coding.po b/defensive-coding/cs-CZ/Defensive_Coding.po new file mode 100644 index 0000000..789982e --- /dev/null +++ b/defensive-coding/cs-CZ/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/Authentication.po b/defensive-coding/cs-CZ/Features/Authentication.po new file mode 100644 index 0000000..6ce92af --- /dev/null +++ b/defensive-coding/cs-CZ/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/TLS.po b/defensive-coding/cs-CZ/Features/TLS.po new file mode 100644 index 0000000..eeacb47 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..c385bfb --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..ddc4da5 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..e4e737e --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..70ab58e --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..80e48ab --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..bf7ced6 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..ad5d1d5 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..921850b --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..133e9ca --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..9b5552b --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..c55d1d3 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..38b7317 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..dce0c9d --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..f7776f3 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..8d935bd --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..73e970d --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..699cc6a --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..7643017 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..b19a3c8 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..50cc46d --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..5a929b6 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..f6341a4 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..7d060ba --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Close.po b/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..69cb3b9 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..df21c74 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Init.po b/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..8fe1e90 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Use.po b/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..41bf1b5 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Nagle.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..8d02314 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/cs-CZ/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..5d21798 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..885e015 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..422d041 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..fb6970c --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Python-Close.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..277e652 --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Features/snippets/TLS-Python-Use.po b/defensive-coding/cs-CZ/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..0add06f --- /dev/null +++ b/defensive-coding/cs-CZ/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Revision_History.po b/defensive-coding/cs-CZ/Revision_History.po new file mode 100644 index 0000000..d9db225 --- /dev/null +++ b/defensive-coding/cs-CZ/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/Cryptography.po b/defensive-coding/cs-CZ/Tasks/Cryptography.po new file mode 100644 index 0000000..69a215c --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/Descriptors.po b/defensive-coding/cs-CZ/Tasks/Descriptors.po new file mode 100644 index 0000000..acb73d6 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/File_System.po b/defensive-coding/cs-CZ/Tasks/File_System.po new file mode 100644 index 0000000..ce89514 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/Library_Design.po b/defensive-coding/cs-CZ/Tasks/Library_Design.po new file mode 100644 index 0000000..6fa2e0a --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/Processes.po b/defensive-coding/cs-CZ/Tasks/Processes.po new file mode 100644 index 0000000..6de7f81 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/Serialization.po b/defensive-coding/cs-CZ/Tasks/Serialization.po new file mode 100644 index 0000000..0709989 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/Temporary_Files.po b/defensive-coding/cs-CZ/Tasks/Temporary_Files.po new file mode 100644 index 0000000..1458b9c --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..d101f57 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..63dbf25 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..f7b3ca8 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..6d80a63 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..3c37e41 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..7ffc62d --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..a6e1dd4 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..5dc6c4b --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..ef33fc9 --- /dev/null +++ b/defensive-coding/cs-CZ/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Czech (http://www.transifex.com/projects/p/fedora/language/cs/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: cs\n" +"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/de-DE/Author_Group.po b/defensive-coding/de-DE/Author_Group.po new file mode 100644 index 0000000..3f1ce7e --- /dev/null +++ b/defensive-coding/de-DE/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/de-DE/Book_Info.po b/defensive-coding/de-DE/Book_Info.po new file mode 100644 index 0000000..6bbd889 --- /dev/null +++ b/defensive-coding/de-DE/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/de-DE/C/Allocators.po b/defensive-coding/de-DE/C/Allocators.po new file mode 100644 index 0000000..9a516fe --- /dev/null +++ b/defensive-coding/de-DE/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/de-DE/C/C.po b/defensive-coding/de-DE/C/C.po new file mode 100644 index 0000000..4b45ab1 --- /dev/null +++ b/defensive-coding/de-DE/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/de-DE/C/Libc.po b/defensive-coding/de-DE/C/Libc.po new file mode 100644 index 0000000..676c615 --- /dev/null +++ b/defensive-coding/de-DE/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/de-DE/C/snippets/Arithmetic-add.po b/defensive-coding/de-DE/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..9378ff7 --- /dev/null +++ b/defensive-coding/de-DE/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/C/snippets/Arithmetic-mult.po b/defensive-coding/de-DE/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..eafaa7a --- /dev/null +++ b/defensive-coding/de-DE/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/C/snippets/Pointers-remaining.po b/defensive-coding/de-DE/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..ec8e6fb --- /dev/null +++ b/defensive-coding/de-DE/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/C/snippets/String-Functions-format.po b/defensive-coding/de-DE/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..e50b386 --- /dev/null +++ b/defensive-coding/de-DE/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/C/snippets/String-Functions-snprintf.po b/defensive-coding/de-DE/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..6d681e0 --- /dev/null +++ b/defensive-coding/de-DE/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/de-DE/C/snippets/String-Functions-strncpy.po b/defensive-coding/de-DE/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..6aa716b --- /dev/null +++ b/defensive-coding/de-DE/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/de-DE/CXX/CXX.po b/defensive-coding/de-DE/CXX/CXX.po new file mode 100644 index 0000000..aa37a5f --- /dev/null +++ b/defensive-coding/de-DE/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/de-DE/CXX/Language.po b/defensive-coding/de-DE/CXX/Language.po new file mode 100644 index 0000000..135f2b5 --- /dev/null +++ b/defensive-coding/de-DE/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/de-DE/CXX/Std.po b/defensive-coding/de-DE/CXX/Std.po new file mode 100644 index 0000000..1d2c315 --- /dev/null +++ b/defensive-coding/de-DE/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/de-DE/Defensive_Coding.po b/defensive-coding/de-DE/Defensive_Coding.po new file mode 100644 index 0000000..ac772fd --- /dev/null +++ b/defensive-coding/de-DE/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/de-DE/Features/Authentication.po b/defensive-coding/de-DE/Features/Authentication.po new file mode 100644 index 0000000..0b9ca0e --- /dev/null +++ b/defensive-coding/de-DE/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/de-DE/Features/TLS.po b/defensive-coding/de-DE/Features/TLS.po new file mode 100644 index 0000000..fd47a20 --- /dev/null +++ b/defensive-coding/de-DE/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..bd85d97 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..2c84da3 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..31b0e7d --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..f1b6f66 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..0277571 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..b1dc9e5 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..666f967 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..f2275ca --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..8b1b5e8 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..c6a2d7a --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..713661b --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..5f3fe76 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..7cf0213 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..911b20c --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..2e22043 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..8eccb48 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..d32ca43 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..5293ad8 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/de-DE/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..3467658 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..efe016c --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..f3f1fae --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..6a5c97f --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..f9a08ea --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-NSS-Close.po b/defensive-coding/de-DE/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..c9e59f8 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/de-DE/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..021dfb1 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-NSS-Init.po b/defensive-coding/de-DE/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..e657ab1 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-NSS-Use.po b/defensive-coding/de-DE/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..be848b5 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Nagle.po b/defensive-coding/de-DE/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..c19125d --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/de-DE/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..8280107 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..4047d00 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..dc2dae8 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..9196185 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Python-Close.po b/defensive-coding/de-DE/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..7225918 --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/de-DE/Features/snippets/TLS-Python-Use.po b/defensive-coding/de-DE/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..8ce2f1f --- /dev/null +++ b/defensive-coding/de-DE/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/de-DE/Revision_History.po b/defensive-coding/de-DE/Revision_History.po new file mode 100644 index 0000000..4ebbd16 --- /dev/null +++ b/defensive-coding/de-DE/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/Cryptography.po b/defensive-coding/de-DE/Tasks/Cryptography.po new file mode 100644 index 0000000..56f8b72 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/Descriptors.po b/defensive-coding/de-DE/Tasks/Descriptors.po new file mode 100644 index 0000000..cbe0895 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/File_System.po b/defensive-coding/de-DE/Tasks/File_System.po new file mode 100644 index 0000000..a488bd1 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/Library_Design.po b/defensive-coding/de-DE/Tasks/Library_Design.po new file mode 100644 index 0000000..e5f6f89 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/Processes.po b/defensive-coding/de-DE/Tasks/Processes.po new file mode 100644 index 0000000..b112df2 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/Serialization.po b/defensive-coding/de-DE/Tasks/Serialization.po new file mode 100644 index 0000000..26eb3fa --- /dev/null +++ b/defensive-coding/de-DE/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/Temporary_Files.po b/defensive-coding/de-DE/Tasks/Temporary_Files.po new file mode 100644 index 0000000..8413683 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..2cda298 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..ada9bf3 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..5418b40 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..1ccce6a --- /dev/null +++ b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..2afb97a --- /dev/null +++ b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..90f021f --- /dev/null +++ b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..c3bff81 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..f75e12d --- /dev/null +++ b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..ee4b0b6 --- /dev/null +++ b/defensive-coding/de-DE/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: German \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: de\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/el-GR/Author_Group.po b/defensive-coding/el-GR/Author_Group.po new file mode 100644 index 0000000..a9c8520 --- /dev/null +++ b/defensive-coding/el-GR/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/el-GR/Book_Info.po b/defensive-coding/el-GR/Book_Info.po new file mode 100644 index 0000000..db161ac --- /dev/null +++ b/defensive-coding/el-GR/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/el-GR/C/Allocators.po b/defensive-coding/el-GR/C/Allocators.po new file mode 100644 index 0000000..eab9a06 --- /dev/null +++ b/defensive-coding/el-GR/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/el-GR/C/C.po b/defensive-coding/el-GR/C/C.po new file mode 100644 index 0000000..aa29782 --- /dev/null +++ b/defensive-coding/el-GR/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/el-GR/C/Libc.po b/defensive-coding/el-GR/C/Libc.po new file mode 100644 index 0000000..49677dc --- /dev/null +++ b/defensive-coding/el-GR/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/el-GR/C/snippets/Arithmetic-add.po b/defensive-coding/el-GR/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..5c14a6a --- /dev/null +++ b/defensive-coding/el-GR/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/C/snippets/Arithmetic-mult.po b/defensive-coding/el-GR/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..5f94a79 --- /dev/null +++ b/defensive-coding/el-GR/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/C/snippets/Pointers-remaining.po b/defensive-coding/el-GR/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..9cefe9c --- /dev/null +++ b/defensive-coding/el-GR/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/C/snippets/String-Functions-format.po b/defensive-coding/el-GR/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..76fd237 --- /dev/null +++ b/defensive-coding/el-GR/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/C/snippets/String-Functions-snprintf.po b/defensive-coding/el-GR/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..2f80ec1 --- /dev/null +++ b/defensive-coding/el-GR/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/el-GR/C/snippets/String-Functions-strncpy.po b/defensive-coding/el-GR/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..f3e590d --- /dev/null +++ b/defensive-coding/el-GR/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/el-GR/CXX/CXX.po b/defensive-coding/el-GR/CXX/CXX.po new file mode 100644 index 0000000..1f5533a --- /dev/null +++ b/defensive-coding/el-GR/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/el-GR/CXX/Language.po b/defensive-coding/el-GR/CXX/Language.po new file mode 100644 index 0000000..9549b0d --- /dev/null +++ b/defensive-coding/el-GR/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/el-GR/CXX/Std.po b/defensive-coding/el-GR/CXX/Std.po new file mode 100644 index 0000000..5e396dc --- /dev/null +++ b/defensive-coding/el-GR/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/el-GR/Defensive_Coding.po b/defensive-coding/el-GR/Defensive_Coding.po new file mode 100644 index 0000000..689d143 --- /dev/null +++ b/defensive-coding/el-GR/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/el-GR/Features/Authentication.po b/defensive-coding/el-GR/Features/Authentication.po new file mode 100644 index 0000000..5acbfaa --- /dev/null +++ b/defensive-coding/el-GR/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/el-GR/Features/TLS.po b/defensive-coding/el-GR/Features/TLS.po new file mode 100644 index 0000000..a721e6c --- /dev/null +++ b/defensive-coding/el-GR/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..f1369d1 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..e7bffde --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..3922a47 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..b38b124 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..9ac3e76 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..024e3b0 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..8e4e235 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..e3182a9 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..7fc8b27 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..47aaae8 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..f85b4d5 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..548c5c6 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..4e0b9b4 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..c8fcc47 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..012918d --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..b0c535b --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..c0df333 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..eebbac4 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/el-GR/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..729865f --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..b75af0a --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..be58c61 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..d4008ae --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..303f044 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-NSS-Close.po b/defensive-coding/el-GR/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..a529779 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/el-GR/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..61579fc --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-NSS-Init.po b/defensive-coding/el-GR/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..77d9a67 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-NSS-Use.po b/defensive-coding/el-GR/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..8d6ca64 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Nagle.po b/defensive-coding/el-GR/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..a2ce48c --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/el-GR/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..e709a91 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..71efdde --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..02a2ec9 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..aca37c6 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Python-Close.po b/defensive-coding/el-GR/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..6bbf5c2 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/el-GR/Features/snippets/TLS-Python-Use.po b/defensive-coding/el-GR/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..7efb1a3 --- /dev/null +++ b/defensive-coding/el-GR/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/el-GR/Revision_History.po b/defensive-coding/el-GR/Revision_History.po new file mode 100644 index 0000000..d30598e --- /dev/null +++ b/defensive-coding/el-GR/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/Cryptography.po b/defensive-coding/el-GR/Tasks/Cryptography.po new file mode 100644 index 0000000..d5fce87 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/Descriptors.po b/defensive-coding/el-GR/Tasks/Descriptors.po new file mode 100644 index 0000000..a760d56 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/File_System.po b/defensive-coding/el-GR/Tasks/File_System.po new file mode 100644 index 0000000..d465f93 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/Library_Design.po b/defensive-coding/el-GR/Tasks/Library_Design.po new file mode 100644 index 0000000..ab963be --- /dev/null +++ b/defensive-coding/el-GR/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/Processes.po b/defensive-coding/el-GR/Tasks/Processes.po new file mode 100644 index 0000000..cbe0f45 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/Serialization.po b/defensive-coding/el-GR/Tasks/Serialization.po new file mode 100644 index 0000000..48c8ad0 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/Temporary_Files.po b/defensive-coding/el-GR/Tasks/Temporary_Files.po new file mode 100644 index 0000000..0ef3291 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..2b9e68c --- /dev/null +++ b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..0284dfd --- /dev/null +++ b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..1123c14 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..a371bd0 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..a1a0358 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..42b926a --- /dev/null +++ b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..9943749 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..0315039 --- /dev/null +++ b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..78eddbd --- /dev/null +++ b/defensive-coding/el-GR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Greek \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: el\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/en_US/Author_Group.po b/defensive-coding/en_US/Author_Group.po new file mode 100644 index 0000000..b1b8548 --- /dev/null +++ b/defensive-coding/en_US/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "Florian" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "Weimer" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "Red Hat" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "Product Security Team" diff --git a/defensive-coding/en_US/Book_Info.po b/defensive-coding/en_US/Book_Info.po new file mode 100644 index 0000000..9e4b250 --- /dev/null +++ b/defensive-coding/en_US/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "Defensive Coding" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "A Guide to Improving Software Security" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "Fedora Security Team" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "This document provides guidelines for improving software security through secure coding. It covers common programming languages and libraries, and focuses on concrete recommendations." diff --git a/defensive-coding/en_US/C/Allocators.po b/defensive-coding/en_US/C/Allocators.po new file mode 100644 index 0000000..83954d1 --- /dev/null +++ b/defensive-coding/en_US/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "Memory allocators" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "malloc and related functions" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "The C library interfaces for memory allocation are provided by malloc, free and realloc, and the calloc function. In addition to these generic functions, there are derived functions such as strdup which perform allocation using malloc internally, but do not return untyped heap memory (which could be used for any object)." + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "The C compiler knows about these functions and can use their expected behavior for optimizations. For instance, the compiler assumes that an existing pointer (or a pointer derived from an existing pointer by arithmetic) will not point into the memory area returned by malloc." + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "If the allocation fails, realloc does not free the old pointer. Therefore, the idiom ptr = realloc(ptr, size); is wrong because the memory pointed to by ptr leaks in case of an error." + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "Use-after-free errors" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "After free, the pointer is invalid. Further pointer dereferences are not allowed (and are usually detected by valgrind). Less obvious is that any use of the old pointer value is not allowed, either. In particular, comparisons with any other pointer (or the null pointer) are undefined according to the C standard." + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "The same rules apply to realloc if the memory area cannot be enlarged in-place. For instance, the compiler may assume that a comparison between the old and new pointer will always return false, so it is impossible to detect movement this way." + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "Handling memory allocation errors" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "Recovering from out-of-memory errors is often difficult or even impossible. In these cases, malloc and other allocation functions return a null pointer. Dereferencing this pointer lead to a crash. Such dereferences can even be exploitable for code execution if the dereference is combined with an array subscript." + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "In general, if you cannot check all allocation calls and handle failure, you should abort the program on allocation failure, and not rely on the null pointer dereference to terminate the process. See for related memory allocation concerns." + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "alloca and other forms of stack-based allocation" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "Allocation on the stack is risky because stack overflow checking is implicit. There is a guard page at the end of the memory area reserved for the stack. If the program attempts to read from or write to this guard page, a SIGSEGV signal is generated and the program typically terminates." + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "This is sufficient for detecting typical stack overflow situations such as unbounded recursion, but it fails when the stack grows in increments larger than the size of the guard page. In this case, it is possible that the stack pointer ends up pointing into a memory area which has been allocated for a different purposes. Such misbehavior can be exploitable." + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "A common source for large stack growth are calls to alloca and related functions such as strdupa. These functions should be avoided because of the lack of error checking. (They can be used safely if the allocated size is less than the page size (typically, 4096 bytes), but this case is relatively rare.) Additionally, relying on alloca makes it more difficult to reorgnize the code because it is not allowed to use the pointer after the function calling alloca has returned, even if this function has been inlined into its caller." + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "Similar concerns apply to variable-length arrays (VLAs), a feature of the C99 standard which started as a GNU extension. For large objects exceeding the page size, there is no error checking, either." + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "In both cases, negative or very large sizes can trigger a stack-pointer wraparound, and the stack pointer and end up pointing into caller stack frames, which is fatal and can be exploitable." + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "If you want to use alloca or VLAs for performance reasons, consider using a small on-stack array (less than the page size, large enough to fulfill most requests). If the requested size is small enough, use the on-stack array. Otherwise, call malloc. When exiting the function, check if malloc had been called, and free the buffer as needed." + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "Array allocation" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "When allocating arrays, it is important to check for overflows. The calloc function performs such checks." + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "If malloc or realloc is used, the size check must be written manually. For instance, to allocate an array of n elements of type T, check that the requested size is not greater than n / sizeof(T)." + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "Custom memory allocators" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "Custom memory allocates come in two forms: replacements for malloc, and completely different interfaces for memory management. Both approaches can reduce the effectiveness of valgrind and similar tools, and the heap corruption detection provided by GNU libc, so they should be avoided." + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "Memory allocators are difficult to write and contain many performance and security pitfalls." + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "When computing array sizes or rounding up allocation requests (to the next allocation granularity, or for alignment purposes), checks for arithmetic overflow are required." + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "Size computations for array allocations need overflow checking. See ." + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "It can be difficult to beat well-tuned general-purpose allocators. In micro-benchmarks, pool allocators can show huge wins, and size-specific pools can reduce internal fragmentation. But often, utilization of individual pools is poor, and" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "Conservative garbage collection" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "Garbage collection can be an alternative to explicit memory management using malloc and free. The Boehm-Dehmers-Weiser allocator can be used from C programs, with minimal type annotations. Performance is competitive with malloc on 64-bit architectures, especially for multi-threaded programs. The stop-the-world pauses may be problematic for some real-time applications, though." + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "However, using a conservative garbage collector may reduce opertunities for code reduce because once one library in a program uses garbage collection, the whole process memory needs to be subject to it, so that no pointers are missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for internal use, so it is not fully transparent to the rest of the program." diff --git a/defensive-coding/en_US/C/C.po b/defensive-coding/en_US/C/C.po new file mode 100644 index 0000000..c68ae1e --- /dev/null +++ b/defensive-coding/en_US/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "The C Programming Language" diff --git a/defensive-coding/en_US/C/Libc.po b/defensive-coding/en_US/C/Libc.po new file mode 100644 index 0000000..7de74ea --- /dev/null +++ b/defensive-coding/en_US/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "The C standard library" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "Parts of the C standard library (and the UNIX and GNU extensions) are difficult to use, so you shoud avoid them." + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "Please check the applicable documentation before using the recommended replacements. Many of these functions allocate buffers using malloc which your code must deallocate explicitly using free." + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "Absolutely banned interfaces" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "The functions listed below must not be used because they are almost always unsafe. Use the indicated replacements instead." + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "getsfgets" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "getwdgetcwd or get_current_dir_name" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "readdir_rreaddir" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "realpath (with a non-NULL second parameter) ⟶ realpath with NULL as the second parameter, or canonicalize_file_name" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "The constants listed below must not be used, either. Instead, code must allocate memory dynamically and use interfaces with length checking." + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "NAME_MAX (limit not actually enforced by the kernel)" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "PATH_MAX (limit not actually enforced by the kernel)" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "_PC_NAME_MAX (This limit, returned by the pathconf function, is not enforced by the kernel.)" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "_PC_PATH_MAX (This limit, returned by the pathconf function, is not enforced by the kernel.)" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "The following structure members must not be used." + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "f_namemax in struct statvfs (limit not actually enforced by the kernel, see _PC_NAME_MAX above)" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "Functions to avoid" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "The following string manipulation functions can be used securely in principle, but their use should be avoided because they are difficult to use correctly. Calls to these functions can be replaced with asprintf or vasprintf. (For non-GNU targets, these functions are available from Gnulib.) In some cases, the snprintf function might be a suitable replacement, see ." + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "sprintf" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "strcat" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "strcpy" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "vsprintf" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "Use the indicated replacements for the functions below." + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "allocamalloc and free (see )" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "putenv ⟶ explicit envp argument in process creation (see )" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "setenv ⟶ explicit envp argument in process creation (see )" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "strdupastrdup and free (see )" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "strndupastrndup and free (see )" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "systemposix_spawn or fork/execve/ (see )" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "unsetenv ⟶ explicit envp argument in process creation (see )" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "String Functions With Explicit Length Arguments" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "The snprintf function provides a way to construct a string in a statically-sized buffer. (If the buffer size is dynamic, use asprintf instead.)" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "The second argument to the snprintf should always be the size of the buffer in the first argument (which should be a character array). Complex pointer and length arithmetic can introduce errors and nullify the security benefits of snprintf. If you need to construct a string iteratively, by repeatedly appending fragments, consider constructing the string on the heap, increasing the buffer with realloc as needed. (snprintf does not support overlapping the result buffer with argument strings.)" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "If you use vsnprintf (or snprintf) with a format string which is not a constant, but a function argument, it is important to annotate the function with a format function attribute, so that GCC can warn about misuse of your function (see )." + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "The format function attribute" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "There are other functions which operator on NUL-terminated strings and take a length argument which affects the number of bytes written to the destination: strncpy, strncat, and stpncpy. These functions do not ensure that the result string is NUL-terminated. For strncpy, NUL termination can be added this way:" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "Some systems support strlcpy and strlcat functions which behave this way, but these functions are not part of GNU libc. Using snprintf with a suitable format string is a simple (albeit slightly slower) replacement." diff --git a/defensive-coding/en_US/C/snippets/Arithmetic-add.po b/defensive-coding/en_US/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..348b3ea --- /dev/null +++ b/defensive-coding/en_US/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "\nvoid report_overflow(void);\n\nint\nadd(int a, int b)\n{\n int result = a + b;\n if (a < 0 || b < 0) {\n return -1;\n }\n // The compiler can optimize away the following if statement.\n if (result < 0) {\n report_overflow();\n }\n return result;\n}\n" diff --git a/defensive-coding/en_US/C/snippets/Arithmetic-mult.po b/defensive-coding/en_US/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..5dfab2b --- /dev/null +++ b/defensive-coding/en_US/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "\nunsigned\nmul(unsigned a, unsigned b)\n{\n if (b && a > ((unsigned)-1) / b) {\n report_overflow();\n }\n return a * b;\n}\n" diff --git a/defensive-coding/en_US/C/snippets/Pointers-remaining.po b/defensive-coding/en_US/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..d530036 --- /dev/null +++ b/defensive-coding/en_US/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "\nssize_t\nextract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n{\n const char *inp = in;\n const char *inend = in + inlen;\n char **outp = out;\n char **outend = out + outlen;\n\n while (inp != inend) {\n size_t len;\n char *s;\n if (outp == outend) {\n errno = ENOSPC;\n goto err;\n }\n len = (unsigned char)*inp;\n ++inp;\n if (len > (size_t)(inend - inp)) {\n errno = EINVAL;\n goto err;\n }\n s = malloc(len + 1);\n if (s == NULL) {\n goto err;\n }\n memcpy(s, inp, len);\n inp += len;\n s[len] = '\\0';\n *outp = s;\n ++outp;\n }\n return outp - out;\nerr:\n {\n int errno_old = errno;\n while (out != outp) {\n free(*out);\n ++out;\n }\n errno = errno_old;\n }\n return -1;\n}\n" diff --git a/defensive-coding/en_US/C/snippets/String-Functions-format.po b/defensive-coding/en_US/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..c6436a0 --- /dev/null +++ b/defensive-coding/en_US/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "\nvoid log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n\nvoid\nlog_format(const char *format, ...)\n{\n char buf[1000];\n va_list ap;\n va_start(ap, format);\n vsnprintf(buf, sizeof(buf), format, ap);\n va_end(ap);\n log_string(buf);\n}\n" diff --git a/defensive-coding/en_US/C/snippets/String-Functions-snprintf.po b/defensive-coding/en_US/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..a7d0298 --- /dev/null +++ b/defensive-coding/en_US/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "\nchar fraction[30];\nsnprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" diff --git a/defensive-coding/en_US/C/snippets/String-Functions-strncpy.po b/defensive-coding/en_US/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..a7d969e --- /dev/null +++ b/defensive-coding/en_US/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "\nchar buf[10];\nstrncpy(buf, data, sizeof(buf));\nbuf[sizeof(buf) - 1] = '\\0';\n" diff --git a/defensive-coding/en_US/CXX/CXX.po b/defensive-coding/en_US/CXX/CXX.po new file mode 100644 index 0000000..7d56476 --- /dev/null +++ b/defensive-coding/en_US/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "The C++ Programming Language" diff --git a/defensive-coding/en_US/CXX/Language.po b/defensive-coding/en_US/CXX/Language.po new file mode 100644 index 0000000..d77dae1 --- /dev/null +++ b/defensive-coding/en_US/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "The core language" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "C++ includes a large subset of the C language. As far as the C subset is used, the recommendations in apply." + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "Array allocation with operator new[]" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "For very large values of n, an expression like new T[n] can return a pointer to a heap region which is too small. In other words, not all array elements are actually backed with heap memory reserved to the array. Current GCC versions generate code that performs a computation of the form sizeof(T) * size_t(n) + cookie_size, where cookie_size is currently at most 8. This computation can overflow, and GCC-generated code does not detect this." + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "The std::vector template can be used instead an explicit array allocation. (The GCC implementation detects overflow internally.)" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "If there is no alternative to operator new[], code which allocates arrays with a variable length must check for overflow manually. For the new T[n] example, the size check could be n || (n > 0 && n > (size_t(-1) - 8) / sizeof(T)). (See .) If there are additional dimensions (which must be constants according to the C++ standard), these should be included as factors in the divisor." + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "These countermeasures prevent out-of-bounds writes and potential code execution. Very large memory allocations can still lead to a denial of service. contains suggestions for mitigating this problem when processing untrusted data." + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "See for array allocation advice for C-style memory allocation." + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "Overloading" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "Do not overload functions with versions that have different security characteristics. For instance, do not implement a function strcat which works on std::string arguments. Similarly, do not name methods after such functions." + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "ABI compatibility and preparing for security updates" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "A stable binary interface (ABI) is vastly preferred for security updates. Without a stable ABI, all reverse dependencies need recompiling, which can be a lot of work and could even be impossible in some cases. Ideally, a security update only updates a single dynamic shared object, and is picked up automatically after restarting affected processes." + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "Outside of extremely performance-critical code, you should ensure that a wide range of changes is possible without breaking ABI. Some very basic guidelines are:" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "Avoid inline functions." + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "Use the pointer-to-implementation idiom." + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "Try to avoid templates. Use them if the increased type safety provides a benefit to the programmer." + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "Move security-critical code out of templated code, so that it can be patched in a central place if necessary." + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "The KDE project publishes a document with more extensive guidelines on ABI-preserving changes to C++ code, Policies/Binary Compatibility Issues With C++ (d-pointer refers to the pointer-to-implementation idiom)." + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "C++0X and C++11 support" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "GCC offers different language compatibility modes:" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr " for the original 1998 C++ standard" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr " for the 1998 standard with the changes from the TR1 technical report" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr " for the 2011 C++ standard. This option should not be used." + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr " for several different versions of C++11 support in development, depending on the GCC version. This option should not be used." + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "For each of these flags, there are variants which also enable GNU extensions (mostly language features also found in C99 or C11): , , . Again, should not be used." + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "If you enable C++11 support, the ABI of the standard C++ library libstdc++ will change in subtle ways. Currently, no C++ libraries are compiled in C++11 mode, so if you compile your code in C++11 mode, it will be incompatible with the rest of the system. Unfortunately, this is also the case if you do not use any C++11 features. Currently, there is no safe way to enable C++11 mode (except for freestanding applications)." + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "The meaning of C++0X mode changed from GCC release to GCC release. Earlier versions were still ABI-compatible with C++98 mode, but in the most recent versions, switching to C++0X mode activates C++11 support, with its compatibility problems." + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "Some C++11 features (or approximations thereof) are available with TR1 support, that is, with or and in the <tr1/*> header files. This includes std::tr1::shared_ptr (from <tr1/memory>) and std::tr1::function (from <tr1/functional>). For other C++11 features, the Boost C++ library contains replacements." diff --git a/defensive-coding/en_US/CXX/Std.po b/defensive-coding/en_US/CXX/Std.po new file mode 100644 index 0000000..63c10a5 --- /dev/null +++ b/defensive-coding/en_US/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "The C++ standard library" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "The C++ standard library includes most of its C counterpart by reference, see ." + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "Containers and operator[]" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "Many containers similar to std::vector provide both operator[](size_type) and a member function at(size_type). This applies to std::vector itself, std::array, std::string and other instances of std::basic_string." + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "operator[](size_type) is not required by the standard to perform bounds checking (and the implementation in GCC does not). In contrast, at(size_type) must perform such a check. Therefore, in code which is not performance-critical, you should prefer at(size_type) over operator[](size_type), even though it is slightly more verbose." diff --git a/defensive-coding/en_US/Defensive_Coding.po b/defensive-coding/en_US/Defensive_Coding.po new file mode 100644 index 0000000..55e3c78 --- /dev/null +++ b/defensive-coding/en_US/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "Programming Languages" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "Specific Programming Tasks" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "Implementing Security Features" diff --git a/defensive-coding/en_US/Features/Authentication.po b/defensive-coding/en_US/Features/Authentication.po new file mode 100644 index 0000000..b118190 --- /dev/null +++ b/defensive-coding/en_US/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "Authentication and Authorization" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "Authenticating servers" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "When connecting to a server, a client has to make sure that it is actually talking to the server it expects. There are two different aspects, securing the network path, and making sure that the expected user runs the process on the target host. There are several ways to ensure that:" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "The server uses a TLS certificate which is valid according to the web browser public key infrastructure, and the client verifies the certificate and the host name." + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "The server uses a TLS certificate which is expectedby the client (perhaps it is stored in a configuration file read by the client). In this case, no host name checking is required." + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "On Linux, UNIX domain sockets (of the PF_UNIX protocol family, sometimes called PF_LOCAL) are restricted by file system permissions. If the server socket path is not world-writable, the server identity cannot be spoofed by local users." + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "Port numbers less than 1024 (trusted ports) can only be used by root, so if a UDP or TCP server is running on the local host and it uses a trusted port, its identity is assured. (Not all operating systems enforce the trusted ports concept, and the network might not be trusted, so it is only useful on the local system.)" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "TLS () is the recommended way for securing connections over untrusted networks." + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "If the server port number is 1024 is higher, a local user can impersonate the process by binding to this socket, perhaps after crashing the real server by exploiting a denial-of-service vulnerability." + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "Host-based authentication" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "Host-based authentication uses access control lists (ACLs) to accept or deny requests from clients. Thsis authentication method comes in two flavors: IP-based (or, more generally, address-based) and name-based (with the name coming from DNS or /etc/hosts). IP-based ACLs often use prefix notation to extend access to entire subnets. Name-based ACLs sometimes use wildcards for adding groups of hosts (from entire DNS subtrees). (In the SSH context, host-based authentication means something completely different and is not covered in this section.)" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "Host-based authentication trust the network and may not offer sufficient granularity, so it has to be considered a weak form of authentication. On the other hand, IP-based authentication can be made extremely robust and can be applied very early in input processing, so it offers an opportunity for significantly reducing the number of potential attackers for many services." + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "The names returned by gethostbyaddr and getnameinfo functions cannot be trusted. (DNS PTR records can be set to arbitrary values, not just names belong to the address owner.) If these names are used for ACL matching, a forward lookup using gethostbyaddr or getaddrinfo has to be performed. The name is only valid if the original address is found among the results of the forward lookup (double-reverse lookup)." + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "An empty ACL should deny all access (deny-by-default). If empty ACLs permits all access, configuring any access list must switch to deny-by-default for all unconfigured protocols, in both name-based and address-based variants." + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "Similarly, if an address or name is not matched by the list, it should be denied. However, many implementations behave differently, so the actual behavior must be documented properly." + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "IPv6 addresses can embed IPv4 addresses. There is no universally correct way to deal with this ambiguity. The behavior of the ACL implementation should be documented." + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "UNIX domain socket authentication" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "UNIX domain sockets (with address family AF_UNIX or AF_LOCAL) are restricted to the local host and offer a special authentication mechanism: credentials passing." + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "Nowadays, most systems support the SO_PEERCRED (Linux) or LOCAL_PEERCRED (FreeBSD) socket options, or the getpeereid (other BSDs, MacOS X). These interfaces provide direct access to the (effective) user ID on the other end of a domain socket connect, without cooperation from the other end." + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "Historically, credentials passing was implemented using ancillary data in the sendmsg and recvmsg functions. On some systems, only credentials data that the peer has explicitly sent can be received, and the kernel checks the data for correctness on the sending side. This means that both peers need to deal with ancillary data. Compared to that, the modern interfaces are easier to use. Both sets of interfaces vary considerably among UNIX-like systems, unfortunately." + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "If you want to authenticate based on supplementary groups, you should obtain the user ID using one of these methods, and look up the list of supplementary groups using getpwuid (or getpwuid_r) and getgrouplist. Using the PID and information from /proc/PID/status is prone to race conditions and insecure." + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "AF_NETLINK authentication of origin" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "Netlink messages are used as a high-performance data transfer mechanism between the kernel and the userspace. Traditionally, they are used to exchange information related to the network statck, such as routing table entries." + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "When processing Netlink messages from the kernel, it is important to check that these messages actually originate from the kernel, by checking that the port ID (or PID) field nl_pid in the sockaddr_nl structure is 0. (This structure can be obtained using recvfrom or recvmsg, it is different from the nlmsghdr structure.) The kernel does not prevent other processes from sending unicast Netlink messages, but the nl_pid field in the sender's socket address will be non-zero in such cases." + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "Applications should not use AF_NETLINK sockets as an IPC mechanism among processes, but prefer UNIX domain sockets for this tasks." diff --git a/defensive-coding/en_US/Features/TLS.po b/defensive-coding/en_US/Features/TLS.po new file mode 100644 index 0000000..8bebf9d --- /dev/null +++ b/defensive-coding/en_US/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "Transport Layer Security" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the recommended way to to protect integrity and confidentiality while data is transferred over an untrusted network connection, and to identify the endpoint." + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "Common Pitfalls" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "TLS implementations are difficult to use, and most of them lack a clean API design. The following sections contain implementation-specific advice, and some generic pitfalls are mentioned below." + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "Most TLS implementations have questionable default TLS cipher suites. Most of them enable anonymous Diffie-Hellman key exchange (but we generally want servers to authenticate themselves). Many do not disable ciphers which are subject to brute-force attacks because of restricted key lengths. Some even disable all variants of AES in the default configuration." + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "When overriding the cipher suite defaults, it is recommended to disable all cipher suites which are not present on a whitelist, instead of simply enabling a list of cipher suites. This way, if an algorithm is disabled by default in the TLS implementation in a future security update, the application will not re-enable it." + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "The name which is used in certificate validation must match the name provided by the user or configuration file. No host name canonicalization or IP address lookup must be performed." + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "The TLS handshake has very poor performance if the TCP Nagle algorithm is active. You should switch on the TCP_NODELAY socket option (at least for the duration of the handshake), or use the Linux-specific TCP_CORK option." + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "Deactivating the TCP Nagle algorithm" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "Implementing proper session resumption decreases handshake overhead considerably. This is important if the upper-layer protocol uses short-lived connections (like most application of HTTPS)." + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "Both client and server should work towards an orderly connection shutdown, that is send close_notify alerts and respond to them. This is especially important if the upper-layer protocol does not provide means to detect connection truncation (like some uses of HTTP)." + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "When implementing a server using event-driven programming, it is important to handle the TLS handshake properly because it includes multiple network round-trips which can block when an ordinary TCP accept would not. Otherwise, a client which fails to complete the TLS handshake for some reason will prevent the server from handling input from other clients." + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "Unlike regular file descriptors, TLS connections cannot be passed between processes. Some TLS implementations add additional restrictions, and TLS connections generally cannot be used across fork function calls (see )." + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "OpenSSL Pitfalls" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "Some OpenSSL function use tri-state return values. Correct error checking is extremely important. Several functions return int values with the following meaning:" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "The value 1 indicates success (for example, a successful signature verification)." + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "The value 0 indicates semantic failure (for example, a signature verification which was unsuccessful because the signing certificate was self-signed)." + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "The value -1 indicates a low-level error in the system, such as failure to allocate memory using malloc." + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "Treating such tri-state return values as booleans can lead to security vulnerabilities. Note that some OpenSSL functions return boolean results or yet another set of status indicators. Each function needs to be checked individually." + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "Recovering precise error information is difficult. shows how to obtain a more precise error code after a function call on an SSL object has failed. However, there are still cases where no detailed error information is available (e.g., if SSL_shutdown fails due to a connection teardown by the other end)." + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "Obtaining OpenSSL error codes" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "The OPENSSL_config function is documented to never fail. In reality, it can terminate the entire process if there is a failure accessing the configuration file. An error message is written to standard error, but which might not be visible if the function is called from a daemon process." + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "OpenSSL contains two separate ASN.1 DER decoders. One set of decoders operate on BIO handles (the input/output stream abstraction provided by OpenSSL); their decoder function names start with d2i_ and end in _fp or _bio (e.g., d2i_X509_fp or d2i_X509_bio). These decoders must not be used for parsing data from untrusted sources; instead, the variants without the _fp and _bio (e.g., d2i_X509) shall be used. The BIO variants have received considerably less testing and are not very robust." + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "For the same reason, the OpenSSL command line tools (such as openssl x509) are generally generally less robust than the actual library code. They use the BIO functions internally, and not the more robust variants." + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "The command line tools do not always indicate failure in the exit status of the openssl process. For instance, a verification failure in openssl verify result in an exit status of zero." + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "The OpenSSL server and client applications (openssl s_client and openssl s_server) are debugging tools and should never be used as generic clients. For instance, the s_client tool reacts in a surprisign way to lines starting with R and Q." + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "OpenSSL allows application code to access private key material over documented interfaces. This can significantly increase the part of the code base which has to undergo security certification." + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "GNUTLS Pitfalls" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "libgnutls.so.26 links to libpthread.so.0. Loading the threading library too late causes problems, so the main program should be linked with -lpthread as well. As a result, it can be difficult to use GNUTLS in a plugin which is loaded with the dlopen function. Another side effect is that applications which merely link against GNUTLS (even without actually using it) may incur a substantial overhead because other libraries automatically switch to thread-safe algorithms." + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "The gnutls_global_init function must be called before using any functionality provided by the library. This function is not thread-safe, so external locking is required, but it is not clear which lock should be used. Omitting the synchronization does not just lead to a memory leak, as it is suggested in the GNUTLS documentation, but to undefined behavior because there is no barrier that would enforce memory ordering." + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "The gnutls_global_deinit function does not actually deallocate all resources allocated by gnutls_global_init. It is currently not thread-safe. Therefore, it is best to avoid calling it altogether." + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "The X.509 implementation in GNUTLS is rather lenient. For example, it is possible to create and process X.509 version 1 certificates which carry extensions. These certificates are (correctly) rejected by other implementations." + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "OpenJDK Pitfalls" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "The Java cryptographic framework is highly modular. As a result, when you request an object implementing some cryptographic functionality, you cannot be completely sure that you end up with the well-tested, reviewed implementation in OpenJDK." + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "OpenJDK (in the source code as published by Oracle) and other implementations of the Java platform require that the system administrator has installed so-called unlimited strength jurisdiction policy files. Without this step, it is not possible to use the secure algorithms which offer sufficient cryptographic strength. Most downstream redistributors of OpenJDK remove this requirement." + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "Some versions of OpenJDK use /dev/random as the randomness source for nonces and other random data which is needed for TLS operation, but does not actually require physical randomness. As a result, TLS applications can block, waiting for more bits to become available in /dev/random." + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "NSS Pitfalls" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "NSS was not designed to be used by other libraries which can be linked into applications without modifying them. There is a lot of global state. There does not seem to be a way to perform required NSS initialization without race conditions." + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "If the NSPR descriptor is in an unexpected state, the SSL_ForceHandshake function can succeed, but no TLS handshake takes place, the peer is not authenticated, and subsequent data is exchanged in the clear." + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "NSS disables itself if it detects that the process underwent a fork after the library has been initialized. This behavior is required by the PKCS#11 API specification." + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "TLS Clients" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "Secure use of TLS in a client generally involves all of the following steps. (Individual instructions for specific TLS implementations follow in the next sections.)" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "The client must configure the TLS library to use a set of trusted root certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "The client selects sufficiently strong cryptographic primitives and disables insecure ones (such as no-op encryption). Compression and SSL version 2 support must be disabled (including the SSLv2-compatible handshake)." + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "The client initiates the TLS connection. The Server Name Indication extension should be used if supported by the TLS implementation. Before switching to the encrypted connection state, the contents of all input and output buffers must be discarded." + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "The client needs to validate the peer certificate provided by the server, that is, the client must check that there is a cryptographically protected chain from a trusted root certificate to the peer certificate. (Depending on the TLS implementation, a TLS handshake can succeed even if the certificate cannot be validated.)" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "The client must check that the configured or user-provided server name matches the peer certificate provided by the server." + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "It is safe to provide users detailed diagnostics on certificate validation failures. Other causes of handshake failures and, generally speaking, any details on other errors reported by the TLS implementation (particularly exception tracebacks), must not be divulged in ways that make them accessible to potential attackers. Otherwise, it is possible to create decryption oracles." + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "Depending on the application, revocation checking (against certificate revocations lists or via OCSP) and session resumption are important aspects of production-quality client. These aspects are not yet covered." + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "Implementation TLS Clients With OpenSSL" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "In the following code, the error handling is only exploratory. Proper error handling is required for production use, especially in libraries." + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "The OpenSSL library needs explicit initialization (see )." + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "OpenSSL library initialization" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "After that, a context object has to be created, which acts as a factory for connection objects (). We use an explicit cipher list so that we do not pick up any strange ciphers when OpenSSL is upgraded. The actual version requested in the client hello depends on additional restrictions in the OpenSSL library. If possible, you should follow the example code and use the default list of trusted root certificate authorities provided by the system because you would have to maintain your own set otherwise, which can be cumbersome." + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "OpenSSL client context creation" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "A single context object can be used to create multiple connection objects. It is safe to use the same SSL_CTX object for creating connections concurrently from multiple threads, provided that the SSL_CTX object is not modified (e.g., callbacks must not be changed)." + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object needs to be created, as show in . If the handshake started by SSL_connect fails, the ssl_print_error_and_exit function from is called." + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "The certificate_validity_override function provides an opportunity to override the validity of the certificate in case the OpenSSL check fails. If such functionality is not required, the call can be removed, otherwise, the application developer has to implement it." + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "The host name passed to the functions SSL_set_tlsext_host_name and X509_check_host must be the name that was passed to getaddrinfo or a similar name resolution function. No host name canonicalization must be performed. The X509_check_host function used in the final step for host name matching is currently only implemented in OpenSSL 1.1, which is not released yet. In case host name matching fails, the function certificate_host_name_override is called. This function should check user-specific certificate store, to allow a connection even if the host name does not match the certificate. This function has to be provided by the application developer. Note that the override must be keyed by both the certificate and the host name." + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "Creating a client connection using OpenSSL" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "The connection object can be used for sending and receiving data, as in . It is also possible to create a BIO object and use the SSL object as the underlying transport, using BIO_set_ssl." + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "Using an OpenSSL connection to send and receive data" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "When it is time to close the connection, the SSL_shutdown function needs to be called twice for an orderly, synchronous connection termination (). This exchanges close_notify alerts with the server. The additional logic is required to deal with an unexpected close_notify from the server. Note that is necessary to explicitly close the underlying socket after the connection object has been freed." + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "Closing an OpenSSL connection in an orderly fashion" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr " shows how to deallocate the context object when it is no longer needed because no further TLS connections will be established." + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "Implementation TLS Clients With GNUTLS" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "This section describes how to implement a TLS client with full certificate validation (but without certificate revocation checking). Note that the error handling in is only exploratory and needs to be replaced before production use." + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "The GNUTLS library needs explicit initialization:" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "Failing to do so can result in obscure failures in Base64 decoding. See for additional aspects of initialization." + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "Before setting up TLS connections, a credentials objects has to be allocated and initialized with the set of trusted root CAs ()." + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "Initializing a GNUTLS credentials structure" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "After the last TLS connection has been closed, this credentials object should be freed:" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "During its lifetime, the credentials object can be used to initialize TLS session objects from multiple threads, provided that it is not changed." + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "Once the TCP connection has been established, the Nagle algorithm should be disabled (see ). After that, the socket can be associated with a new GNUTLS session object. The previously allocated credentials object provides the set of root CAs. The NORMAL set of cipher suites and protocols provides a reasonable default. Then the TLS handshake must be initiated. This is shown in ." + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "Establishing a TLS client connection using GNUTLS" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "After the handshake has been completed, the server certificate needs to be verified (). In the example, the user-defined certificate_validity_override function is called if the verification fails, so that a separate, user-specific trust store can be checked. This function call can be omitted if the functionality is not needed." + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "Verifying a server certificate using GNUTLS" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "In the next step (, the certificate must be matched against the host name (note the unusual return value from gnutls_x509_crt_check_hostname). Again, an override function certificate_host_name_override is called. Note that the override must be keyed to the certificate and the host name. The function call can be omitted if the override is not needed." + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "Matching the server host name and certificate in a GNUTLS client" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "In newer GNUTLS versions, certificate checking and host name validation can be combined using the gnutls_certificate_verify_peers3 function." + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "An established TLS session can be used for sending and receiving data, as in ." + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "Using a GNUTLS session" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "In order to shut down a connection in an orderly manner, you should call the gnutls_bye function. Finally, the session object can be deallocated using gnutls_deinit (see )." + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "Implementing TLS Clients With OpenJDK" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "The examples below use the following cryptographic-related classes:" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "If compatibility with OpenJDK 6 is required, it is necessary to use the internal class sun.security.util.HostnameChecker. (The public OpenJDK API does not provide any support for dissecting the subject distinguished name of an X.509 certificate, so a custom-written DER parser is needed—or we have to use an internal class, which we do below.) In OpenJDK 7, the setEndpointIdentificationAlgorithm method was added to the javax.net.ssl.SSLParameters class, providing an official way to implement host name checking." + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "TLS connections are established using an SSLContext instance. With a properly configured OpenJDK installation, the SunJSSE provider uses the system-wide set of trusted root certificate authorities, so no further configuration is necessary. For backwards compatibility with OpenJDK 6, the TLSv1 provider has to be supported as a fall-back option. This is shown in ." + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "Setting up an SSLContext for OpenJDK TLS clients" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "In addition to the context, a TLS parameter object will be needed which adjusts the cipher suites and protocols (). Like the context, these parameters can be reused for multiple TLS connections." + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "Setting up SSLParameters for TLS use with OpenJDK" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "As initialized above, the parameter object does not yet require host name checking. This has to be enabled separately, and this is only supported by OpenJDK 7 and later:" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "All application protocols can use the \"HTTPS\" algorithm. (The algorithms have minor differences with regard to wildcard handling, which should not matter in practice.)" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr " shows how to establish the connection. Before the handshake is initialized, the protocol and cipher configuration has to be performed, by applying the parameter object params. (After this point, changes to params will not affect this TLS socket.) As mentioned initially, host name checking requires using an internal API on OpenJDK 6." + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "Establishing a TLS connection with OpenJDK" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "Starting with OpenJDK 7, the last lines can be omitted, provided that host name verification has been enabled by calling the setEndpointIdentificationAlgorithm method on the params object (before it was applied to the socket)." + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "The TLS socket can be used as a regular socket, as shown in ." + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "Using a TLS client socket in OpenJDK" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "Overriding server certificate validation with OpenJDK 6" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "Overriding certificate validation requires a custom trust manager. With OpenJDK 6, the trust manager lacks information about the TLS session, and to which server the connection is made. Certificate overrides have to be tied to specific servers (host names). Consequently, different TrustManager and SSLContext objects have to be used for different servers." + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "In the trust manager shown in , the server certificate is identified by its SHA-256 hash." + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "A customer trust manager for OpenJDK TLS clients" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "This trust manager has to be passed to the init method of the SSLContext object, as show in ." + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "Using a custom TLS trust manager with OpenJDK" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "When certificate overrides are in place, host name verification should not be performed because there is no security requirement that the host name in the certificate matches the host name used to establish the connection (and it often will not). However, without host name verification, it is not possible to perform transparent fallback to certification validation using the system certificate store." + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "The approach described above works with OpenJDK 6 and later versions. Starting with OpenJDK 7, it is possible to use a custom subclass of the javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK TLS implementation will call the new methods, passing along TLS session information. This can be used to implement certificate overrides as a fallback (if certificate or host name verification fails), and a trust manager object can be used for multiple servers because the server address is available to the trust manager." + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "Implementing TLS Clients With NSS" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "The following code shows how to implement a simple TLS client using NSS. Note that the error handling needs replacing before production use." + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "Using NSS needs several header files, as shown in ." + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "Include files for NSS" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "Initializing the NSS library is a complex task (). It is not thread-safe. By default, the library is in export mode, and all strong ciphers are disabled. Therefore, after creating the NSSInitCContext object, we probe all the strong ciphers we want to use, and check if at least one of them is available. If not, we call NSS_SetDomesticPolicy to switch to unrestricted policy mode. This function replaces the existing global cipher suite policy, that is why we avoid calling it unless absolutely necessary." + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "The simplest way to configured the trusted root certificates involves loading the libnssckbi.so NSS module with a call to the SECMOD_LoadUserModule function. The root certificates are compiled into this module. (The PEM module for NSS, libnsspem.so, offers a way to load trusted CA certificates from a file.)" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "Initializing the NSS library" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "Some of the effects of the initialization can be reverted with the following function calls:" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "After NSS has been initialized, the TLS connection can be created (). The internal PR_ImportTCPSocket function is used to turn the POSIX file descriptor sockfd into an NSPR file descriptor. (This function is de-facto part of the NSS public ABI, so it will not go away.) Creating the TLS-capable file descriptor requires a model descriptor, which is configured with the desired set of protocols and ciphers. (The good_ciphers variable is part of .) We cannot resort to disabling ciphers not on a whitelist because by default, the AES cipher suites are disabled. The model descriptor is not needed anymore after TLS support has been activated for the existing connection descriptor." + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "The call to SSL_BadCertHook can be omitted if no mechanism to override certificate verification is needed. The bad_certificate function must check both the host name specified for the connection and the certificate before granting the override." + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "Triggering the actual handshake requires three function calls, SSL_ResetHandshake, SSL_SetURL, and SSL_ForceHandshake. (If SSL_ResetHandshake is omitted, SSL_ForceHandshake will succeed, but the data will not be encrypted.) During the handshake, the certificate is verified and matched against the host name." + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "Creating a TLS connection with NSS" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "After the connection has been established, shows how to use the NSPR descriptor to communicate with the server." + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "Using NSS for sending and receiving data" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr " shows how to close the connection." + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "Closing NSS client connections" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "Implementing TLS Clients With Python" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "The Python distribution provides a TLS implementation in the ssl module (actually a wrapper around OpenSSL). The exported interface is somewhat restricted, so that the client code shown below does not fully implement the recommendations in ." + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "Currently, most Python function which accept https:// URLs or otherwise implement HTTPS support do not perform certificate validation at all. (For example, this is true for the httplib and xmlrpclib modules.) If you use HTTPS, you should not use the built-in HTTP clients. The Curl class in the curl module, as provided by the python-pycurl package implements proper certificate validation." + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "The ssl module currently does not perform host name checking on the server certificate. shows how to implement certificate matching, using the parsed certificate returned by getpeercert." + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "Implementing TLS host name checking Python (without wildcard support)" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "To turn a regular, connected TCP socket into a TLS-enabled socket, use the ssl.wrap_socket function. The function call in provides additional arguments to override questionable defaults in OpenSSL and in the Python module." + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" selects relatively strong cipher suites with certificate-based authentication. (The call to check_host_name function provides additional protection against anonymous cipher suites.)" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. By default, the ssl module sends an SSL 2.0 client hello, which is rejected by some servers. Ideally, we would request OpenSSL to negotiated the most recent TLS version supported by the server and the client, but the Python module does not allow this." + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "cert_reqs=ssl.CERT_REQUIRED turns on certificate validation." + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the certificate store with a set of trusted root CAs. Unfortunately, it is necessary to hard-code this path into applications because the default path in OpenSSL is not available through the Python ssl module." + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "The ssl module (and OpenSSL) perform certificate validation, but the certificate must be compared manually against the host name, by calling the check_host_name defined above." + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "Establishing a TLS client connection with Python" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "After the connection has been established, the TLS socket can be used like a regular socket:" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "Closing the TLS socket is straightforward as well:" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..56c1eee --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "\n// Create the session object.\ngnutls_session_t session;\nret = gnutls_init(&session, GNUTLS_CLIENT);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_init: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n\n// Configure the cipher preferences.\nconst char *errptr = NULL;\nret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n\"\n\t \"error: at: \\\"%s\\\"\n\", gnutls_strerror(ret), errptr);\n exit(1);\n}\n\n// Install the trusted certificates.\nret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_credentials_set: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n\n// Associate the socket with the session object and set the server\n// name.\ngnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\nret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n\t\t\t host, strlen(host));\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_server_name_set: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n\n// Establish the session.\nret = gnutls_handshake(session);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_handshake: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..70e2165 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "\n// Load the trusted CA certificates.\ngnutls_certificate_credentials_t cred = NULL;\nint ret = gnutls_certificate_allocate_credentials (&cred);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n// or newer, so we hard-code the path to the certificate store\n// instead.\nstatic const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\nret = gnutls_certificate_set_x509_trust_file\n (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\nif (ret == 0) {\n fprintf(stderr, \"error: no certificates found in: %s\n\", ca_bundle);\n exit(1);\n}\nif (ret < 0) {\n fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n\",\n\t ca_bundle, gnutls_strerror(ret));\n exit(1);\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..75a24b6 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "\n// Match the peer certificate against the host name.\n// We can only obtain a set of DER-encoded certificates from the\n// session object, so we have to re-parse the peer certificate into\n// a certificate object.\ngnutls_x509_crt_t cert;\nret = gnutls_x509_crt_init(&cert);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n// The peer certificate is the first certificate in the list.\nret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\nret = gnutls_x509_crt_check_hostname(cert, host);\nif (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n fprintf(stderr, \"error: host name does not match certificate\n\");\n exit(1);\n}\ngnutls_x509_crt_deinit(cert);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..490167a --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "\n// Obtain the server certificate chain. The server certificate\n// itself is stored in the first element of the array.\nunsigned certslen = 0;\nconst gnutls_datum_t *const certs =\n gnutls_certificate_get_peers(session, &certslen);\nif (certs == NULL || certslen == 0) {\n fprintf(stderr, \"error: could not obtain peer certificate\n\");\n exit(1);\n}\n\n// Validate the certificate chain.\nunsigned status = (unsigned)-1;\nret = gnutls_certificate_verify_peers2(session, &status);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\nif (status != 0 && !certificate_validity_override(certs[0])) {\n gnutls_datum_t msg;\n#if GNUTLS_VERSION_AT_LEAST_3_1_4\n int type = gnutls_certificate_type_get (session);\n ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n#else\n ret = -1;\n#endif\n if (ret == 0) {\n fprintf(stderr, \"error: %s\n\", msg.data);\n gnutls_free(msg.data);\n exit(1);\n } else {\n fprintf(stderr, \"error: certificate validation failed with code 0x%x\n\",\n\t status);\n exit(1);\n }\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/en_US/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..de8ca04 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "\n// Send close_notify alert.\nif (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: PR_Read error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\n// Closes the underlying POSIX file descriptor, too.\nPR_Close(nspr);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/en_US/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..92e4cd7 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "\n// Wrap the POSIX file descriptor. This is an internal NSPR\n// function, but it is very unlikely to change.\nPRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\nsockfd = -1; // Has been taken over by NSPR.\n\n// Add the SSL layer.\n{\n PRFileDesc *model = PR_NewTCPSocket();\n PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n if (newfd == NULL) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: NSPR error code %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n model = newfd;\n newfd = NULL;\n if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n\n // Disable all ciphers (except RC4-based ciphers, for backwards\n // compatibility).\n const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n\t const PRErrorCode err = PR_GetError();\n\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n\",\n\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n\t exit(1);\n\t}\n }\n }\n\n // Enable the strong ciphers.\n for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n\t ++p) {\n if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n\tconst PRErrorCode err = PR_GetError();\n\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n\",\n\t\t(unsigned)*p, err, PR_ErrorToName(err));\n\texit(1);\n }\n }\n\n // Allow overriding invalid certificate.\n if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n\n newfd = SSL_ImportFD(model, nspr);\n if (newfd == NULL) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n nspr = newfd;\n PR_Close(model);\n}\n\n// Perform the handshake.\nif (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\nif (SSL_SetURL(nspr, host) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: SSL_SetURL error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\nif (SSL_ForceHandshake(nspr) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..fd4870a --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "\n// Create the socket and connect it at the TCP layer.\nSSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n .createSocket(host, port);\n\n// Disable the Nagle algorithm.\nsocket.setTcpNoDelay(true);\n\n// Adjust ciphers and protocols.\nsocket.setSSLParameters(params);\n\n// Perform the handshake.\nsocket.startHandshake();\n\n// Validate the host name. The match() method throws\n// CertificateException on failure.\nX509Certificate peer = (X509Certificate)\n socket.getSession().getPeerCertificates()[0];\n// This is the only way to perform host name checking on OpenJDK 6.\nHostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n host, peer);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..2f4d01c --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "\n// Create the context. Specify the SunJSSE provider to avoid\n// picking up third-party providers. Try the TLS 1.2 provider\n// first, then fall back to TLS 1.0.\nSSLContext ctx;\ntry {\n ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n} catch (NoSuchAlgorithmException e) {\n try {\n ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n } catch (NoSuchAlgorithmException e1) {\n // The TLS 1.0 provider should always be available.\n throw new AssertionError(e1);\n } catch (NoSuchProviderException e1) {\n throw new AssertionError(e1);\n } \n} catch (NoSuchProviderException e) {\n // The SunJSSE provider should always be available.\n throw new AssertionError(e);\n}\nctx.init(null, null, null);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..2c1b31b --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "\nSSLContext ctx;\ntry {\n ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n} catch (NoSuchAlgorithmException e) {\n try {\n ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n } catch (NoSuchAlgorithmException e1) {\n throw new AssertionError(e1);\n } catch (NoSuchProviderException e1) {\n throw new AssertionError(e1);\n }\n} catch (NoSuchProviderException e) {\n throw new AssertionError(e);\n}\nMyTrustManager tm = new MyTrustManager(certHash);\nctx.init(null, new TrustManager[] {tm}, null);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..7ea2cee --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "\nparams.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..7293d77 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "\nimport java.security.NoSuchAlgorithmException;\nimport java.security.NoSuchProviderException;\nimport java.security.cert.CertificateEncodingException;\nimport java.security.cert.CertificateException;\nimport java.security.cert.X509Certificate;\nimport javax.net.ssl.SSLContext;\nimport javax.net.ssl.SSLParameters;\nimport javax.net.ssl.SSLSocket;\nimport javax.net.ssl.TrustManager;\nimport javax.net.ssl.X509TrustManager;\n\nimport sun.security.util.HostnameChecker;\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..6d229a8 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "\npublic class MyTrustManager implements X509TrustManager {\n private final byte[] certHash;\n\n public MyTrustManager(byte[] certHash) throws Exception {\n this.certHash = certHash;\n }\n\n @Override\n public void checkClientTrusted(X509Certificate[] chain, String authType)\n throws CertificateException {\n throw new UnsupportedOperationException();\n }\n\n @Override\n public void checkServerTrusted(X509Certificate[] chain,\n String authType) throws CertificateException {\n byte[] digest = getCertificateDigest(chain[0]);\n String digestHex = formatHex(digest);\n\n if (Arrays.equals(digest, certHash)) {\n System.err.println(\"info: accepting certificate: \" + digestHex);\n } else {\n throw new CertificateException(\"certificate rejected: \" +\n digestHex);\n }\n }\n\n @Override\n public X509Certificate[] getAcceptedIssuers() {\n return new X509Certificate[0];\n }\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..5f1fe9b --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "\nsocket.getOutputStream().write(\"GET / HTTP/1.0\\r\n\\r\n\"\n .getBytes(Charset.forName(\"UTF-8\")));\nbyte[] buffer = new byte[4096];\nint count = socket.getInputStream().read(buffer);\nSystem.out.write(buffer, 0, count);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..4deb02a --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "\n// Configure a client connection context. Send a hendshake for the\n// highest supported TLS version, and disable compression.\nconst SSL_METHOD *const req_method = SSLv23_client_method();\nSSL_CTX *const ctx = SSL_CTX_new(req_method);\nif (ctx == NULL) {\n ERR_print_errors(bio_err);\n exit(1);\n}\nSSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n\n// Adjust the ciphers list based on a whitelist. First enable all\n// ciphers of at least medium strength, to get the list which is\n// compiled into OpenSSL.\nif (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n ERR_print_errors(bio_err);\n exit(1);\n}\n{\n // Create a dummy SSL session to obtain the cipher list.\n SSL *ssl = SSL_new(ctx);\n if (ssl == NULL) {\n ERR_print_errors(bio_err);\n exit(1);\n }\n STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n if (active_ciphers == NULL) {\n ERR_print_errors(bio_err);\n exit(1);\n }\n // Whitelist of candidate ciphers.\n static const char *const candidates[] = {\n \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n NULL\n };\n // Actually selected ciphers.\n char ciphers[300];\n ciphers[0] = '\\0';\n for (const char *const *c = candidates; *c; ++c) {\n for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n\t\t *c) == 0) {\n\t if (*ciphers) {\n\t strcat(ciphers, \":\");\n\t }\n\t strcat(ciphers, *c);\n\t break;\n\t}\n }\n }\n SSL_free(ssl);\n // Apply final cipher list.\n if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n ERR_print_errors(bio_err);\n exit(1);\n }\n}\n\n// Load the set of trusted root certificates.\nif (!SSL_CTX_set_default_verify_paths(ctx)) {\n ERR_print_errors(bio_err);\n exit(1);\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..96d852b --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "\n// Create the connection object.\nSSL *ssl = SSL_new(ctx);\nif (ssl == NULL) {\n ERR_print_errors(bio_err);\n exit(1);\n}\nSSL_set_fd(ssl, sockfd);\n\n// Enable the ServerNameIndication extension\nif (!SSL_set_tlsext_host_name(ssl, host)) {\n ERR_print_errors(bio_err);\n exit(1);\n}\n\n// Perform the TLS handshake with the server.\nret = SSL_connect(ssl);\nif (ret != 1) {\n // Error status can be 0 or negative.\n ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n}\n\n// Obtain the server certificate.\nX509 *peercert = SSL_get_peer_certificate(ssl);\nif (peercert == NULL) {\n fprintf(stderr, \"peer certificate missing\");\n exit(1);\n}\n\n// Check the certificate verification result. Allow an explicit\n// certificate validation override in case verification fails.\nint verifystatus = SSL_get_verify_result(ssl);\nif (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n fprintf(stderr, \"SSL_connect: verify result: %s\n\",\n\t X509_verify_cert_error_string(verifystatus));\n exit(1);\n}\n\n// Check if the server certificate matches the host name used to\n// establish the connection.\n// FIXME: Currently needs OpenSSL 1.1.\nif (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n\t\t 0) != 1\n && !certificate_host_name_override(peercert, host)) {\n fprintf(stderr, \"SSL certificate does not match host name\n\");\n exit(1);\n}\n\nX509_free(peercert);\n\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..521655b --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "\nconst char *const req = \"GET / HTTP/1.0\\r\n\\r\n\";\nif (SSL_write(ssl, req, strlen(req)) < 0) {\n ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n}\nchar buf[4096];\nret = SSL_read(ssl, buf, sizeof(buf));\nif (ret < 0) {\n ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..8eaf2d1 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "\n// The following call prints an error message and calls exit() if\n// the OpenSSL configuration file is unreadable.\nOPENSSL_config(NULL);\n// Provide human-readable error messages.\nSSL_load_error_strings();\n// Register ciphers.\nSSL_library_init();\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/en_US/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..2abc6ba --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "\nsock = ssl.wrap_socket(sock,\n ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n ssl_version=ssl.PROTOCOL_TLSv1,\n cert_reqs=ssl.CERT_REQUIRED,\n ca_certs='/etc/ssl/certs/ca-bundle.crt')\n# getpeercert() triggers the handshake as a side effect.\nif not check_host_name(sock.getpeercert(), host):\n raise IOError(\"peer certificate does not match host name\")\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/en_US/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..651b967 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "\ndef check_host_name(peercert, name):\n \"\"\"Simple certificate/host name checker. Returns True if the\n certificate matches, False otherwise. Does not support\n wildcards.\"\"\"\n # Check that the peer has supplied a certificate.\n # None/{} is not acceptable.\n if not peercert:\n return False\n if peercert.has_key(\"subjectAltName\"):\n for typ, val in peercert[\"subjectAltName\"]:\n if typ == \"DNS\" and val == name:\n return True\n else:\n # Only check the subject DN if there is no subject alternative\n # name.\n cn = None\n for attr, val in peercert[\"subject\"]:\n # Use most-specific (last) commonName attribute.\n if attr == \"commonName\":\n cn = val\n if cn is not None:\n return cn == name\n return False\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..fc91524 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "\ngnutls_certificate_free_credentials(cred);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..1b64735 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "\n// Initiate an orderly connection shutdown.\nret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\nif (ret < 0) {\n fprintf(stderr, \"error: gnutls_bye: %s\n\", gnutls_strerror(ret));\n exit(1);\n}\n// Free the session object.\ngnutls_deinit(session);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..e6f2cfe --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "\ngnutls_global_init();\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..64b5ee8 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "\nchar buf[4096];\nsnprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\nHost: %s\\r\n\\r\n\", host);\nret = gnutls_record_send(session, buf, strlen(buf));\nif (ret < 0) {\n fprintf(stderr, \"error: gnutls_record_send: %s\n\", gnutls_strerror(ret));\n exit(1);\n}\nret = gnutls_record_recv(session, buf, sizeof(buf));\nif (ret < 0) {\n fprintf(stderr, \"error: gnutls_record_recv: %s\n\", gnutls_strerror(ret));\n exit(1);\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-NSS-Close.po b/defensive-coding/en_US/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..2d9a291 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "\nSECMOD_DestroyModule(module);\nNSS_ShutdownContext(ctx);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/en_US/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..4cbb138 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "\n// NSPR include files\n#include <prerror.h>\n#include <prinit.h>\n\n// NSS include files\n#include <nss.h>\n#include <pk11pub.h>\n#include <secmod.h>\n#include <ssl.h>\n#include <sslproto.h>\n\n// Private API, no other way to turn a POSIX file descriptor into an\n// NSPR handle.\nNSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-NSS-Init.po b/defensive-coding/en_US/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..2cb7b54 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "\nPR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\nNSSInitContext *const ctx =\n NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\nif (ctx == NULL) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: NSPR error code %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\n\n// Ciphers to enable.\nstatic const PRUint16 good_ciphers[] = {\n TLS_RSA_WITH_AES_128_CBC_SHA,\n TLS_RSA_WITH_AES_256_CBC_SHA,\n SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n SSL_NULL_WITH_NULL_NULL // sentinel\n};\n\n// Check if the current policy allows any strong ciphers. If it\n// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n// not thread-safe and has global impact. Consequently, we only do\n// it if absolutely necessary.\nint found_good_cipher = 0;\nfor (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n ++p) {\n PRInt32 policy;\n if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n\",\n\t (unsigned)*p, err, PR_ErrorToName(err));\n exit(1);\n }\n if (policy == SSL_ALLOWED) {\n fprintf(stderr, \"info: found cipher %x\n\", (unsigned)*p);\n found_good_cipher = 1;\n break;\n }\n}\nif (!found_good_cipher) {\n if (NSS_SetDomesticPolicy() != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n}\n\n// Initialize the trusted certificate store.\nchar module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\nSECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\nif (module == NULL || !module->loaded) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: NSPR error code %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-NSS-Use.po b/defensive-coding/en_US/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..9402437 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "\nchar buf[4096];\nsnprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\nHost: %s\\r\n\\r\n\", host);\nPRInt32 ret = PR_Write(nspr, buf, strlen(buf));\nif (ret < 0) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: PR_Write error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\nret = PR_Read(nspr, buf, sizeof(buf));\nif (ret < 0) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: PR_Read error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Nagle.po b/defensive-coding/en_US/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..d3aaa25 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "\nconst int val = 1;\nint ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\nif (ret < 0) {\n perror(\"setsockopt(TCP_NODELAY)\");\n exit(1);\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/en_US/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..95973a2 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "\n// Prepare TLS parameters. These have to applied to every TLS\n// socket before the handshake is triggered.\nSSLParameters params = ctx.getDefaultSSLParameters();\n// Do not send an SSL-2.0-compatible Client Hello.\nArrayList<String> protocols = new ArrayList<String>(\n Arrays.asList(params.getProtocols()));\nprotocols.remove(\"SSLv2Hello\");\nparams.setProtocols(protocols.toArray(new String[protocols.size()]));\n// Adjust the supported ciphers.\nArrayList<String> ciphers = new ArrayList<String>(\n Arrays.asList(params.getCipherSuites()));\nciphers.retainAll(Arrays.asList(\n \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n \"SSL_RSA_WITH_RC4_128_SHA1\",\n \"SSL_RSA_WITH_RC4_128_MD5\",\n \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\nparams.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..84ce845 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "\n// Send the close_notify alert.\nret = SSL_shutdown(ssl);\nswitch (ret) {\ncase 1:\n // A close_notify alert has already been received.\n break;\ncase 0:\n // Wait for the close_notify alert from the peer.\n ret = SSL_shutdown(ssl);\n switch (ret) {\n case 0:\n fprintf(stderr, \"info: second SSL_shutdown returned zero\n\");\n break;\n case 1:\n break;\n default:\n ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n }\n break;\ndefault:\n ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n}\nSSL_free(ssl);\nclose(sockfd);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..e32598c --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "\nSSL_CTX_free(ctx);\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..fc7eddf --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "\nstatic void __attribute__((noreturn))\nssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n{\n int subcode = SSL_get_error(ssl, ret);\n switch (subcode) {\n case SSL_ERROR_NONE:\n fprintf(stderr, \"error: %s: no error to report\n\", op);\n break;\n case SSL_ERROR_WANT_READ:\n case SSL_ERROR_WANT_WRITE:\n case SSL_ERROR_WANT_X509_LOOKUP:\n case SSL_ERROR_WANT_CONNECT:\n case SSL_ERROR_WANT_ACCEPT:\n fprintf(stderr, \"error: %s: invalid blocking state %d\n\", op, subcode);\n break;\n case SSL_ERROR_SSL:\n fprintf(stderr, \"error: %s: TLS layer problem\n\", op);\n case SSL_ERROR_SYSCALL:\n fprintf(stderr, \"error: %s: system call failed: %s\n\", op, strerror(errno));\n break;\n case SSL_ERROR_ZERO_RETURN:\n fprintf(stderr, \"error: %s: zero return\n\", op);\n }\n exit(1);\n}\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Python-Close.po b/defensive-coding/en_US/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..35240a7 --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "\nsock.close()\n" diff --git a/defensive-coding/en_US/Features/snippets/TLS-Python-Use.po b/defensive-coding/en_US/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..1f1ce0f --- /dev/null +++ b/defensive-coding/en_US/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "\nsock.write(\"GET / HTTP/1.1\\r\nHost: \" + host + \"\\r\n\\r\n\")\nprint sock.read()\n" diff --git a/defensive-coding/en_US/Revision_History.po b/defensive-coding/en_US/Revision_History.po new file mode 100644 index 0000000..cadbbf7 --- /dev/null +++ b/defensive-coding/en_US/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "Revision History" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "Eric" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "Christensen" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "Initial publication." diff --git a/defensive-coding/en_US/Tasks/Cryptography.po b/defensive-coding/en_US/Tasks/Cryptography.po new file mode 100644 index 0000000..da529bb --- /dev/null +++ b/defensive-coding/en_US/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "Cryptography" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "Primitives" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "Chosing from the following cryptographic primitives is recommended:" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "RSA with 2048 bit keys and OAEP" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "AES-128 in CBC mode" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "SHA-256" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "HMAC-SHA-256" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "HMAC-SHA-1" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "Other cryptographic algorithms can be used if they are required for interoperability with existing software:" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "RSA with key sizes larger than 1024 and legacy padding" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "AES-192" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "AES-256" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "3DES (triple DES, with two or three 56 bit keys)" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "RC4 (but very, very strongly discouraged)" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "SHA-1" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "HMAC-MD5" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "Important" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "These primitives are difficult to use in a secure way. Custom implementation of security protocols should be avoided. For protecting confidentiality and integrity of network transmissions, TLS should be used ()." + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "Randomness" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "The following facilities can be used to generate unpredictable and non-repeating values. When these functions are used without special safeguards, each individual rnadom value should be at least 12 bytes long." + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "PK11_GenerateRandom in the NSS library (usable for high data rates)" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "RAND_bytes in the OpenSSL library (usable for high data rates)" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "gnutls_rnd in GNUTLS, with GNUTLS_RND_RANDOM as the first argument (usable for high data rates)" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "java.security.SecureRandom in Java (usable for high data rates)" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "os.urandom in Python" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "Reading from the /dev/urandom character device" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "All these functions should be non-blocking, and they should not wait until physical randomness becomes available. (Some cryptography providers for Java can cause java.security.SecureRandom to block, however.) Those functions which do not obtain all bits directly from /dev/urandom are suitable for high data rates because they do not deplete the system-wide entropy pool." + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "Difficult to use API" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "Both RAND_bytes and PK11_GenerateRandom have three-state return values (with conflicting meanings). Careful error checking is required. Please review the documentation when using these functions." + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "Other sources of randomness should be considered predictable." + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "Generating randomness for cryptographic keys in long-term use may need different steps and is best left to cryptographic libraries." diff --git a/defensive-coding/en_US/Tasks/Descriptors.po b/defensive-coding/en_US/Tasks/Descriptors.po new file mode 100644 index 0000000..101b229 --- /dev/null +++ b/defensive-coding/en_US/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "File Descriptor Management" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "File descriptors underlie all input/output mechanisms offered by the system. They are used to implementation the FILE *-based functions found in <stdio.h>, and all the file and network communication facilities provided by the Python and Java environments are eventually implemented in them." + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "File descriptors are small, non-negative integers in userspace, and are backed on the kernel side with complicated data structures which can sometimes grow very large." + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "Closing descriptors" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "If a descriptor is no longer used by a program and is not closed explicitly, its number cannot be reused (which is problematic in itself, see ), and the kernel resources are not freed. Therefore, it is important to close all descriptors at the earlierst point in time possible, but not earlier." + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "Error handling during descriptor close" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "The close system call is always successful in the sense that the passed file descriptor is never valid after the function has been called. However, close still can return an error, for example if there was a file system failure. But this error is not very useful because the absence of an error does not mean that all caches have been emptied and previous writes have been made durable. Programs which need such guarantees must open files with O_SYNC or use fsync or fdatasync, and may also have to fsync the directory containing the file." + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "Closing descriptors and race conditions" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "Unlike process IDs, which are recycle only gradually, the kernel always allocates the lowest unused file descriptor when a new descriptor is created. This means that in a multi-threaded program which constantly opens and closes file descriptors, descriptors are reused very quickly. Unless descriptor closing and other operations on the same file descriptor are synchronized (typically, using a mutex), there will be race coniditons and I/O operations will be applied to the wrong file descriptor." + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "Sometimes, it is necessary to close a file descriptor concurrently, while another thread might be about to use it in a system call. In order to support this, a program needs to create a single special file descriptor, one on which all I/O operations fail. One way to achieve this is to use socketpair, close one of the descriptors, and call shutdown(fd, SHUTRDWR) on the other." + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "When a descriptor is closed concurrently, the program does not call close on the descriptor. Instead it program uses dup2 to replace the descriptor to be closed with the dummy descriptor created earlier. This way, the kernel will not reuse the descriptor, but it will carry out all other steps associated with calling a descriptor (for instance, if the descriptor refers to a stream socket, the peer will be notified)." + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "This is just a sketch, and many details are missing. Additional data structures are needed to determine when it is safe to really close the descriptor, and proper locking is required for that." + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "Lingering state after close" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "By default, closing a stream socket returns immediately, and the kernel will try to send the data in the background. This means that it is impossible to implement accurate accounting of network-related resource utilization from userspace." + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "The SO_LINGER socket option alters the behavior of close, so that it will return only after the lingering data has been processed, either by sending it to the peer successfully, or by discarding it after the configured timeout. However, there is no interface which could perform this operation in the background, so a separate userspace thread is needed for each close call, causing scalability issues." + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "Currently, there is no application-level countermeasure which applies universally. Mitigation is possible with iptables (the connlimit match type in particular) and specialized filtering devices for denial-of-service network traffic." + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "These problems are not related to the TIME_WAIT state commonly seen in netstat output. The kernel automatically expires such sockets if necessary." + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "Preventing file descriptor leaks to child processes" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "Child processes created with fork share the initial set of file descriptors with their parent process. By default, file descriptors are also preserved if a new process image is created with execve (or any of the other functions such as system or posix_spawn)." + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "Usually, this behavior is not desirable. There are two ways to turn it off, that is, to prevent new process images from inheriting the file descriptors in the parent process:" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "Set the close-on-exec flag on all newly created file descriptors. Traditionally, this flag is controlled by the FD_CLOEXEC flag, using F_GETFD and F_SETFD operations of the fcntl function." + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "However, in a multi-threaded process, there is a race condition: a subprocess could have been created between the time the descriptor was created and the FD_CLOEXEC was set. Therefore, many system calls which create descriptors (such as open and openat) now accept the O_CLOEXEC flag (SOCK_CLOEXEC for socket and socketpair), which cause the FD_CLOEXEC flag to be set for the file descriptor in an atomic fashion. In addition, a few new systems calls were introduced, such as pipe2 and dup3." + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "The downside of this approach is that every descriptor needs to receive special treatment at the time of creation, otherwise it is not completely effective." + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "After calling fork, but before creating a new process image with execve, all file descriptors which the child process will not need are closed." + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "Traditionally, this was implemented as a loop over file descriptors ranging from 3 to 255 and later 1023. But this is only an approximatio because it is possible to create file descriptors outside this range easily (see ). Another approach reads /proc/self/fd and closes the unexpected descriptors listed there, but this approach is much slower." + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "At present, environments which care about file descriptor leakage implement the second approach. OpenJDK 6 and 7 are among them." + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "Dealing with the select limit" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "By default, a user is allowed to open only 1024 files in a single process, but the system administrator can easily change this limit (which is necessary for busy network servers). However, there is another restriction which is more difficult to overcome." + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "The select function only supports a maximum of FD_SETSIZE file descriptors (that is, the maximum permitted value for a file descriptor is FD_SETSIZE - 1, usually 1023.) If a process opens many files, descriptors may exceed such limits. It is impossible to query such descriptors using select." + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "If a library which creates many file descriptors is used in the same process as a library which uses select, at least one of them needs to be changed. Calls to select can be replaced with calls to poll or another event handling mechanism." + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "Alternatively, the library with high descriptor usage can relocate descriptors above the FD_SETSIZE limit using the following procedure." + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "Create the file descriptor fd as usual, preferably with the O_CLOEXEC flag." + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "Before doing anything else with the descriptor fd, invoke:" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "\n\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n\t" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "Check that newfd result is non-negative, otherwise close fd and report an error, and return." + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "Close fd and continue to use newfd." + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "The new descriptor has been allocated above the FD_SETSIZE. Even though this algorithm is racy in the sense that the FD_SETSIZE first descriptors could fill up, a very high degree of physical parallelism is required before this becomes a problem." diff --git a/defensive-coding/en_US/Tasks/File_System.po b/defensive-coding/en_US/Tasks/File_System.po new file mode 100644 index 0000000..1f5ecdb --- /dev/null +++ b/defensive-coding/en_US/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "File system manipulation" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "In this chapter, we discuss general file system manipulation, with a focus on access files and directories to which an other, potentially untrusted user has write access." + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "Temporary files are covered in their own chapter, ." + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "Working with files and directories owned by other users" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "Sometimes, it is necessary to operate on files and directories owned by other (potentially untrusted) users. For example, a system administrator could remove the home directory of a user, or a package manager could update a file in a directory which is owned by an application-specific user. This differs from accessing the file system as a specific user; see ." + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "Accessing files across trust boundaries faces several challenges, particularly if an entire directory tree is being traversed:" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "Another user might add file names to a writable directory at any time. This can interfere with file creation and the order of names returned by readdir." + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "Merely opening and closing a file can have side effects. For instance, an automounter can be triggered, or a tape device rewound. Opening a file on a local file system can block indefinitely, due to mandatory file locking, unless the O_NONBLOCK flag is specified." + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "Hard links and symbolic links can redirect the effect of file system operations in unexpected ways. The O_NOFOLLOW and AT_SYMLINK_NOFOLLOW variants of system calls only affected final path name component." + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "The structure of a directory tree can change. For example, the parent directory of what used to be a subdirectory within the directory tree being processed could suddenly point outside that directory tree." + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "Files should always be created with the O_CREAT and O_EXCL flags, so that creating the file will fail if it already exists. This guards against the unexpected appearance of file names, either due to creation of a new file, or hard-linking of an existing file. In multi-threaded programs, rather than manipulating the umask, create the files with mode 000 if possible, and adjust it afterwards with fchmod." + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "To avoid issues related to symbolic links and directory tree restructuring, the “at” variants of system calls have to be used (that is, functions like openat, fchownat, fchmodat, and unlinkat, together with O_NOFOLLOW or AT_SYMLINK_NOFOLLOW). Path names passed to these functions must have just a single component (that is, without a slash). When descending, the descriptors of parent directories must be kept open. The missing opendirat function can be emulated with openat (with an O_DIRECTORY flag, to avoid opening special files with side effects), followed by fdopendir." + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "If the “at” functions are not available, it is possible to emulate them by changing the current directory. (Obviously, this only works if the process is not multi-threaded.) fchdir has to be used to change the current directory, and the descriptors of the parent directories have to be kept open, just as with the “at”-based approach. chdir(\"...\") is unsafe because it might ascend outside the intended directory tree." + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "This “at” function emulation is currently required when manipulating extended attributes. In this case, the lsetxattr function can be used, with a relative path name consisting of a single component. This also applies to SELinux contexts and the lsetfilecon function." + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "Currently, it is not possible to avoid opening special files and changes to files with hard links if the directory containing them is owned by an untrusted user. (Device nodes can be hard-linked, just as regular files.) fchmodat and fchownat affect files whose link count is greater than one. But opening the files, checking that the link count is one with fstat, and using fchmod and fchown on the file descriptor may have unwanted side effects, due to item 2 above. When creating directories, it is therefore important to change the ownership and permissions only after it has been fully created. Until that point, file names are stable, and no files with unexpected hard links can be introduced." + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "Similarly, when just reading a directory owned by an untrusted user, it is currently impossible to reliably avoid opening special files." + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "There is no workaround against the instability of the file list returned by readdir. Concurrent modification of the directory can result in a list of files being returned which never actually existed on disk." + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "Hard links and symbolic links can be safely deleted using unlinkat without further checks because deletion only affects the name within the directory tree being processed." + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "Accessing the file system as a different user" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "This section deals with access to the file system as a specific user. This is different from accessing files and directories owned by a different, potentially untrusted user; see ." + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "One approach is to spawn a child process which runs under the target user and group IDs (both effective and real IDs). Note that this child process can block indefinitely, even when processing regular files only. For example, a special FUSE file system could cause the process to hang in uninterruptible sleep inside a stat system call." + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "An existing process could change its user and group ID using setfsuid and setfsgid. (These functions are preferred over seteuid and setegid because they do not allow the impersonated user to send signals to the process.) These functions are not thread safe. In multi-threaded processes, these operations need to be performed in a single-threaded child process. Unexpected blocking may occur as well." + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "It is not recommended to try to reimplement the kernel permission checks in user space because the required checks are complex. It is also very difficult to avoid race conditions during path name resolution." + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "File system limits" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "For historical reasons, there are preprocessor constants such as PATH_MAX, NAME_MAX. However, on most systems, the length of canonical path names (absolute path names with all symbolic links resolved, as returned by realpath or canonicalize_file_name) can exceed PATH_MAX bytes, and individual file name components can be longer than NAME_MAX. This is also true of the _PC_PATH_MAX and _PC_NAME_MAX values returned by pathconf, and the f_namemax member of struct statvfs. Therefore, these constants should not be used. This is also reason why the readdir_r should never be used (instead, use readdir)." + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "You should not write code in a way that assumes that there is an upper limit on the number of subdirectories of a directory, the number of regular files in a directory, or the link count of an inode." + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "File system features" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "Not all file systems support all features. This makes it very difficult to write general-purpose tools for copying files. For example, a copy operation intending to preserve file permissions will generally fail when copying to a FAT file system." + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "Some file systems are case-insensitive. Most should be case-preserving, though." + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "Name length limits vary greatly, from eight to thousands of bytes. Path length limits differ as well. Most systems impose an upper bound on path names passed to the kernel, but using relative path names, it is possible to create and access files whose absolute path name is essentially of unbounded length." + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "Some file systems do not store names as fairly unrestricted byte sequences, as it has been traditionally the case on GNU systems. This means that some byte sequences (outside the POSIX safe character set) are not valid names. Conversely, names of existing files may not be representable as byte sequences, and the files are thus inaccessible on GNU systems. Some file systems perform Unicode canonicalization on file names. These file systems preserve case, but reading the name of a just-created file using readdir might still result in a different byte sequence." + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "Permissions and owners are not universally supported (and SUID/SGID bits may not be available). For example, FAT file systems assign ownership based on a mount option, and generally mark all files as executable. Any attempt to change permissions would result in an error." + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "Non-regular files (device nodes, FIFOs) are not generally available." + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "Only on some file systems, files can have holes, that is, not all of their contents is backed by disk storage." + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "ioctl support (even fairly generic functionality such as FIEMAP for discovering physical file layout and holes) is file-system-specific." + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "Not all file systems support extended attributes, ACLs and SELinux metadata. Size and naming restriction on extended attributes vary." + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "Hard links may not be supported at all (FAT) or only within the same directory (AFS). Symbolic links may not be available, either. Reflinks (hard links with copy-on-write semantics) are still very rare. Recent systems restrict creation of hard links to users which own the target file or have read/write access to it, but older systems do not." + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "Renaming (or moving) files using rename can fail (even when stat indicates that the source and target directories are located on the same file system). This system call should work if the old and new paths are located in the same directory, though." + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "Locking semantics vary among file systems. This affects advisory and mandatory locks. For example, some network file systems do not allow deleting files which are opened by any process." + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "Resolution of time stamps varies from two seconds to nanoseconds. Not all time stamps are available on all file systems. File creation time (birth time) is not exposed over the stat/fstat interface, even if stored by the file system." + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "Checking free space" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "The statvfs and fstatvfs functions allow programs to examine the number of available blocks and inodes, through the members f_bfree, f_bavail, f_ffree, and f_favail of struct statvfs. Some file systems return fictional values in the f_ffree and f_favail fields, so the only reliable way to discover if the file system still has space for a file is to try to create it. The f_bfree field should be reasonably accurate, though." diff --git a/defensive-coding/en_US/Tasks/Library_Design.po b/defensive-coding/en_US/Tasks/Library_Design.po new file mode 100644 index 0000000..4eb7e13 --- /dev/null +++ b/defensive-coding/en_US/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "Library Design" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "Throught this section, the term client code refers to applications and other libraries using the library." + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "State management" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "Global state" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "Global state should be avoided." + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "If this is impossible, the global state must be protected with a lock. For C/C++, you can use the pthread_mutex_lock and pthread_mutex_unlock functions without linking against -lpthread because the system provides stubs for non-threaded processes." + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "For compatibility with fork, these locks should be acquired and released in helpers registered with pthread_atfork. This function is not available without -lpthread, so you need to use dlsym or a weak symbol to obtain its address." + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "If you need fork protection for other reasons, you should store the process ID and compare it to the value returned by getpid each time you access the global state. (getpid is not implemented as a system call and is fast.) If the value changes, you know that you have to re-create the state object. (This needs to be combined with locking, of course.)" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "Handles" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "Library state should be kept behind a curtain. Client code should receive only a handle. In C, the handle can be a pointer to an incomplete struct. In C++, the handle can be a pointer to an abstract base class, or it can be hidden using the pointer-to-implementation idiom." + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "The library should provide functions for creating and destroying handles. (In C++, it is possible to use virtual destructors for the latter.) Consistency between creation and destruction of handles is strongly recommended: If the client code created a handle, it is the responsibility of the client code to destroy it. (This is not always possible or convenient, so sometimes, a transfer of ownership has to happen.)" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "Using handles ensures that it is possible to change the way the library represents state in a way that is transparent to client code. This is important to facilitate security updates and many other code changes." + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "It is not always necessary to protect state behind a handle with a lock. This depends on the level of thread safety the library provides." + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "Object orientation" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "Classes should be either designed as base classes, or it should be impossible to use them as base classes (like final classes in Java). Classes which are not designed for inheritance and are used as base classes nevertheless create potential maintenance hazards because it is difficult to predict how client code will react when calls to virtual methods are added, reordered or removed." + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "Virtual member functions can be used as callbacks. See for some of the challenges involved." + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "Callbacks" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "Higher-order code is difficult to analyze for humans and computers alike, so it should be avoided. Often, an iterator-based interface (a library function which is called repeatedly by client code and returns a stream of events) leads to a better design which is easier to document and use." + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "If callbacks are unavoidable, some guidelines for them follow." + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "In modern C++ code, std::function objects should be used for callbacks." + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "In older C++ code and in C code, all callbacks must have an additional closure parameter of type void *, the value of which can be specified by client code. If possible, the value of the closure parameter should be provided by client code at the same time a specific callback is registered (or specified as a function argument). If a single closure parameter is shared by multiple callbacks, flexibility is greatly reduced, and conflicts between different pieces of client code using the same library object could be unresolvable. In some cases, it makes sense to provide a de-registration callback which can be used to destroy the closure parameter when the callback is no longer used." + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "Callbacks can throw exceptions or call longjmp. If possible, all library objects should remain in a valid state. (All further operations on them can fail, but it should be possible to deallocate them without causing resource leaks.)" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "The presence of callbacks raises the question if functions provided by the library are reentrant. Unless a library was designed for such use, bad things will happen if a callback function uses functions in the same library (particularly if they are invoked on the same objects and manipulate the same state). When the callback is invoked, the library can be in an inconsistent state. Reentrant functions are more difficult to write than thread-safe functions (by definition, simple locking would immediately lead to deadlocks). It is also difficult to decide what to do when destruction of an object which is currently processing a callback is requested." + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "Process attributes" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "Several attributes are global and affect all code in the process, not just the library that manipulates them." + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "environment variables (see )" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "umask" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "user IDs, group IDs and capabilities" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "current working directory" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "signal handlers, signal masks and signal delivery" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "file locks (especially fcntl locks behave in surprising ways, not just in a multi-threaded environment)" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "Library code should avoid manipulating these global process attributes. It should not rely on environment variables, umask, the current working directory and signal masks because these attributes can be inherted from an untrusted source." + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "In addition, there are obvious process-wide aspects such as the virtual memory layout, the set of open files and dynamic shared objects, but with the exception of shared objects, these can be manipulated in a relatively isolated way." diff --git a/defensive-coding/en_US/Tasks/Processes.po b/defensive-coding/en_US/Tasks/Processes.po new file mode 100644 index 0000000..2e65f20 --- /dev/null +++ b/defensive-coding/en_US/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "Processes" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "Safe process creation" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "This section describes how to create new child processes in a safe manner. In addition to the concerns addressed below, there is the possibility of file descriptor leaks, see ." + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "Obtaining the program path and the command line template" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "The name and path to the program being invoked should be hard-coded or controlled by a static configuration file stored at a fixed location (at an file system absolute path). The same applies to the template for generating the command line." + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "The configured program name should be an absolute path. If it is a relative path, the contents of the PATH must be obtained in s secure manner (see ). If the PATH variable is not set or untrusted, the safe default /bin:/usr/bin must be used." + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "If too much flexibility is provided here, it may allow invocation of arbitrary programs without proper authorization." + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "Bypassing the shell" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "Child processes should be created without involving the system shell." + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "For C/C++, system should not be used. The posix_spawn function can be used instead, or a combination fork and execve. (In some cases, it may be preferable to use vfork or the Linux-specific clone system call instead of fork.)" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "In Python, the subprocess module bypasses the shell by default (when the shell keyword argument is not set to true). os.system should not be used." + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "The Java class java.lang.ProcessBuilder can be used to create subprocesses without interference from the system shell." + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "Portability notice" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "On Windows, there is no argument vector, only a single argument string. Each application is responsible for parsing this string into an argument vector. There is considerable variance among the quoting style recognized by applications. Some of them expand shell wildcards, others do not. Extensive application-specific testing is required to make this secure." + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "Note that some common applications (notably ssh) unconditionally introduce the use of a shell, even if invoked directly without a shell. It is difficult to use these applications in a secure manner. In this case, untrusted data should be supplied by other means. For example, standard input could be used, instead of the command line." + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "Specifying the process environment" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "Child processes should be created with a minimal set of environment variables. This is absolutely essential if there is a trust transition involved, either when the parent process was created, or during the creation of the child process." + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "In C/C++, the environment should be constructed as an array of strings and passed as the envp argument to posix_spawn or execve. The functions setenv, unsetenv and putenv should not be used. They are not thread-safe and suffer from memory leaks." + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "Python programs need to specify a dict for the the env argument of the subprocess.Popen constructor. The Java class java.lang.ProcessBuilder provides a environment() method, which returns a map that can be manipulated." + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "The following list provides guidelines for selecting the set of environment variables passed to the child process." + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "PATH should be initialized to /bin:/usr/bin." + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "USER and HOME can be inhereted from the parent process environment, or they can be initialized from the pwent structure for the user." + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "The DISPLAY and XAUTHORITY variables should be passed to the subprocess if it is an X program. Note that this will typically not work across trust boundaries because XAUTHORITY refers to a file with 0600 permissions." + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "The location-related environment variables LANG, LANGUAGE, LC_ADDRESS, LC_ALL, LC_COLLATE, LC_CTYPE, LC_IDENTIFICATION, LC_MEASUREMENT, LC_MESSAGES, LC_MONETARY, LC_NAME, LC_NUMERIC, LC_PAPER, LC_TELEPHONE and LC_TIME can be passed to the subprocess if present." + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "The called process may need application-specific environment variables, for example for passing passwords. (See .)" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "All other environment variables should be dropped. Names for new environment variables should not be accepted from untrusted sources." + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "Robust argument list processing" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "When invoking a program, it is sometimes necessary to include data from untrusted sources. Such data should be check against embedded NUL characters because the system APIs will sliently truncate argument strings at the first NUL character." + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "The following recommendations assume that the program being invoked uses GNU-style option processing using getopt_long. This convention is widely used, but it is just that, and individual programs might interpret a command line in a different way." + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "If the untrusted data has to go into an option, use the --option-name=VALUE syntax, placing the option and its value into the same command line argument. This avoids any potential confusion if the data starts with -." + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "For positional arguments, terminate the option list with a single marker after the last option, and include the data at the right position. The marker terminates option processing, and the data will not be treated as an option even if it starts with a dash." + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "Passing secrets to subprocesses" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "The command line (the name of the program and its argument) of a running process is traditionally available to all local users. The called program can overwrite this information, but only after it has run for a bit of time, during which the information may have been read by other processes. However, on Linux, the process environment is restricted to the user who runs the process. Therefore, if you need a convenient way to pass a password to a child process, use an environment variable, and not a command line argument. (See .)" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "On some UNIX-like systems (notably Solaris), environment variables can be read by any system user, just like command lines." + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "If the environment-based approach cannot be used due to portability concerns, the data can be passed on standard input. Some programs (notably gpg) use special file descriptors whose numbers are specified on the command line. Temporary files are an option as well, but they might give digital forensics access to sensitive data (such as passphrases) because it is difficult to safely delete them in all cases." + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "Handling child process termination" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "When child processes terminate, the parent process is signalled. A stub of the terminated processes (a zombie, shown as <defunct> by ps) is kept around until the status information is collected (reaped) by the parent process. Over the years, several interfaces for this have been invented:" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "The parent process calls wait, waitpid, waitid, wait3 or wait4, without specifying a process ID. This will deliver any matching process ID. This approach is typically used from within event loops." + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "The parent process calls waitpid, waitid, or wait4, with a specific process ID. Only data for the specific process ID is returned. This is typically used in code which spawns a single subprocess in a synchronous manner." + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "The parent process installs a handler for the SIGCHLD signal, using sigaction, and specifies to the SA_NOCLDWAIT flag. This approach could be used by event loops as well." + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "None of these approaches can be used to wait for child process terminated in a completely thread-safe manner. The parent process might execute an event loop in another thread, which could pick up the termination signal. This means that libraries typically cannot make free use of child processes (for example, to run problematic code with reduced privileges in a separate address space)." + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "At the moment, the parent process should explicitly wait for termination of the child process using waitpid or waitpid, and hope that the status is not collected by an event loop first." + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "SUID/SGID processes" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "Programs can be marked in the file system to indicate to the kernel that a trust transition should happen if the program is run. The SUID file permission bit indicates that an executable should run with the effective user ID equal to the owner of the executable file. Similarly, with the SGID bit, the effective group ID is set to the group of the executable file." + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "Linux supports fscaps, which can grant additional capabilities to a process in a finer-grained manner. Additional mechanisms can be provided by loadable security modules." + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "When such a trust transition has happened, the process runs in a potentially hostile environment. Additional care is necessary not to rely on any untrusted information. These concerns also apply to libraries which can be linked into such processes." + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "Accessing environment variables" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "The following steps are required so that a program does not accidentally pick up untrusted data from environment variables." + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "Compile your C/C++ sources with -D_GNU_SOURCE. The Autoconf macro AC_GNU_SOURCE ensures this." + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "Check for the presence of the secure_getenv and __secure_getenv function. The Autoconf directive AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs these checks." + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "Arrange for a proper definition of the secure_getenv function. See ." + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "Use secure_getenv instead of getenv to obtain the value of critical environment variables. secure_getenv will pretend the variable has not bee set if the process environment is not trusted." + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "Critical environment variables are debugging flags, configuration file locations, plug-in and log file locations, and anything else that might be used to bypass security restrictions or cause a privileged process to behave in an unexpected way." + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "Either the secure_getenv function or the __secure_getenv is available from GNU libc." + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "Obtaining a definition for secure_getenv" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "\n\n#include <stdlib.h>\n\n#ifndef HAVE_SECURE_GETENV\n# ifdef HAVE__SECURE_GETENV\n# define secure_getenv __secure_getenv\n# else\n# error neither secure_getenv nor __secure_getenv are available\n# endif\n#endif\n\n\t" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "Daemons" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "Background processes providing system services (daemons) need to decouple themselves from the controlling terminal and the parent process environment:" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "Fork." + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "In the child process, call setsid. The parent process can simply exit (using _exit, to avoid running clean-up actions twice)." + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "In the child process, fork again. Processing continues in the child process. Again, the parent process should just exit." + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "Replace the descriptors 0, 1, 2 with a descriptor for /dev/null. Logging should be redirected to syslog." + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "Older instructions for creating daemon processes recommended a call to umask(0). This is risky because it often leads to world-writable files and directories, resulting in security vulnerabilities such as arbitrary process termination by untrusted local users, or log file truncation. If the umask needs setting, a restrictive value such as 027 or 077 is recommended." + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "Other aspects of the process environment may have to changed as well (environment variables, signal handler disposition)." + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "It is increasingly common that server processes do not run as background processes, but as regular foreground process under a supervising master process (such as systemd). Server processes should offer a command line option which disables forking and replacement of the standard output and standard error streams. Such an option is also useful for debugging." + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "Semantics of command line arguments" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "After process creation and option processing, it is up to the child process to interpret the arguments. Arguments can be file names, host names, or URLs, and many other things. URLs can refer to the local network, some server on the Internet, or to the local file system. Some applications even accept arbitrary code in arguments (for example, python with the option)." + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "Similar concerns apply to environment variables, the contents of the current directory and its subdirectories." + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "Consequently, careful analysis is required if it is safe to pass untrusted data to another program." + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "fork as a primitive for parallelism" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "A call to fork which is not immediately followed by a call to execve (perhaps after rearranging and closing file descriptors) is typically unsafe, especially from a library which does not control the state of the entire process. Such use of fork should be replaced with proper child processes or threads." diff --git a/defensive-coding/en_US/Tasks/Serialization.po b/defensive-coding/en_US/Tasks/Serialization.po new file mode 100644 index 0000000..e6eb94d --- /dev/null +++ b/defensive-coding/en_US/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "Serialization and Deserialization" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "Protocol decoders and file format parsers are often the most-exposed part of an application because they are exposed with little or no user interaction and before any authentication and security checks are made. They are also difficult to write robustly in languages which are not memory-safe." + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "Recommendations for manually written decoders" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "For C and C++, the advice in applies. In addition, avoid non-character pointers directly into input buffers. Pointer misalignment causes crashes on some architectures." + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "When reading variable-sized objects, do not allocate large amounts of data solely based on the value of a size field. If possible, grow the data structure as more data is read from the source, and stop when no data is available. This helps to avoid denial-of-service attacks where little amounts of input data results in enormous memory allocations during decoding. Alternatively, you can impose reasonable bounds on memory allocations, but some protocols do not permit this." + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "Protocol design" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "Binary formats with explicit length fields are more difficult to parse robustly than those where the length of dynamically-sized elements is derived from sentinel values. A protocol which does not use length fields and can be written in printable ASCII characters simplifies testing and debugging. However, binary protocols with length fields may be more efficient to parse." + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "Library support for deserialization" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "For some languages, generic libraries are available which allow to serialize and deserialize user-defined objects. The deserialization part comes in one of two flavors, depending on the library. The first kind uses type information in the data stream to control which objects are instantiated. The second kind uses type definitions supplied by the programmer. The first one allows arbitrary object instantiation, the second one generally does not." + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "The following serialization frameworks are in the first category, are known to be unsafe, and must not be used for untrusted data:" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "Python's pickle and cPickle modules" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "Perl's Storable package" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "Java serialization (java.io.ObjectInputStream)" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "PHP serialization (unserialize)" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "Most implementations of YAML" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "When using a type-directed deserialization format where the types of the deserialized objects are specified by the programmer, make sure that the objects which can be instantiated cannot perform any destructive actions in their destructors, even when the data members have been manipulated." + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "JSON decoders do not suffer from this problem. But you must not use the eval function to parse JSON objects in Javascript; even with the regular expression filter from RFC 4627, there are still information leaks remaining." + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "XML serialization" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "External references" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "XML documents can contain external references. They can occur in various places." + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "In the DTD declaration in the header of an XML document:" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "\n<!DOCTYPE html PUBLIC\n \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n\t " + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "In a namespace declaration:" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "\n<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n\t " + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "In an entity defintion:" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "\n<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n \"http://www.example.com/pub-ent.xml\">\n\t " + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "In a notation:" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "\n<!NOTATION not SYSTEM \"../not.xml\">\n\t " + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "Originally, these external references were intended as unique identifiers, but by many XML implementations, they are used for locating the data for the referenced element. This causes unwanted network traffic, and may disclose file system contents or otherwise unreachable network resources, so this functionality should be disabled." + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "Depending on the XML library, external referenced might be processed not just when parsing XML, but also when generating it." + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "Entity expansion" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "When external DTD processing is disabled, an internal DTD subset can still contain entity definitions. Entity declarations can reference other entities. Some XML libraries expand entities automatically, and this processing cannot be switched off in some places (such as attribute values or content models). Without limits on the entity nesting level, this expansion results in data which can grow exponentially in length with size of the input. (If there is a limit on the nesting level, the growth is still polynomial, unless further limits are imposed.)" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "Consequently, the processing internal DTD subsets should be disabled if possible, and only trusted DTDs should be processed. If a particular XML application does not permit such restrictions, then application-specific limits are called for." + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "XInclude processing" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "XInclude processing can reference file and network resources and include them into the document, much like external entity references. When parsing untrusted XML documents, XInclude processing should be truned off." + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "XInclude processing is also fairly complex and may pull in support for the XPointer and XPath specifications, considerably increasing the amount of code required for XML processing." + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "Algorithmic complexity of XML validation" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "DTD-based XML validation uses regular expressions for content models. The XML specification requires that content models are deterministic, which means that efficient validation is possible. However, some implementations do not enforce determinism, and require exponential (or just polynomial) amount of space or time for validating some DTD/document combinations." + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "XML schemas and RELAX NG (via the xsd: prefix) directly support textual regular expressions which are not required to be deterministic." + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "Using Expat for XML parsing" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "By default, Expat does not try to resolve external IDs, so no steps are required to block them. However, internal entity declarations are processed. Installing a callback which stops parsing as soon as such entities are encountered disables them, see . Expat does not perform any validation, so there are no problems related to that." + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "Disabling XML entity processing with Expat" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "This handler must be installed when the XML_Parser object is created ()." + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "Creating an Expat XML parser" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "It is also possible to reject internal DTD subsets altogeher, using a suitable XML_StartDoctypeDeclHandler handler installed with XML_SetDoctypeDeclHandler." + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "Using OpenJDK for XML parsing and validation" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based document parsing. Documents can be validated against DTDs or XML schemas." + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "The approach taken to deal with entity expansion differs from the general recommendation in . We enable the the feature flag javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which enforces heuristic restrictions on the number of entity expansions. Note that this flag alone does not prevent resolution of external references (system IDs or public IDs), so it is slightly misnamed." + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "In the following sections, we use helper classes to prevent external ID resolution." + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "Helper class to prevent DTD external entity resolution in OpenJDK" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "Helper class to prevent schema resolution in OpenJDK" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr " shows the imports used by the examples." + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "Java imports for OpenJDK XML parsing" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "DOM-based XML parsing and DTD validation in OpenJDK" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "This approach produces a org.w3c.dom.Document object from an input stream. use the data from the java.io.InputStream instance in the inputStream variable." + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "DOM-based XML parsing in OpenJDK" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "External entity references are prohibited using the NoEntityResolver class in . Because external DTD references are prohibited, DTD validation (if enabled) will only happen against the internal DTD subset embedded in the XML document." + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "To validate the document against an external DTD, use a javax.xml.transform.Transformer class to add the DTD reference to the document, and an entity resolver which whitelists this external reference." + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "XML Schema validation in OpenJDK" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr " shows how to validate a document against an XML Schema, using a SAX-based approach. The XML data is read from an java.io.InputStream in the inputStream variable." + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "SAX-based validation against an XML schema in OpenJDK" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "The NoResourceResolver class is defined in ." + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "If you need to validate a document against an XML schema, use the code in to create the document, but do not enable validation at this point. Then use to perform the schema-based validation on the org.w3c.dom.Document instance document." + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "Validation of a DOM document against an XML schema in OpenJDK" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "Protocol Encoders" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "For protocol encoders, you should write bytes to a buffer which grows as needed, using an exponential sizing policy. Explicit lengths can be patched in later, once they are known. Allocating the required number of bytes upfront typically requires separate code to compute the final size, which must be kept in sync with the actual encoding step, or vulnerabilities may result. In multi-threaded code, parts of the object being deserialized might change, so that the computed size is out of date." + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "You should avoid copying data directly from a received packet during encoding, disregarding the format. Propagating malformed data could enable attacks on other recipients of that data." + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "When using C or C++ and copying whole data structures directly into the output, make sure that you do not leak information in padding bytes between fields or at the end of the struct." diff --git a/defensive-coding/en_US/Tasks/Temporary_Files.po b/defensive-coding/en_US/Tasks/Temporary_Files.po new file mode 100644 index 0000000..ace4f2b --- /dev/null +++ b/defensive-coding/en_US/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "Temporary files" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "In this chapter, we describe how to create temporary files and directories, how to remove them, and how to work with programs which do not create files in ways that a safe with a shared directory for temporary files. General file system manipulation is treated in a separate chapter, ." + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "Secure creation of temporary files has four different aspects." + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "The location of the directory for temporary files must be obtained in a secure manner (that is, untrusted environment variables must be ignored, see )." + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "A new file must be created. Reusing an existing file must be avoided (the /tmp race condition). This is tricky because traditionally, system-wide temporary directories shared by all users are used." + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "The file must be created in a way that makes it impossible for other users to open it." + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "The descriptor for the temporary file should not leak to subprocesses." + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "All functions mentioned below will take care of these aspects." + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "Traditionally, temporary files are often used to reduce memory usage of programs. More and more systems use RAM-based file systems such as tmpfs for storing temporary files, to increase performance and decrease wear on Flash storage. As a result, spooling data to temporary files does not result in any memory savings, and the related complexity can be avoided if the data is kept in process memory." + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "Obtaining the location of temporary directory" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "Some functions below need the location of a directory which stores temporary files. For C/C++ programs, use the following steps to obtain that directory:" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "Use secure_getenv to obtain the value of the TMPDIR environment variable. If it is set, convert the path to a fully-resolved absolute path, using realpath(path, NULL). Check if the new path refers to a directory and is writeable. In this case, use it as the temporary directory." + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "Fall back to /tmp." + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "In Python, you can use the tempfile.tempdir variable." + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "Java does not support SUID/SGID programs, so you can use the java.lang.System.getenv(String) method to obtain the value of the TMPDIR environment variable, and follow the two steps described above. (Java's default directory selection does not honor TMPDIR.)" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "Named temporary files" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "The mkostemp function creates a named temporary file. You should specify the O_CLOEXEC flag to avoid file descriptor leaks to subprocesses. (Applications which do not use multiple threads can also use mkstemp, but libraries should use mkostemp.) For determining the directory part of the file name pattern, see ." + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "The file is not removed automatically. It is not safe to rename or delete the file before processing, or transform the name in any way (for example, by adding a file extension). If you need multiple temporary files, call mkostemp multiple times. Do not create additional file names derived from the name provided by a previous mkostemp call. However, it is safe to close the descriptor returned by mkostemp and reopen the file using the generated name." + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "The Python class tempfile.NamedTemporaryFile provides similar functionality, except that the file is deleted automatically by default. Note that you may have to use the file attribute to obtain the actual file object because some programming interfaces cannot deal with file-like objects. The C function mkostemp is also available as tempfile.mkstemp." + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "In Java, you can use the java.io.File.createTempFile(String, String, File) function, using the temporary file location determined according to . Do not use java.io.File.deleteOnExit() to delete temporary files, and do not register a shutdown hook for each temporary file you create. In both cases, the deletion hint cannot be removed from the system if you delete the temporary file prior to termination of the VM, causing a memory leak." + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "Temporary files without names" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "The tmpfile function creates a temporary file and immediately deletes it, while keeping the file open. As a result, the file lacks a name and its space is deallocated as soon as the file descriptor is closed (including the implicit close when the process terminates). This avoids cluttering the temporary directory with orphaned files." + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "Alternatively, if the maximum size of the temporary file is known beforehand, the fmemopen function can be used to create a FILE * object which is backed by memory." + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "In Python, unnamed temporary files are provided by the tempfile.TemporaryFile class, and the tempfile.SpooledTemporaryFile class provides a way to avoid creation of small temporary files." + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "Java does not support unnamed temporary files." + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "Temporary directories" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "The mkdtemp function can be used to create a temporary directory. (For determining the directory part of the file name pattern, see .) The directory is not automatically removed. In Python, this function is available as tempfile.mkdtemp. In Java 7, temporary directories can be created using the java.nio.file.Files.createTempDirectory(Path, String, FileAttribute...) function." + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "When creating files in the temporary directory, use automatically generated names, e.g., derived from a sequential counter. Files with externally provided names could be picked up in unexpected contexts, and crafted names could actually point outside of the tempoary directory (due to directory traversal)." + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "Removing a directory tree in a completely safe manner is complicated. Unless there are overriding performance concerns, the rm program should be used, with the and options." + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "Compensating for unsafe file creation" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "There are two ways to make a function or program which excepts a file name safe for use with temporary files. See , for details on subprocess creation." + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "Create a temporary directory and place the file there. If possible, run the program in a subprocess which uses the temporary directory as its current directory, with a restricted environment. Use generated names for all files in that temporary directory. (See .)" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "Create the temporary file and pass the generated file name to the function or program. This only works if the function or program can cope with a zero-length existing file. It is safe only under additional assumptions:" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "The function or program must not create additional files whose name is derived from the specified file name or are otherwise predictable." + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "The function or program must not delete the file before processing it." + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "It must not access any existing files in the same directory." + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "It is often difficult to check whether these additional assumptions are matched, therefore this approach is not recommended." diff --git a/defensive-coding/en_US/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..c12c439 --- /dev/null +++ b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "\nXML_Parser parser = XML_ParserCreate(\"UTF-8\");\nif (parser == NULL) {\n fprintf(stderr, \"XML_ParserCreate failed\n\");\n close(fd);\n exit(1);\n}\n// EntityDeclHandler needs a reference to the parser to stop\n// parsing.\nXML_SetUserData(parser, parser);\n// Disable entity processing, to inhibit entity expansion.\nXML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" diff --git a/defensive-coding/en_US/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..9ad1d01 --- /dev/null +++ b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "\n// Stop the parser when an entity declaration is encountered.\nstatic void\nEntityDeclHandler(void *userData,\n\t\t const XML_Char *entityName, int is_parameter_entity,\n\t\t const XML_Char *value, int value_length,\n\t\t const XML_Char *base, const XML_Char *systemId,\n\t\t const XML_Char *publicId, const XML_Char *notationName)\n{\n XML_StopParser((XML_Parser)userData, XML_FALSE);\n}\n" diff --git a/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..874bd5b --- /dev/null +++ b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "\nclass Errors implements ErrorHandler {\n @Override\n public void warning(SAXParseException exception) {\n exception.printStackTrace();\n }\n \n @Override\n public void fatalError(SAXParseException exception) {\n exception.printStackTrace();\n }\n \n @Override\n public void error(SAXParseException exception) {\n exception.printStackTrace();\n }\n}\n" diff --git a/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..3fe3c2d --- /dev/null +++ b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "\nimport javax.xml.XMLConstants;\nimport javax.xml.parsers.DocumentBuilder;\nimport javax.xml.parsers.DocumentBuilderFactory;\nimport javax.xml.parsers.ParserConfigurationException;\nimport javax.xml.parsers.SAXParser;\nimport javax.xml.parsers.SAXParserFactory;\nimport javax.xml.transform.dom.DOMSource;\nimport javax.xml.transform.sax.SAXSource;\nimport javax.xml.validation.Schema;\nimport javax.xml.validation.SchemaFactory;\nimport javax.xml.validation.Validator;\n\nimport org.w3c.dom.Document;\nimport org.w3c.dom.ls.LSInput;\nimport org.w3c.dom.ls.LSResourceResolver;\nimport org.xml.sax.EntityResolver;\nimport org.xml.sax.ErrorHandler;\nimport org.xml.sax.InputSource;\nimport org.xml.sax.SAXException;\nimport org.xml.sax.SAXParseException;\nimport org.xml.sax.XMLReader;\n" diff --git a/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..32706d0 --- /dev/null +++ b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "\nclass NoEntityResolver implements EntityResolver {\n @Override\n public InputSource resolveEntity(String publicId, String systemId)\n throws SAXException, IOException {\n // Throwing an exception stops validation.\n throw new IOException(String.format(\n \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n }\n}\n" diff --git a/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..2009e6e --- /dev/null +++ b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "\nclass NoResourceResolver implements LSResourceResolver {\n @Override\n public LSInput resolveResource(String type, String namespaceURI,\n String publicId, String systemId, String baseURI) {\n // Throwing an exception stops validation.\n throw new RuntimeException(String.format(\n \"resolution attempt: type=%s namespace=%s \" +\n \"publicId=%s systemId=%s baseURI=%s\",\n type, namespaceURI, publicId, systemId, baseURI));\n }\n}\n" diff --git a/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..0e076cc --- /dev/null +++ b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "\nDocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n// Impose restrictions on the complexity of the DTD.\nfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n\n// Turn on validation.\n// This step can be omitted if validation is not desired.\nfactory.setValidating(true);\n\n// Parse the document.\nDocumentBuilder builder = factory.newDocumentBuilder();\nbuilder.setEntityResolver(new NoEntityResolver());\nbuilder.setErrorHandler(new Errors());\nDocument document = builder.parse(inputStream);\n" diff --git a/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..c17bd59 --- /dev/null +++ b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "\nSchemaFactory factory = SchemaFactory.newInstance(\n XMLConstants.W3C_XML_SCHEMA_NS_URI);\n\n// This enables restrictions on schema complexity.\nfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n\n// The following line prevents resource resolution\n// by the schema itself.\nfactory.setResourceResolver(new NoResourceResolver());\n\nSchema schema = factory.newSchema(schemaFile);\n\nValidator validator = schema.newValidator();\n\n// This prevents external resource resolution.\nvalidator.setResourceResolver(new NoResourceResolver());\nvalidator.validate(new DOMSource(document));\n" diff --git a/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..0e48a12 --- /dev/null +++ b/defensive-coding/en_US/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: None\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: en_US\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "\nSchemaFactory factory = SchemaFactory.newInstance(\n XMLConstants.W3C_XML_SCHEMA_NS_URI);\n\n// This enables restrictions on the schema and document\n// complexity.\nfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n\n// This prevents resource resolution by the schema itself.\n// If the schema is trusted and references additional files,\n// this line must be omitted, otherwise loading these files\n// will fail.\nfactory.setResourceResolver(new NoResourceResolver());\n\nSchema schema = factory.newSchema(schemaFile);\nValidator validator = schema.newValidator();\n\n// This prevents external resource resolution.\nvalidator.setResourceResolver(new NoResourceResolver());\n\nvalidator.validate(new SAXSource(new InputSource(inputStream)));\n" diff --git a/defensive-coding/es-ES/Author_Group.po b/defensive-coding/es-ES/Author_Group.po new file mode 100644 index 0000000..915457c --- /dev/null +++ b/defensive-coding/es-ES/Author_Group.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +# vareli , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-14 07:50+0000\n" +"Last-Translator: vareli \n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "Florian" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "Weimer" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "Red Hat" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "Equipo de Seguridad del Producto" diff --git a/defensive-coding/es-ES/Book_Info.po b/defensive-coding/es-ES/Book_Info.po new file mode 100644 index 0000000..89fd78a --- /dev/null +++ b/defensive-coding/es-ES/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/es-ES/C/Allocators.po b/defensive-coding/es-ES/C/Allocators.po new file mode 100644 index 0000000..2f6a147 --- /dev/null +++ b/defensive-coding/es-ES/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/es-ES/C/C.po b/defensive-coding/es-ES/C/C.po new file mode 100644 index 0000000..cb1e51e --- /dev/null +++ b/defensive-coding/es-ES/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/es-ES/C/Libc.po b/defensive-coding/es-ES/C/Libc.po new file mode 100644 index 0000000..4fdb8ca --- /dev/null +++ b/defensive-coding/es-ES/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/es-ES/C/snippets/Arithmetic-add.po b/defensive-coding/es-ES/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..f4c4090 --- /dev/null +++ b/defensive-coding/es-ES/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/C/snippets/Arithmetic-mult.po b/defensive-coding/es-ES/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..7d76560 --- /dev/null +++ b/defensive-coding/es-ES/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/C/snippets/Pointers-remaining.po b/defensive-coding/es-ES/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..d7f79ca --- /dev/null +++ b/defensive-coding/es-ES/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/C/snippets/String-Functions-format.po b/defensive-coding/es-ES/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..0d9109f --- /dev/null +++ b/defensive-coding/es-ES/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/C/snippets/String-Functions-snprintf.po b/defensive-coding/es-ES/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..b074556 --- /dev/null +++ b/defensive-coding/es-ES/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/es-ES/C/snippets/String-Functions-strncpy.po b/defensive-coding/es-ES/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..1ae936b --- /dev/null +++ b/defensive-coding/es-ES/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/es-ES/CXX/CXX.po b/defensive-coding/es-ES/CXX/CXX.po new file mode 100644 index 0000000..cdf3fe6 --- /dev/null +++ b/defensive-coding/es-ES/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/es-ES/CXX/Language.po b/defensive-coding/es-ES/CXX/Language.po new file mode 100644 index 0000000..c12f1c1 --- /dev/null +++ b/defensive-coding/es-ES/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/es-ES/CXX/Std.po b/defensive-coding/es-ES/CXX/Std.po new file mode 100644 index 0000000..8338622 --- /dev/null +++ b/defensive-coding/es-ES/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/es-ES/Defensive_Coding.po b/defensive-coding/es-ES/Defensive_Coding.po new file mode 100644 index 0000000..ec09e2d --- /dev/null +++ b/defensive-coding/es-ES/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/es-ES/Features/Authentication.po b/defensive-coding/es-ES/Features/Authentication.po new file mode 100644 index 0000000..be45110 --- /dev/null +++ b/defensive-coding/es-ES/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/es-ES/Features/TLS.po b/defensive-coding/es-ES/Features/TLS.po new file mode 100644 index 0000000..c7fc10b --- /dev/null +++ b/defensive-coding/es-ES/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..c61266a --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..d1196a0 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..40da891 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..43df9c3 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..9e47caf --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..7fefb6b --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..708c4ab --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..c65f9db --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..10f61a8 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..0c4588a --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..12dc6bc --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..a2ea3bd --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..d7ad96f --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..a1ce7b0 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..b695337 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..3583d33 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..35ca9f4 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..6332caf --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/es-ES/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..d1f3456 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..a50a0d1 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..f814b40 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..82ae7ac --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..565f4d9 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-NSS-Close.po b/defensive-coding/es-ES/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..3fcabed --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/es-ES/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..b869e98 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-NSS-Init.po b/defensive-coding/es-ES/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..9e2477b --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-NSS-Use.po b/defensive-coding/es-ES/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..8e03332 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Nagle.po b/defensive-coding/es-ES/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..f4e720d --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/es-ES/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..12e2802 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..217da36 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..501ce1d --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..07dce4f --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Python-Close.po b/defensive-coding/es-ES/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..9eb9479 --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/es-ES/Features/snippets/TLS-Python-Use.po b/defensive-coding/es-ES/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..efe71ca --- /dev/null +++ b/defensive-coding/es-ES/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/es-ES/Revision_History.po b/defensive-coding/es-ES/Revision_History.po new file mode 100644 index 0000000..662dc47 --- /dev/null +++ b/defensive-coding/es-ES/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/Cryptography.po b/defensive-coding/es-ES/Tasks/Cryptography.po new file mode 100644 index 0000000..99e5073 --- /dev/null +++ b/defensive-coding/es-ES/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/Descriptors.po b/defensive-coding/es-ES/Tasks/Descriptors.po new file mode 100644 index 0000000..aaf2da4 --- /dev/null +++ b/defensive-coding/es-ES/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/File_System.po b/defensive-coding/es-ES/Tasks/File_System.po new file mode 100644 index 0000000..441e931 --- /dev/null +++ b/defensive-coding/es-ES/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/Library_Design.po b/defensive-coding/es-ES/Tasks/Library_Design.po new file mode 100644 index 0000000..3ab9405 --- /dev/null +++ b/defensive-coding/es-ES/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/Processes.po b/defensive-coding/es-ES/Tasks/Processes.po new file mode 100644 index 0000000..ead6a40 --- /dev/null +++ b/defensive-coding/es-ES/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/Serialization.po b/defensive-coding/es-ES/Tasks/Serialization.po new file mode 100644 index 0000000..5f045cf --- /dev/null +++ b/defensive-coding/es-ES/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/Temporary_Files.po b/defensive-coding/es-ES/Tasks/Temporary_Files.po new file mode 100644 index 0000000..43e50ae --- /dev/null +++ b/defensive-coding/es-ES/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..caafb63 --- /dev/null +++ b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..78756c2 --- /dev/null +++ b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..6a2a03b --- /dev/null +++ b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..2f2368c --- /dev/null +++ b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..f24bc2e --- /dev/null +++ b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..461ee40 --- /dev/null +++ b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..568619c --- /dev/null +++ b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..9a7f197 --- /dev/null +++ b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..d27d06d --- /dev/null +++ b/defensive-coding/es-ES/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Spanish \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: es\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/fi-FI/Author_Group.po b/defensive-coding/fi-FI/Author_Group.po new file mode 100644 index 0000000..e34b4a9 --- /dev/null +++ b/defensive-coding/fi-FI/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Finnish (http://www.transifex.com/projects/p/fedora/language/fi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/fi-FI/Book_Info.po b/defensive-coding/fi-FI/Book_Info.po new file mode 100644 index 0000000..efb074a --- /dev/null +++ b/defensive-coding/fi-FI/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Finnish (http://www.transifex.com/projects/p/fedora/language/fi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/fr-FR/Author_Group.po b/defensive-coding/fr-FR/Author_Group.po new file mode 100644 index 0000000..6ccf016 --- /dev/null +++ b/defensive-coding/fr-FR/Author_Group.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-28 20:14+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "Florian" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "Weimer" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "Red Hat" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "Équipe Sécurité Produit" diff --git a/defensive-coding/fr-FR/Book_Info.po b/defensive-coding/fr-FR/Book_Info.po new file mode 100644 index 0000000..1c4915b --- /dev/null +++ b/defensive-coding/fr-FR/Book_Info.po @@ -0,0 +1,39 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-16 14:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "Développement défensif" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "Un guide visant à améliorer la sécurité des logiciels" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "Équipe Sécurité Fedora" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "Ce document fournit des conseils visant à améliorer la sécurité des logiciels par un développement prenant en compte la sécurité. Cela couvre les langages et bibliothèques les plus courants, et se concentre sur des recommandations concrètes." diff --git a/defensive-coding/fr-FR/C/Allocators.po b/defensive-coding/fr-FR/C/Allocators.po new file mode 100644 index 0000000..743487a --- /dev/null +++ b/defensive-coding/fr-FR/C/Allocators.po @@ -0,0 +1,266 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-02 08:00+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "Fonctions d'allocation de mémoire" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "malloc et fonctions relatives" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "Erreurs d'utilisation après libération" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "Allocation de tableaux" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "Fonctions d'allocation de mémoire personnalisées" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "Ramasse-miette conservateur" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/fr-FR/C/C.po b/defensive-coding/fr-FR/C/C.po new file mode 100644 index 0000000..37ad18c --- /dev/null +++ b/defensive-coding/fr-FR/C/C.po @@ -0,0 +1,21 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:53+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "Le langage C" diff --git a/defensive-coding/fr-FR/C/Libc.po b/defensive-coding/fr-FR/C/Libc.po new file mode 100644 index 0000000..efb5705 --- /dev/null +++ b/defensive-coding/fr-FR/C/Libc.po @@ -0,0 +1,279 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-16 21:32+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "La bibliothèque C standard" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "Certaines parties de la bibliothèque C standard (tant dans UNIX que les extensions GNU) sont difficile à utiliser correctement, il vaut mieux éviter de les utiliser." + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "Merci aussi de vérifier dans la documentation afférente avant d'utiliser les fonction de remplacement recommandées ici. Plusieurs d'entre elles allouent des plages mémoire à l'aide de la fonction malloc que votre code devra ensuite libérer explicitement à l'aide de free." + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "Interfaces totalement interdites" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "Les fonctions énumérées ci-dessous ne doivent pas être utilisées car elles sont presque toujours dangeureuses. Utiliser les fonctions de remplacements suggérées en lieu et place." + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "getsfgets" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "getwdgetcwd or get_current_dir_name" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "readdir_rreaddir" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "realpath (avec un second paramètre non-NULL) ⟶ realpath avec NULL comme second paramètre, ou canonicalize_file_name" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "Les constantes énumérées ci-dessous ne doivent pas non plus être utilisées. Le code doit plutôt allouer la mémoire dynamiquement, puis utiliser les interfaces qui vérifient les tailles de tampons. " + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "NAME_MAX (limite dont le noyau n'assure pas le strict respect)" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "PATH_MAX (limite dont le noyau n'assure pas le strict respect)" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "_PC_NAME_MAX (Le noyau n'assure pas le respect de cette limite, renvoyée par la fonction pathconf.)" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "_PC_PATH_MAX (Le noyau n'assure pas le respect de cette limite, renvoyée par la fonction pathconf.)" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "Les membres de structures suivants ne doivent pas être utilisés." + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "f_namemax dans struct statvfs (Le noyau n'assure pas le respect de cette limite, cf. _PC_NAME_MAX ci-dessus)" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "Fonctions à éviter" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "Les fonctions suivantes de manipulation de chaînes peuvent être en principe utilisée de manière sécurisée, mais leur utilisation doit être évitée parce qu'elles sont difficiles à utiliser correctement. Les appels à ces fonctions peuvent être remplacés par asprintf ou vasprintf. (Pour les systèmes cibles non-GNU, ces fonctions sont disponibles dans Gnulib.) Dans certains cas, la fonction snprintf peut aussi être une solution de remplacement adéquate, cf. ." + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "sprintf" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "strcat" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "strcpy" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "vsprintf" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "Utiliser les alternatives indiquées pour les fonctions ci-dessous." + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "allocamalloc et free (cf. )" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "putenv ⟶ argument explicite envp dans la création de processus (cf. )" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "setenv ⟶ argument explicite envp dans la création de processus (cf. )" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "strdupastrdup et free (cf. )" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "strndupastrndup et free (cf. )" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "systemposix_spawn ou fork/execve/ (cf. )" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "unsetenv ⟶ argument explicite envp dans la création de processus (cf. )" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "Fonctions sur chaînes avec arguments de longueur explicites" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "La fonction snprintf fournit un moyen de construire une chaîne dans un tampon de taille statique. (Si la taille du tampon est dynamique, utiliser asprintf à la place.)" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "Le deuxième argument de snprintf doit toujours être la taille du tampon indiqué comme premier argument (qui devrait être un tableau de caractères). L'arithmétique complexe sur les pointeurs et la taille peuvent introduire des erreurs et rendre nuls les bénéfices pour la sécurité de l'utilisation snprintf. Si vous avez besoin de construire une chaîne de manière itérative, en ajoutant des fragments de façon répétée, envisagez de construire la chaîne sur le tas, en en augmentant la taille avec realloc lorsque nécessaire. (snprintf n'autorise pas de chevauchement entre le tampon résultat et ceux indiqués en arguments.)" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "Si vous utilisez vsnprintf (ou snprintf) avec une chaîne de format qui n'est pas une constante mais un argument de fonction, il est important d'annoter la fonction avec l'attribut de fonction format, de façon à ce que GCC puisse avertir de la mauvaise utilisation éventuelle de votre fonction (see )." + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "L'attribut de format des fonctions" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "Il existe d'autres fonction qui opèrent sur les chaînes terminées par NUL et qui prennent un argument de longueur affectant le nombre d'octets écrit vers la destination : strncpy, strncat, et stpncpy. Ces fonctions n'assurent en aucun cas que le résultat est bien terminé par NUL. Pour strncpy, la terminaison NUL peut être ajoutée ainsi :" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "Certains systèmes apportent la prise en charge des fonctions strlcpy et strlcat qui se comportent ainsi, mais ces fonctions ne font pas partie de la libc GNU. L'utilisation de snprintf avec une chaîne de format est une solution simple (quoique que légèrement plus lente) de remplacement." diff --git a/defensive-coding/fr-FR/C/snippets/Arithmetic-add.po b/defensive-coding/fr-FR/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..d989703 --- /dev/null +++ b/defensive-coding/fr-FR/C/snippets/Arithmetic-add.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:53+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "\nvoid report_overflow(void);\n\nint\nadd(int a, int b)\n{\n int result = a + b;\n if (a < 0 || b < 0) {\n return -1;\n }\n // The compiler can optimize away the following if statement.\n if (result < 0) {\n report_overflow();\n }\n return result;\n}\n" diff --git a/defensive-coding/fr-FR/C/snippets/Arithmetic-mult.po b/defensive-coding/fr-FR/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..9e683a2 --- /dev/null +++ b/defensive-coding/fr-FR/C/snippets/Arithmetic-mult.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:53+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "\nunsigned\nmul(unsigned a, unsigned b)\n{\n if (b && a > ((unsigned)-1) / b) {\n report_overflow();\n }\n return a * b;\n}\n" diff --git a/defensive-coding/fr-FR/C/snippets/Pointers-remaining.po b/defensive-coding/fr-FR/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..6cd86dc --- /dev/null +++ b/defensive-coding/fr-FR/C/snippets/Pointers-remaining.po @@ -0,0 +1,65 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:53+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "\nssize_t\nextract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n{\n const char *inp = in;\n const char *inend = in + inlen;\n char **outp = out;\n char **outend = out + outlen;\n\n while (inp != inend) {\n size_t len;\n char *s;\n if (outp == outend) {\n errno = ENOSPC;\n goto err;\n }\n len = (unsigned char)*inp;\n ++inp;\n if (len > (size_t)(inend - inp)) {\n errno = EINVAL;\n goto err;\n }\n s = malloc(len + 1);\n if (s == NULL) {\n goto err;\n }\n memcpy(s, inp, len);\n inp += len;\n s[len] = '\\0';\n *outp = s;\n ++outp;\n }\n return outp - out;\nerr:\n {\n int errno_old = errno;\n while (out != outp) {\n free(*out);\n ++out;\n }\n errno = errno_old;\n }\n return -1;\n}\n" diff --git a/defensive-coding/fr-FR/C/snippets/String-Functions-format.po b/defensive-coding/fr-FR/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..52f9c57 --- /dev/null +++ b/defensive-coding/fr-FR/C/snippets/String-Functions-format.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:53+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "\nvoid log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n\nvoid\nlog_format(const char *format, ...)\n{\n char buf[1000];\n va_list ap;\n va_start(ap, format);\n vsnprintf(buf, sizeof(buf), format, ap);\n va_end(ap);\n log_string(buf);\n}\n" diff --git a/defensive-coding/fr-FR/C/snippets/String-Functions-snprintf.po b/defensive-coding/fr-FR/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..2e4059e --- /dev/null +++ b/defensive-coding/fr-FR/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:53+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "\nchar fraction[30];\nsnprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" diff --git a/defensive-coding/fr-FR/C/snippets/String-Functions-strncpy.po b/defensive-coding/fr-FR/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..9c368fd --- /dev/null +++ b/defensive-coding/fr-FR/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,25 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:53+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "\nchar buf[10];\nstrncpy(buf, data, sizeof(buf));\nbuf[sizeof(buf) - 1] = '\\0';\n" diff --git a/defensive-coding/fr-FR/CXX/CXX.po b/defensive-coding/fr-FR/CXX/CXX.po new file mode 100644 index 0000000..6703da5 --- /dev/null +++ b/defensive-coding/fr-FR/CXX/CXX.po @@ -0,0 +1,21 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:58+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "Le langage C++" diff --git a/defensive-coding/fr-FR/CXX/Language.po b/defensive-coding/fr-FR/CXX/Language.po new file mode 100644 index 0000000..93b78e9 --- /dev/null +++ b/defensive-coding/fr-FR/CXX/Language.po @@ -0,0 +1,235 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-02 08:00+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "Le cœur du langage" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "Surcharge" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "Éviter les fonctions étendues en ligne." + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "Prise en charge de C++0X et C++11" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/fr-FR/CXX/Std.po b/defensive-coding/fr-FR/CXX/Std.po new file mode 100644 index 0000000..18d6320 --- /dev/null +++ b/defensive-coding/fr-FR/CXX/Std.po @@ -0,0 +1,56 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-02 19:50+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "La bibliothèque C++ standard" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "La bibliothèque C++ standard inclut la plupart de ses homologues dans la bibliothèque C standard, cf. ." + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "Conteneurs et operator[]" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "Plusieurs conteneurs sont similaires à std::vector provide both operator[](size_type) et à la fonction membre at(size_type). Ceci s'applique à std::vector itself, std::array, std::string ainsi qu'aux occurrences de std::basic_string." + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "Le standard n'oblige pas operator[](size_type) à vérifier les limites (et sa mise en œuvre dans GCC non plus). A contrario, at(size_type) doit effectuer une telle vérification. Ainsi, dans un code où la performance n'est pas critique, il faut préférer l'utilisation de at(size_type) à celle de operator[](size_type), bien qu'elle soit légèrement plus verbeuse." diff --git a/defensive-coding/fr-FR/Defensive_Coding.po b/defensive-coding/fr-FR/Defensive_Coding.po new file mode 100644 index 0000000..e99ff54 --- /dev/null +++ b/defensive-coding/fr-FR/Defensive_Coding.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:48+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "Langages de programmation" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "Tâches spécifiques de programmation" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "Mise en œuvre de fonctionnalités de sécurité" diff --git a/defensive-coding/fr-FR/Features/Authentication.po b/defensive-coding/fr-FR/Features/Authentication.po new file mode 100644 index 0000000..5242489 --- /dev/null +++ b/defensive-coding/fr-FR/Features/Authentication.po @@ -0,0 +1,232 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-28 09:30+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "Authentification et autorisation" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "Serveurs d'authentification" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "Authentification basée sur l'hôte" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/fr-FR/Features/TLS.po b/defensive-coding/fr-FR/Features/TLS.po new file mode 100644 index 0000000..31bf874 --- /dev/null +++ b/defensive-coding/fr-FR/Features/TLS.po @@ -0,0 +1,1121 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:30+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "Transport Layer Security (sécurité de la couche de transport)" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "Écueils courants" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "Écueils avec OpenSSL" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "Écueils avec GNUTLS" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "Écueils avec OpenJDK" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "Écueils avec NSS" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..7c99eab --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:04+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "\n// Create the session object.\ngnutls_session_t session;\nret = gnutls_init(&session, GNUTLS_CLIENT);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_init: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n\n// Configure the cipher preferences.\nconst char *errptr = NULL;\nret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n\"\n\t \"error: at: \\\"%s\\\"\n\", gnutls_strerror(ret), errptr);\n exit(1);\n}\n\n// Install the trusted certificates.\nret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_credentials_set: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n\n// Associate the socket with the session object and set the server\n// name.\ngnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\nret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n\t\t\t host, strlen(host));\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_server_name_set: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n\n// Establish the session.\nret = gnutls_handshake(session);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_handshake: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..0ef2e3b --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:40+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "\n// Charge les certificats des AC de confiance.\ngnutls_certificate_credentials_t cred = NULL;\nint ret = gnutls_certificate_allocate_credentials (&cred);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n// gnutls_certificate_set_x509_system_trust nécessite GNUTLS version 3.0\n// ou plus récent, on code donc en dur le chemin vers le magasin de certificats.\nstatic const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\nret = gnutls_certificate_set_x509_trust_file\n (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\nif (ret == 0) {\n fprintf(stderr, \"error: no certificates found in: %s\n\", ca_bundle);\n exit(1);\n}\nif (ret < 0) {\n fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n\",\n\t ca_bundle, gnutls_strerror(ret));\n exit(1);\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..2c9def7 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,49 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:01+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "\n// Match the peer certificate against the host name.\n// We can only obtain a set of DER-encoded certificates from the\n// session object, so we have to re-parse the peer certificate into\n// a certificate object.\ngnutls_x509_crt_t cert;\nret = gnutls_x509_crt_init(&cert);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\n// The peer certificate is the first certificate in the list.\nret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\nret = gnutls_x509_crt_check_hostname(cert, host);\nif (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n fprintf(stderr, \"error: host name does not match certificate\n\");\n exit(1);\n}\ngnutls_x509_crt_deinit(cert);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..268587f --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,62 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:30+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "\n// Obitent la chaîne de certificats du serveur. Le certificat du serveur\n// lui-même est stocké dans le premier élément du tableau.\nunsigned certslen = 0;\nconst gnutls_datum_t *const certs =\n gnutls_certificate_get_peers(session, &certslen);\nif (certs == NULL || certslen == 0) {\n fprintf(stderr, \"error: could not obtain peer certificate\n\");\n exit(1);\n}\n\n// Valide la chaîne de certificats.\nunsigned status = (unsigned)-1;\nret = gnutls_certificate_verify_peers2(session, &status);\nif (ret != GNUTLS_E_SUCCESS) {\n fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n\",\n\t gnutls_strerror(ret));\n exit(1);\n}\nif (status != 0 && !certificate_validity_override(certs[0])) {\n gnutls_datum_t msg;\n#if GNUTLS_VERSION_AT_LEAST_3_1_4\n int type = gnutls_certificate_type_get (session);\n ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n#else\n ret = -1;\n#endif\n if (ret == 0) {\n fprintf(stderr, \"error: %s\n\", msg.data);\n gnutls_free(msg.data);\n exit(1);\n } else {\n fprintf(stderr, \"error: certificate validation failed with code 0x%x\n\",\n\t status);\n exit(1);\n }\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..b484c31 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:06+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "\n// Send close_notify alert.\nif (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: PR_Read error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\n// Closes the underlying POSIX file descriptor, too.\nPR_Close(nspr);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..13638dc --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,133 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:40+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "\n// Wrap the POSIX file descriptor. This is an internal NSPR\n// function, but it is very unlikely to change.\nPRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\nsockfd = -1; // Has been taken over by NSPR.\n\n// Add the SSL layer.\n{\n PRFileDesc *model = PR_NewTCPSocket();\n PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n if (newfd == NULL) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: NSPR error code %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n model = newfd;\n newfd = NULL;\n if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n\n // Disable all ciphers (except RC4-based ciphers, for backwards\n // compatibility).\n const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n\t const PRErrorCode err = PR_GetError();\n\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n\",\n\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n\t exit(1);\n\t}\n }\n }\n\n // Enable the strong ciphers.\n for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n\t ++p) {\n if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n\tconst PRErrorCode err = PR_GetError();\n\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n\",\n\t\t(unsigned)*p, err, PR_ErrorToName(err));\n\texit(1);\n }\n }\n\n // Allow overriding invalid certificate.\n if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n\n newfd = SSL_ImportFD(model, nspr);\n if (newfd == NULL) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n nspr = newfd;\n PR_Close(model);\n}\n\n// Perform the handshake.\nif (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\nif (SSL_SetURL(nspr, host) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: SSL_SetURL error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\nif (SSL_ForceHandshake(nspr) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..f821431 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:08+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "\n// Create the socket and connect it at the TCP layer.\nSSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n .createSocket(host, port);\n\n// Disable the Nagle algorithm.\nsocket.setTcpNoDelay(true);\n\n// Adjust ciphers and protocols.\nsocket.setSSLParameters(params);\n\n// Perform the handshake.\nsocket.startHandshake();\n\n// Validate the host name. The match() method throws\n// CertificateException on failure.\nX509Certificate peer = (X509Certificate)\n socket.getSession().getPeerCertificates()[0];\n// This is the only way to perform host name checking on OpenJDK 6.\nHostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n host, peer);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..32fcc07 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:03+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "\n// Create the context. Specify the SunJSSE provider to avoid\n// picking up third-party providers. Try the TLS 1.2 provider\n// first, then fall back to TLS 1.0.\nSSLContext ctx;\ntry {\n ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n} catch (NoSuchAlgorithmException e) {\n try {\n ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n } catch (NoSuchAlgorithmException e1) {\n // The TLS 1.0 provider should always be available.\n throw new AssertionError(e1);\n } catch (NoSuchProviderException e1) {\n throw new AssertionError(e1);\n } \n} catch (NoSuchProviderException e) {\n // The SunJSSE provider should always be available.\n throw new AssertionError(e);\n}\nctx.init(null, null, null);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..1b63144 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:26+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "\nSSLContext ctx;\ntry {\n ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n} catch (NoSuchAlgorithmException e) {\n try {\n ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n } catch (NoSuchAlgorithmException e1) {\n throw new AssertionError(e1);\n } catch (NoSuchProviderException e1) {\n throw new AssertionError(e1);\n }\n} catch (NoSuchProviderException e) {\n throw new AssertionError(e);\n}\nMyTrustManager tm = new MyTrustManager(certHash);\nctx.init(null, new TrustManager[] {tm}, null);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..f79123e --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:58+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "\nparams.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..7ec1d9e --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:58+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "\nimport java.security.NoSuchAlgorithmException;\nimport java.security.NoSuchProviderException;\nimport java.security.cert.CertificateEncodingException;\nimport java.security.cert.CertificateException;\nimport java.security.cert.X509Certificate;\nimport javax.net.ssl.SSLContext;\nimport javax.net.ssl.SSLParameters;\nimport javax.net.ssl.SSLSocket;\nimport javax.net.ssl.TrustManager;\nimport javax.net.ssl.X509TrustManager;\n\nimport sun.security.util.HostnameChecker;\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..ff186e7 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,54 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:49+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "\npublic class MyTrustManager implements X509TrustManager {\n private final byte[] certHash;\n\n public MyTrustManager(byte[] certHash) throws Exception {\n this.certHash = certHash;\n }\n\n @Override\n public void checkClientTrusted(X509Certificate[] chain, String authType)\n throws CertificateException {\n throw new UnsupportedOperationException();\n }\n\n @Override\n public void checkServerTrusted(X509Certificate[] chain,\n String authType) throws CertificateException {\n byte[] digest = getCertificateDigest(chain[0]);\n String digestHex = formatHex(digest);\n\n if (Arrays.equals(digest, certHash)) {\n System.err.println(\"info: accepting certificate: \" + digestHex);\n } else {\n throw new CertificateException(\"certificate rejected: \" +\n digestHex);\n }\n }\n\n @Override\n public X509Certificate[] getAcceptedIssuers() {\n return new X509Certificate[0];\n }\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..f0b088a --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:58+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "\nsocket.getOutputStream().write(\"GET / HTTP/1.0\\r\n\\r\n\"\n .getBytes(Charset.forName(\"UTF-8\")));\nbyte[] buffer = new byte[4096];\nint count = socket.getInputStream().read(buffer);\nSystem.out.write(buffer, 0, count);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..7dd0801 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,87 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:06+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "\n// Configure a client connection context. Send a hendshake for the\n// highest supported TLS version, and disable compression.\nconst SSL_METHOD *const req_method = SSLv23_client_method();\nSSL_CTX *const ctx = SSL_CTX_new(req_method);\nif (ctx == NULL) {\n ERR_print_errors(bio_err);\n exit(1);\n}\nSSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n\n// Adjust the ciphers list based on a whitelist. First enable all\n// ciphers of at least medium strength, to get the list which is\n// compiled into OpenSSL.\nif (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n ERR_print_errors(bio_err);\n exit(1);\n}\n{\n // Create a dummy SSL session to obtain the cipher list.\n SSL *ssl = SSL_new(ctx);\n if (ssl == NULL) {\n ERR_print_errors(bio_err);\n exit(1);\n }\n STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n if (active_ciphers == NULL) {\n ERR_print_errors(bio_err);\n exit(1);\n }\n // Whitelist of candidate ciphers.\n static const char *const candidates[] = {\n \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n NULL\n };\n // Actually selected ciphers.\n char ciphers[300];\n ciphers[0] = '\\0';\n for (const char *const *c = candidates; *c; ++c) {\n for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n\t\t *c) == 0) {\n\t if (*ciphers) {\n\t strcat(ciphers, \":\");\n\t }\n\t strcat(ciphers, *c);\n\t break;\n\t}\n }\n }\n SSL_free(ssl);\n // Apply final cipher list.\n if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n ERR_print_errors(bio_err);\n exit(1);\n }\n}\n\n// Load the set of trusted root certificates.\nif (!SSL_CTX_set_default_verify_paths(ctx)) {\n ERR_print_errors(bio_err);\n exit(1);\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..6450c7d --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,73 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:40+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "\n// Crée l'objet connexion.\nSSL *ssl = SSL_new(ctx);\nif (ssl == NULL) {\n ERR_print_errors(bio_err);\n exit(1);\n}\nSSL_set_fd(ssl, sockfd);\n\n// Active l'extension ServerNameIndication\nif (!SSL_set_tlsext_host_name(ssl, host)) {\n ERR_print_errors(bio_err);\n exit(1);\n}\n\n// Réalise la poignée de main avec le serveur.\nret = SSL_connect(ssl);\nif (ret != 1) {\n // Error status can be 0 or negative.\n ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n}\n\n// Récupère le certificat du serveur.\nX509 *peercert = SSL_get_peer_certificate(ssl);\nif (peercert == NULL) {\n fprintf(stderr, \"peer certificate missing\");\n exit(1);\n}\n\n// Vérifie le résultat de la vérification du certificat. Autorise une dérogation\n// explicite en case d'échec de la vérification du certificat.\nint verifystatus = SSL_get_verify_result(ssl);\nif (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n fprintf(stderr, \"SSL_connect: verify result: %s\n\",\n\t X509_verify_cert_error_string(verifystatus));\n exit(1);\n}\n\n// Vérifie que le certificat du serveur correspond au nom d'hôte utilisé\n// pour établir la connexion.\n// FIXME: Nécessite OpenSSL 1.1.\nif (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n\t\t 0) != 1\n && !certificate_host_name_override(peercert, host)) {\n fprintf(stderr, \"SSL certificate does not match host name\n\");\n exit(1);\n}\n\nX509_free(peercert);\n\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..282f0e3 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:02+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "\nconst char *const req = \"GET / HTTP/1.0\\r\n\\r\n\";\nif (SSL_write(ssl, req, strlen(req)) < 0) {\n ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n}\nchar buf[4096];\nret = SSL_read(ssl, buf, sizeof(buf));\nif (ret < 0) {\n ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..b74ade3 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:06+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "\n// The following call prints an error message and calls exit() if\n// the OpenSSL configuration file is unreadable.\nOPENSSL_config(NULL);\n// Provide human-readable error messages.\nSSL_load_error_strings();\n// Register ciphers.\nSSL_library_init();\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..12b20b4 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:03+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "\nsock = ssl.wrap_socket(sock,\n ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n ssl_version=ssl.PROTOCOL_TLSv1,\n cert_reqs=ssl.CERT_REQUIRED,\n ca_certs='/etc/ssl/certs/ca-bundle.crt')\n# getpeercert() triggers the handshake as a side effect.\nif not check_host_name(sock.getpeercert(), host):\n raise IOError(\"peer certificate does not match host name\")\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/fr-FR/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..0f3e502 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,45 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:58+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "\ndef check_host_name(peercert, name):\n \"\"\"Simple certificate/host name checker. Returns True if the\n certificate matches, False otherwise. Does not support\n wildcards.\"\"\"\n # Check that the peer has supplied a certificate.\n # None/{} is not acceptable.\n if not peercert:\n return False\n if peercert.has_key(\"subjectAltName\"):\n for typ, val in peercert[\"subjectAltName\"]:\n if typ == \"DNS\" and val == name:\n return True\n else:\n # Only check the subject DN if there is no subject alternative\n # name.\n cn = None\n for attr, val in peercert[\"subject\"]:\n # Use most-specific (last) commonName attribute.\n if attr == \"commonName\":\n cn = val\n if cn is not None:\n return cn == name\n return False\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..c64b790 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:58+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "\ngnutls_certificate_free_credentials(cred);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..29710c0 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:05+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "\n// Initiate an orderly connection shutdown.\nret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\nif (ret < 0) {\n fprintf(stderr, \"error: gnutls_bye: %s\n\", gnutls_strerror(ret));\n exit(1);\n}\n// Free the session object.\ngnutls_deinit(session);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..8e4a711 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:05+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "\ngnutls_global_init();\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..ed2ab67 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,39 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:39+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "\nchar buf[4096];\nsnprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\nHost: %s\\r\n\\r\n\", host);\nret = gnutls_record_send(session, buf, strlen(buf));\nif (ret < 0) {\n fprintf(stderr, \"error: gnutls_record_send: %s\n\", gnutls_strerror(ret));\n exit(1);\n}\nret = gnutls_record_recv(session, buf, sizeof(buf));\nif (ret < 0) {\n fprintf(stderr, \"error: gnutls_record_recv: %s\n\", gnutls_strerror(ret));\n exit(1);\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Close.po b/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..a9cc29f --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:59+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "\nSECMOD_DestroyModule(module);\nNSS_ShutdownContext(ctx);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..22899d8 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:40+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "\n// Fichiers include pour NSPR\n#include <prerror.h>\n#include <prinit.h>\n\n// Fichiers include pour NSS\n#include <nss.h>\n#include <pk11pub.h>\n#include <secmod.h>\n#include <ssl.h>\n#include <sslproto.h>\n\n// API privée, pas d'autre moyen de transformer un descripteur de fichier\n// POSIX en descripteur NSPR.\nNSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Init.po b/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..c7d83c4 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,84 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:40+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "\nPR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\nNSSInitContext *const ctx =\n NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\nif (ctx == NULL) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: NSPR error code %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\n\n// Chiffres à activer.\nstatic const PRUint16 good_ciphers[] = {\n TLS_RSA_WITH_AES_128_CBC_SHA,\n TLS_RSA_WITH_AES_256_CBC_SHA,\n SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n SSL_NULL_WITH_NULL_NULL // sentinel\n};\n\n// Vérifie si la politique actuelle permet les chiffres forts. Dans le cas\n// contraire, passe à la politique domestique (non restreinte).\n// Ceci n'est pas thread-safe et a un impact global. Ainsi, on ne le\n// fait que lorsque cela est absolument nécessaire.\nint found_good_cipher = 0;\nfor (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n ++p) {\n PRInt32 policy;\n if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n\",\n\t (unsigned)*p, err, PR_ErrorToName(err));\n exit(1);\n }\n if (policy == SSL_ALLOWED) {\n fprintf(stderr, \"info: found cipher %x\n\", (unsigned)*p);\n found_good_cipher = 1;\n break;\n }\n}\nif (!found_good_cipher) {\n if (NSS_SetDomesticPolicy() != SECSuccess) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n }\n}\n\n// Initialise le magasin de certificat de confiance.\nchar module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\nSECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\nif (module == NULL || !module->loaded) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: NSPR error code %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Use.po b/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..eb922b5 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,43 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:59+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "\nchar buf[4096];\nsnprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\nHost: %s\\r\n\\r\n\", host);\nPRInt32 ret = PR_Write(nspr, buf, strlen(buf));\nif (ret < 0) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: PR_Write error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\nret = PR_Read(nspr, buf, sizeof(buf));\nif (ret < 0) {\n const PRErrorCode err = PR_GetError();\n fprintf(stderr, \"error: PR_Read error %d: %s\n\",\n\t err, PR_ErrorToName(err));\n exit(1);\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Nagle.po b/defensive-coding/fr-FR/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..515a06b --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Nagle.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:58+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "\nconst int val = 1;\nint ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\nif (ret < 0) {\n perror(\"setsockopt(TCP_NODELAY)\");\n exit(1);\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/fr-FR/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..6306590 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,43 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:50+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "\n// Prépare les paramètres TLS. Ceux-ci doivent être appliqués\n// à toute socket TLS avant le déclenchement de la poignée de main.\nSSLParameters params = ctx.getDefaultSSLParameters();\n// Ne pas envoyer de Hello compatible avec un client SSL-2.0.\nArrayList<String> protocols = new ArrayList<String>(\n Arrays.asList(params.getProtocols()));\nprotocols.remove(\"SSLv2Hello\");\nparams.setProtocols(protocols.toArray(new String[protocols.size()]));\n// Ajuster les chiffres pris en charge.\nArrayList<String> ciphers = new ArrayList<String>(\n Arrays.asList(params.getCipherSuites()));\nciphers.retainAll(Arrays.asList(\n \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n \"SSL_RSA_WITH_RC4_128_SHA1\",\n \"SSL_RSA_WITH_RC4_128_MD5\",\n \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\nparams.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..637c35f --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-24 17:40+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "\n// Envoie l'alerte close_notify.\nret = SSL_shutdown(ssl);\nswitch (ret) {\ncase 1:\n // Une alerte close_notify a déjà été reçue.\n break;\ncase 0:\n // Attend l'alerte close_notify de la contrepartie.\n ret = SSL_shutdown(ssl);\n switch (ret) {\n case 0:\n fprintf(stderr, \"info: second SSL_shutdown returned zero\n\");\n break;\n case 1:\n break;\n default:\n ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n }\n break;\ndefault:\n ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n}\nSSL_free(ssl);\nclose(sockfd);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..55bb7c8 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:01+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "\nSSL_CTX_free(ctx);\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..611bda3 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,52 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:01+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "\nstatic void __attribute__((noreturn))\nssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n{\n int subcode = SSL_get_error(ssl, ret);\n switch (subcode) {\n case SSL_ERROR_NONE:\n fprintf(stderr, \"error: %s: no error to report\n\", op);\n break;\n case SSL_ERROR_WANT_READ:\n case SSL_ERROR_WANT_WRITE:\n case SSL_ERROR_WANT_X509_LOOKUP:\n case SSL_ERROR_WANT_CONNECT:\n case SSL_ERROR_WANT_ACCEPT:\n fprintf(stderr, \"error: %s: invalid blocking state %d\n\", op, subcode);\n break;\n case SSL_ERROR_SSL:\n fprintf(stderr, \"error: %s: TLS layer problem\n\", op);\n case SSL_ERROR_SYSCALL:\n fprintf(stderr, \"error: %s: system call failed: %s\n\", op, strerror(errno));\n break;\n case SSL_ERROR_ZERO_RETURN:\n fprintf(stderr, \"error: %s: zero return\n\", op);\n }\n exit(1);\n}\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Python-Close.po b/defensive-coding/fr-FR/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..cdb7e3c --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 12:58+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "\nsock.close()\n" diff --git a/defensive-coding/fr-FR/Features/snippets/TLS-Python-Use.po b/defensive-coding/fr-FR/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..a61e518 --- /dev/null +++ b/defensive-coding/fr-FR/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-20 13:00+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "\nsock.write(\"GET / HTTP/1.1\\r\nHost: \" + host + \"\\r\n\\r\n\")\nprint sock.read()\n" diff --git a/defensive-coding/fr-FR/Revision_History.po b/defensive-coding/fr-FR/Revision_History.po new file mode 100644 index 0000000..0547836 --- /dev/null +++ b/defensive-coding/fr-FR/Revision_History.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-28 09:23+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "Historique de modifications" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "Eric" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "Christensen" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "Publication initiale." diff --git a/defensive-coding/fr-FR/Tasks/Cryptography.po b/defensive-coding/fr-FR/Tasks/Cryptography.po new file mode 100644 index 0000000..bb5d4f3 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/Cryptography.po @@ -0,0 +1,200 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-02 09:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "Cryptographie" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "Primitives" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "Il est recommandé de faire son choix parmi les primitives cryptographiques suivantes :" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "RSA avec des clés de 2048 bit et OAEP" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "AES-128 en mode CBC" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "SHA-256" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "HMAC-SHA-256" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "HMAC-SHA-1" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "AES-192" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "AES-256" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "3DES (triple DES, avec deux ou trois clés de 56 bit)" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "RC4 (mais très, très fortement déconseillé)" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "SHA-1" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "HMAC-MD5" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "Important" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "Aléatoire" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "API difficiles à utiliser" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/fr-FR/Tasks/Descriptors.po b/defensive-coding/fr-FR/Tasks/Descriptors.po new file mode 100644 index 0000000..f6ce86d --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/Descriptors.po @@ -0,0 +1,333 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-17 09:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "Gestion des descripteurs de fichiers" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "Fermeture de descripteurs" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "Fermeture de descripteurs et situation de compétition" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "Faire avec les limites de select" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "\n\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n\t" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/fr-FR/Tasks/File_System.po b/defensive-coding/fr-FR/Tasks/File_System.po new file mode 100644 index 0000000..8902b08 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/File_System.po @@ -0,0 +1,397 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-17 09:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "Manipulation des systèmes de fichiers" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "Travailler avec des fichiers et répertoires appartenant à d'autres utilisateurs" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "Accéder au système de fichier en tant qu'un autre utilisateur" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "Limites relatives aux systèmes de fichiers" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "Fonctionnalités des systèmes de fichiers" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "Vérification de l'espace disponible" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/fr-FR/Tasks/Library_Design.po b/defensive-coding/fr-FR/Tasks/Library_Design.po new file mode 100644 index 0000000..15bd3f2 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/Library_Design.po @@ -0,0 +1,268 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-02 09:30+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "Conception de bibliothèque" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "Gestion d'état" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "État global" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "L'utilisation d'un état global doit être évitée." + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "Descripteurs" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "Programmation orientée objet" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "Callbacks" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "Attributs de processus" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "umask" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "identifiants d'utilisateurs, de groupes et capacités (capabilities)" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "gestionnaires, masques et propagation de signaux" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/fr-FR/Tasks/Processes.po b/defensive-coding/fr-FR/Tasks/Processes.po new file mode 100644 index 0000000..40b4a3d --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/Processes.po @@ -0,0 +1,598 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-04-10 17:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "Processus" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "Création sécurisée de processus" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "Cette section décrit les différentes manières sécurisées de créer des processus enfants. Au delà des considérations prises comptes ci-dessous, il existe aussi la possibilité fuite de descripteurs de fichiers pendant ces opérations, cf. ." + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "Outrepasser l'interpréteur de commandes" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "Avertissement de portabilité" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/fr-FR/Tasks/Serialization.po b/defensive-coding/fr-FR/Tasks/Serialization.po new file mode 100644 index 0000000..4874214 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/Serialization.po @@ -0,0 +1,514 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-04-16 21:32+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "Sérialisation et déserialisation" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "Les décodeurs et analyseurs de protocole de formats de fichiers sont souvent la partie la plus exposée d'une application car ils sont exposés avec une interaction utilisateur minimale voire nulle, et ce avant toute authentification et tout contrôle de sécurité. Ils sont également difficiles à écrire de manière robuste dans des langages dont la gestion de la mémoire n'est pas sécurisée." + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "Recommandations pour les décodeurs faits maison." + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "Pour C et C++, les conseils dans s'appliquent. De plus, il faut éviter l'utilisation de pointeurs non-caractères directement dans les tampons d'entrée. Un mauvais alignement de tampons peut provoquer des plantages sur certaines architectures." + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "Conception de protocole" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "Bibliothèques de prise en charge de la désérialisation" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "Module Perl Storable" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "Sérialisation PHP (unserialize)" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "La plupart des mises en œuvres de YAML" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "Sérialisation XML" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "Références externes" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "Extension des entités" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "Traitement XInclude" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "Complexité algorithmique de la validation XML" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "Validation de schéma XML dans OpenJDK" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/fr-FR/Tasks/Temporary_Files.po b/defensive-coding/fr-FR/Tasks/Temporary_Files.po new file mode 100644 index 0000000..21ad853 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/Temporary_Files.po @@ -0,0 +1,310 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-05-06 08:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "Fichiers temporaires" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "Dans ce chapitre, nous décrivons comment créer des fichiers et des répertoires temporaires, comment les supprimer, et comment travailler avec les programmes qui ne créent pas de fichiers d'une manière sûre avec un répertoire partagé pour les fichiers temporaires. Les manipulations générales du système de fichiers sont traitées dans un chapitre distinct, ." + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "La création sécurisée de fichiers temporaires comporte quatre aspects." + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "L'emplacement du répertoire pour les fichiers temporaires doit être obtenu de manière sécurisée (cest à dire que les variables d'environnement non fiables doivent être ignorées, voir )." + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "Un nouveau fichier doit être créé. La réutilisation d'un fichier existant doit être évitée (la situation de compétition dans /tmp). C'est difficile parce que les répertoires temporaires sont traditionnellement des répertoires partagés par tous les utilisateurs sur le système." + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "Le fichier doit être créé d'une manière qui rend impossible pour les autres utilisateurs de l'ouvrir." + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "Le descripteur du fichier temporaire ne doit pas fuir à des sous-processus." + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "Toutes les fonctions mentionnées ci-dessous prennent en compte ces différents aspects." + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "Traditionnellement, les fichiers temporaires sont souvent utilisés pour réduire la consommation de mémoire des programmes. De plus en plus de systèmes utilisent des systèmes de fichiers basé en mémoire RAM comme tmpfs pour stocker les fichiers temporaires, pour augmenter les performances et réduire l'usure du stockage flash. En conséquence, le stockage de données dans des fichiers temporaires ne conduit pas à des économies de mémoire, et la complexité liée peut être évitée si les données sont conservées dans la mémoire du processus." + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "Obtenir l'emplacement du répertoire temporaire" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "Certaines fonctions ci-dessous ont besoin de l'emplacement d'un répertoire qui stocke les fichiers temporaires. Pour C/C++, utiliser les étapes suivantes pour obtenir ce répertoire :" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "Utiliser secure_getenv pour obtenir la valeur de la variable d'environnement TMPDIR . Si elle est définie, convertir le chemin en un chemin absolu entièrement résolu, en utilisant realpath(path, NULL). Vérifier si le nouveau chemin d'accès correspond à un répertoire et est accessible en écriture. Dans ce cas, l'utiliser comme répertoire temporaire." + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "Se replier sur /tmp." + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "En Python, il est possible d'utiliser la variable tempfile.tempdir." + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "Java ne prend pas en charge les programmes SUID/SGID, il est donc possible d'utiliser la méthode java.lang.System.getenv (String) pour obtenir la valeur de la variable d'environnement TMPDIR, puis de suivre les deux étapes décrites ci-dessus. (La sélection du répertoire par défaut de Java n'honore pas TMPDIR.)" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "Fichiers temporaires nommés" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "La fonction mkostemp crée un fichier temporaire nommé. Il est possible de lui indiquer le drapeau O_CLOEXEC afin d'éviter les fuites de descripteurs aux sous-processus. (Les applications qui ne sont pas multi-fils d'exécution -- multi-threads, peuvent aussi utiliser la fonction mkstemp, mais les bibliothèques doivent utiliser mkostemp.) Pour définir la partie répertoire du motif de nom de fichier, cf. ." + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "Fichiers temporaires sans noms" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "Java en prend pas en charge les fichiers temporaires sans nom." + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "Répertoires temporaires" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "Compenser les créations de fichiers non sécurisées" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "Elle ne doit accéder à aucun autre fichier existant dans le même répertoire." + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..ffa9701 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-24 17:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "\nXML_Parser parser = XML_ParserCreate(\"UTF-8\");\nif (parser == NULL) {\n fprintf(stderr, \"XML_ParserCreate failed\n\");\n close(fd);\n exit(1);\n}\n// EntityDeclHandler nécessite une référence sur l'analyseur afin\n// d'arrêter l'analyse.\nXML_SetUserData(parser, parser);\n// Disable entity processing, to inhibit entity expansion.\nXML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" diff --git a/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..8d4dcba --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-24 17:30+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "\n// Arrête l'analyseur lors de la rencontre d'une déclaration d'entité.\nstatic void\nEntityDeclHandler(void *userData,\n\t\t const XML_Char *entityName, int is_parameter_entity,\n\t\t const XML_Char *value, int value_length,\n\t\t const XML_Char *base, const XML_Char *systemId,\n\t\t const XML_Char *publicId, const XML_Char *notationName)\n{\n XML_StopParser((XML_Parser)userData, XML_FALSE);\n}\n" diff --git a/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..6942931 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-24 17:18+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "\nclass Errors implements ErrorHandler {\n @Override\n public void warning(SAXParseException exception) {\n exception.printStackTrace();\n }\n \n @Override\n public void fatalError(SAXParseException exception) {\n exception.printStackTrace();\n }\n \n @Override\n public void error(SAXParseException exception) {\n exception.printStackTrace();\n }\n}\n" diff --git a/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..f79bfcc --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,43 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-24 17:22+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "\nimport javax.xml.XMLConstants;\nimport javax.xml.parsers.DocumentBuilder;\nimport javax.xml.parsers.DocumentBuilderFactory;\nimport javax.xml.parsers.ParserConfigurationException;\nimport javax.xml.parsers.SAXParser;\nimport javax.xml.parsers.SAXParserFactory;\nimport javax.xml.transform.dom.DOMSource;\nimport javax.xml.transform.sax.SAXSource;\nimport javax.xml.validation.Schema;\nimport javax.xml.validation.SchemaFactory;\nimport javax.xml.validation.Validator;\n\nimport org.w3c.dom.Document;\nimport org.w3c.dom.ls.LSInput;\nimport org.w3c.dom.ls.LSResourceResolver;\nimport org.xml.sax.EntityResolver;\nimport org.xml.sax.ErrorHandler;\nimport org.xml.sax.InputSource;\nimport org.xml.sax.SAXException;\nimport org.xml.sax.SAXParseException;\nimport org.xml.sax.XMLReader;\n" diff --git a/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..b43dbf4 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-20 12:52+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "\nclass NoEntityResolver implements EntityResolver {\n @Override\n public InputSource resolveEntity(String publicId, String systemId)\n throws SAXException, IOException {\n // Throwing an exception stops validation.\n throw new IOException(String.format(\n \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n }\n}\n" diff --git a/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..f5881ba --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-24 17:15+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "\nclass NoResourceResolver implements LSResourceResolver {\n @Override\n public LSInput resolveResource(String type, String namespaceURI,\n String publicId, String systemId, String baseURI) {\n // Throwing an exception stops validation.\n throw new RuntimeException(String.format(\n \"resolution attempt: type=%s namespace=%s \" +\n \"publicId=%s systemId=%s baseURI=%s\",\n type, namespaceURI, publicId, systemId, baseURI));\n }\n}\n" diff --git a/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..f786c32 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-24 17:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "\nDocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n// Impose restrictions on the complexity of the DTD.\nfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n\n// Active la validation.\n// Cette étape peut être omise si la validation n'est pas désirée.\nfactory.setValidating(true);\n\n// Parse the document.\nDocumentBuilder builder = factory.newDocumentBuilder();\nbuilder.setEntityResolver(new NoEntityResolver());\nbuilder.setErrorHandler(new Errors());\nDocument document = builder.parse(inputStream);\n" diff --git a/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..22613e2 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,39 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-24 17:20+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "\nSchemaFactory factory = SchemaFactory.newInstance(\n XMLConstants.W3C_XML_SCHEMA_NS_URI);\n\n// Ceci active les restrictions sur la complexité du schéma.\nfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n\n// La ligne qui suit évite la résolution de ressources\n// par le schéma lui-même.\nfactory.setResourceResolver(new NoResourceResolver());\n\nSchema schema = factory.newSchema(schemaFile);\n\nValidator validator = schema.newValidator();\n\n// Ceci évite la résolution de ressource externe.\nvalidator.setResourceResolver(new NoResourceResolver());\nvalidator.validate(new DOMSource(document));\n" diff --git a/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..85d9665 --- /dev/null +++ b/defensive-coding/fr-FR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +# Jérôme Fenal , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-24 17:30+0000\n" +"Last-Translator: Jérôme Fenal \n" +"Language-Team: French \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: fr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "\nSchemaFactory factory = SchemaFactory.newInstance(\n XMLConstants.W3C_XML_SCHEMA_NS_URI);\n\n// Ceci active les restrictions sur la complexité de schéma\n// et de document.\nfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n\n// Ceci évite la résolution de ressources par le schéma\n// lui-même.\n// Si le schéma est digne de confiance et qu'il fait référence à des\n// fichiers additionnels, cette ligne doit être omise, sinon le\n// chargement de ces fichiers échouera.\nfactory.setResourceResolver(new NoResourceResolver());\n\nSchema schema = factory.newSchema(schemaFile);\nValidator validator = schema.newValidator();\n\n// Ceci évite la résolution de ressource externe.\nvalidator.setResourceResolver(new NoResourceResolver());\n\nvalidator.validate(new SAXSource(new InputSource(inputStream)));\n" diff --git a/defensive-coding/gl-ES/Author_Group.po b/defensive-coding/gl-ES/Author_Group.po new file mode 100644 index 0000000..c87f190 --- /dev/null +++ b/defensive-coding/gl-ES/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Galician (http://www.transifex.com/projects/p/fedora/language/gl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: gl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/gl-ES/Book_Info.po b/defensive-coding/gl-ES/Book_Info.po new file mode 100644 index 0000000..fd20ab6 --- /dev/null +++ b/defensive-coding/gl-ES/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Galician (http://www.transifex.com/projects/p/fedora/language/gl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: gl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/hi-IN/Author_Group.po b/defensive-coding/hi-IN/Author_Group.po new file mode 100644 index 0000000..4187c5d --- /dev/null +++ b/defensive-coding/hi-IN/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/hi-IN/Book_Info.po b/defensive-coding/hi-IN/Book_Info.po new file mode 100644 index 0000000..7253ed8 --- /dev/null +++ b/defensive-coding/hi-IN/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/hi-IN/C/Allocators.po b/defensive-coding/hi-IN/C/Allocators.po new file mode 100644 index 0000000..1c926bc --- /dev/null +++ b/defensive-coding/hi-IN/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/hi-IN/C/C.po b/defensive-coding/hi-IN/C/C.po new file mode 100644 index 0000000..a0e5376 --- /dev/null +++ b/defensive-coding/hi-IN/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/hi-IN/C/Libc.po b/defensive-coding/hi-IN/C/Libc.po new file mode 100644 index 0000000..3cea4e8 --- /dev/null +++ b/defensive-coding/hi-IN/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/hi-IN/C/snippets/Arithmetic-add.po b/defensive-coding/hi-IN/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..290169b --- /dev/null +++ b/defensive-coding/hi-IN/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/C/snippets/Arithmetic-mult.po b/defensive-coding/hi-IN/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..91f1bd5 --- /dev/null +++ b/defensive-coding/hi-IN/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/C/snippets/Pointers-remaining.po b/defensive-coding/hi-IN/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..e1d6955 --- /dev/null +++ b/defensive-coding/hi-IN/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/C/snippets/String-Functions-format.po b/defensive-coding/hi-IN/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..1ea751c --- /dev/null +++ b/defensive-coding/hi-IN/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/C/snippets/String-Functions-snprintf.po b/defensive-coding/hi-IN/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..1c1a67a --- /dev/null +++ b/defensive-coding/hi-IN/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/C/snippets/String-Functions-strncpy.po b/defensive-coding/hi-IN/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..598bbb1 --- /dev/null +++ b/defensive-coding/hi-IN/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/hi-IN/CXX/CXX.po b/defensive-coding/hi-IN/CXX/CXX.po new file mode 100644 index 0000000..889aa38 --- /dev/null +++ b/defensive-coding/hi-IN/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/hi-IN/CXX/Language.po b/defensive-coding/hi-IN/CXX/Language.po new file mode 100644 index 0000000..233ee1a --- /dev/null +++ b/defensive-coding/hi-IN/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/hi-IN/CXX/Std.po b/defensive-coding/hi-IN/CXX/Std.po new file mode 100644 index 0000000..07033d2 --- /dev/null +++ b/defensive-coding/hi-IN/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/hi-IN/Defensive_Coding.po b/defensive-coding/hi-IN/Defensive_Coding.po new file mode 100644 index 0000000..ad28245 --- /dev/null +++ b/defensive-coding/hi-IN/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/Authentication.po b/defensive-coding/hi-IN/Features/Authentication.po new file mode 100644 index 0000000..314eea2 --- /dev/null +++ b/defensive-coding/hi-IN/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/hi-IN/Features/TLS.po b/defensive-coding/hi-IN/Features/TLS.po new file mode 100644 index 0000000..3f75d89 --- /dev/null +++ b/defensive-coding/hi-IN/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..68afb39 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..b5f6725 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..36572c5 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..caae076 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..1473182 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..eb929de --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..5b4f8d8 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..3d1eae0 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..5ff9baa --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..e1f9800 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..e042bf9 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..66b9cb9 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..790106a --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..a887c08 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..1a51a72 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..837e9ce --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..0a91ca4 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..8fc6573 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/hi-IN/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..b2b47b5 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..a31ccce --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..e3d9e8c --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..bd177c6 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..252c001 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Close.po b/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..16f4760 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..51f8f7a --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Init.po b/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..fab750f --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Use.po b/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..abfbb27 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Nagle.po b/defensive-coding/hi-IN/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..d219a07 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/hi-IN/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..2ce4e83 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..44c579e --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..764a063 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..b958222 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Python-Close.po b/defensive-coding/hi-IN/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..ef86f46 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Features/snippets/TLS-Python-Use.po b/defensive-coding/hi-IN/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..4381fb4 --- /dev/null +++ b/defensive-coding/hi-IN/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Revision_History.po b/defensive-coding/hi-IN/Revision_History.po new file mode 100644 index 0000000..e134747 --- /dev/null +++ b/defensive-coding/hi-IN/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/Cryptography.po b/defensive-coding/hi-IN/Tasks/Cryptography.po new file mode 100644 index 0000000..495f8a3 --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/Descriptors.po b/defensive-coding/hi-IN/Tasks/Descriptors.po new file mode 100644 index 0000000..a4af044 --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/File_System.po b/defensive-coding/hi-IN/Tasks/File_System.po new file mode 100644 index 0000000..3092886 --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/Library_Design.po b/defensive-coding/hi-IN/Tasks/Library_Design.po new file mode 100644 index 0000000..11b330b --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/Processes.po b/defensive-coding/hi-IN/Tasks/Processes.po new file mode 100644 index 0000000..a49eb14 --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/Serialization.po b/defensive-coding/hi-IN/Tasks/Serialization.po new file mode 100644 index 0000000..447a303 --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/Temporary_Files.po b/defensive-coding/hi-IN/Tasks/Temporary_Files.po new file mode 100644 index 0000000..880ad14 --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..20808d8 --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..eb20022 --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..fe558bf --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..eb9e56f --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..1e534bd --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..1da336c --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..840c02a --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..4dc24a1 --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..85b29c6 --- /dev/null +++ b/defensive-coding/hi-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Hindi \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: hi\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/ia/Author_Group.po b/defensive-coding/ia/Author_Group.po new file mode 100644 index 0000000..c9c1235 --- /dev/null +++ b/defensive-coding/ia/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/ia/Book_Info.po b/defensive-coding/ia/Book_Info.po new file mode 100644 index 0000000..e68d393 --- /dev/null +++ b/defensive-coding/ia/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/ia/C/Allocators.po b/defensive-coding/ia/C/Allocators.po new file mode 100644 index 0000000..142ed46 --- /dev/null +++ b/defensive-coding/ia/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/ia/C/C.po b/defensive-coding/ia/C/C.po new file mode 100644 index 0000000..ba42427 --- /dev/null +++ b/defensive-coding/ia/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/ia/C/Libc.po b/defensive-coding/ia/C/Libc.po new file mode 100644 index 0000000..bb3f99a --- /dev/null +++ b/defensive-coding/ia/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/ia/C/snippets/Arithmetic-add.po b/defensive-coding/ia/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..1c197d3 --- /dev/null +++ b/defensive-coding/ia/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/C/snippets/Arithmetic-mult.po b/defensive-coding/ia/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..30c097e --- /dev/null +++ b/defensive-coding/ia/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/C/snippets/Pointers-remaining.po b/defensive-coding/ia/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..59ad07e --- /dev/null +++ b/defensive-coding/ia/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/C/snippets/String-Functions-format.po b/defensive-coding/ia/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..ec8d350 --- /dev/null +++ b/defensive-coding/ia/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/C/snippets/String-Functions-snprintf.po b/defensive-coding/ia/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..453cf8f --- /dev/null +++ b/defensive-coding/ia/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/ia/C/snippets/String-Functions-strncpy.po b/defensive-coding/ia/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..9cd4a9a --- /dev/null +++ b/defensive-coding/ia/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/ia/CXX/CXX.po b/defensive-coding/ia/CXX/CXX.po new file mode 100644 index 0000000..3526d8f --- /dev/null +++ b/defensive-coding/ia/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/ia/CXX/Language.po b/defensive-coding/ia/CXX/Language.po new file mode 100644 index 0000000..c8648fb --- /dev/null +++ b/defensive-coding/ia/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/ia/CXX/Std.po b/defensive-coding/ia/CXX/Std.po new file mode 100644 index 0000000..381fa7a --- /dev/null +++ b/defensive-coding/ia/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/ia/Defensive_Coding.po b/defensive-coding/ia/Defensive_Coding.po new file mode 100644 index 0000000..5565b9b --- /dev/null +++ b/defensive-coding/ia/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/ia/Features/Authentication.po b/defensive-coding/ia/Features/Authentication.po new file mode 100644 index 0000000..dc4fb5f --- /dev/null +++ b/defensive-coding/ia/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/ia/Features/TLS.po b/defensive-coding/ia/Features/TLS.po new file mode 100644 index 0000000..4fd55fd --- /dev/null +++ b/defensive-coding/ia/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..b376f93 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..4a63e90 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..4937de7 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..d592ed0 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/ia/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..c6f1b2b --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/ia/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..c6ab5a1 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..9c47133 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..0eef985 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..4825599 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..e950e80 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..43b2372 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..1b4709a --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..d73b329 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..86fd223 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..44adc2d --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..6622b11 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..f82358e --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/ia/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..0536c29 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/ia/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..c5e1768 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..dc57d85 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..31b05b8 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..070e01d --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..26b2678 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-NSS-Close.po b/defensive-coding/ia/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..88b7eee --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/ia/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..eca087c --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-NSS-Init.po b/defensive-coding/ia/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..7b767f2 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-NSS-Use.po b/defensive-coding/ia/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..bf4e2b6 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Nagle.po b/defensive-coding/ia/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..f41fc37 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/ia/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..6bcbc0d --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/ia/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..49a865f --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/ia/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..b9b64e4 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/ia/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..6c0bdc8 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Python-Close.po b/defensive-coding/ia/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..c83f444 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/ia/Features/snippets/TLS-Python-Use.po b/defensive-coding/ia/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..be817a3 --- /dev/null +++ b/defensive-coding/ia/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/ia/Revision_History.po b/defensive-coding/ia/Revision_History.po new file mode 100644 index 0000000..7784b70 --- /dev/null +++ b/defensive-coding/ia/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/ia/Tasks/Cryptography.po b/defensive-coding/ia/Tasks/Cryptography.po new file mode 100644 index 0000000..24f68d6 --- /dev/null +++ b/defensive-coding/ia/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/ia/Tasks/Descriptors.po b/defensive-coding/ia/Tasks/Descriptors.po new file mode 100644 index 0000000..094854b --- /dev/null +++ b/defensive-coding/ia/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/ia/Tasks/File_System.po b/defensive-coding/ia/Tasks/File_System.po new file mode 100644 index 0000000..f9dfc56 --- /dev/null +++ b/defensive-coding/ia/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/ia/Tasks/Library_Design.po b/defensive-coding/ia/Tasks/Library_Design.po new file mode 100644 index 0000000..a18326b --- /dev/null +++ b/defensive-coding/ia/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/ia/Tasks/Processes.po b/defensive-coding/ia/Tasks/Processes.po new file mode 100644 index 0000000..e99028f --- /dev/null +++ b/defensive-coding/ia/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/ia/Tasks/Serialization.po b/defensive-coding/ia/Tasks/Serialization.po new file mode 100644 index 0000000..5f6fd4f --- /dev/null +++ b/defensive-coding/ia/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/ia/Tasks/Temporary_Files.po b/defensive-coding/ia/Tasks/Temporary_Files.po new file mode 100644 index 0000000..a4efdc2 --- /dev/null +++ b/defensive-coding/ia/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/ia/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/ia/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..ff303d8 --- /dev/null +++ b/defensive-coding/ia/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/ia/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/ia/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..f931c42 --- /dev/null +++ b/defensive-coding/ia/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..5a483be --- /dev/null +++ b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..c1d2b10 --- /dev/null +++ b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..6052dbe --- /dev/null +++ b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..08d9c8b --- /dev/null +++ b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..b4f5046 --- /dev/null +++ b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..5820af3 --- /dev/null +++ b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..a5129da --- /dev/null +++ b/defensive-coding/ia/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Interlingua \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ia\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/id-ID/Author_Group.po b/defensive-coding/id-ID/Author_Group.po new file mode 100644 index 0000000..91b6ab6 --- /dev/null +++ b/defensive-coding/id-ID/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Indonesian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: id\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/id-ID/Book_Info.po b/defensive-coding/id-ID/Book_Info.po new file mode 100644 index 0000000..cb4f370 --- /dev/null +++ b/defensive-coding/id-ID/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Indonesian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: id\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/it-IT/Author_Group.po b/defensive-coding/it-IT/Author_Group.po new file mode 100644 index 0000000..d0b5639 --- /dev/null +++ b/defensive-coding/it-IT/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/it-IT/Book_Info.po b/defensive-coding/it-IT/Book_Info.po new file mode 100644 index 0000000..36b4b89 --- /dev/null +++ b/defensive-coding/it-IT/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/it-IT/C/Allocators.po b/defensive-coding/it-IT/C/Allocators.po new file mode 100644 index 0000000..5db7fd8 --- /dev/null +++ b/defensive-coding/it-IT/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/it-IT/C/C.po b/defensive-coding/it-IT/C/C.po new file mode 100644 index 0000000..1daa047 --- /dev/null +++ b/defensive-coding/it-IT/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/it-IT/C/Libc.po b/defensive-coding/it-IT/C/Libc.po new file mode 100644 index 0000000..907b4f6 --- /dev/null +++ b/defensive-coding/it-IT/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/it-IT/C/snippets/Arithmetic-add.po b/defensive-coding/it-IT/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..51a6312 --- /dev/null +++ b/defensive-coding/it-IT/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/C/snippets/Arithmetic-mult.po b/defensive-coding/it-IT/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..1a5db4f --- /dev/null +++ b/defensive-coding/it-IT/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/C/snippets/Pointers-remaining.po b/defensive-coding/it-IT/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..fe4dd0b --- /dev/null +++ b/defensive-coding/it-IT/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/C/snippets/String-Functions-format.po b/defensive-coding/it-IT/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..6fdeee7 --- /dev/null +++ b/defensive-coding/it-IT/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/C/snippets/String-Functions-snprintf.po b/defensive-coding/it-IT/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..35153ae --- /dev/null +++ b/defensive-coding/it-IT/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/it-IT/C/snippets/String-Functions-strncpy.po b/defensive-coding/it-IT/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..a025203 --- /dev/null +++ b/defensive-coding/it-IT/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/it-IT/CXX/CXX.po b/defensive-coding/it-IT/CXX/CXX.po new file mode 100644 index 0000000..31394d1 --- /dev/null +++ b/defensive-coding/it-IT/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/it-IT/CXX/Language.po b/defensive-coding/it-IT/CXX/Language.po new file mode 100644 index 0000000..087faf3 --- /dev/null +++ b/defensive-coding/it-IT/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/it-IT/CXX/Std.po b/defensive-coding/it-IT/CXX/Std.po new file mode 100644 index 0000000..1d027ca --- /dev/null +++ b/defensive-coding/it-IT/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/it-IT/Defensive_Coding.po b/defensive-coding/it-IT/Defensive_Coding.po new file mode 100644 index 0000000..999acca --- /dev/null +++ b/defensive-coding/it-IT/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/it-IT/Features/Authentication.po b/defensive-coding/it-IT/Features/Authentication.po new file mode 100644 index 0000000..d8fc231 --- /dev/null +++ b/defensive-coding/it-IT/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/it-IT/Features/TLS.po b/defensive-coding/it-IT/Features/TLS.po new file mode 100644 index 0000000..499d370 --- /dev/null +++ b/defensive-coding/it-IT/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..2f08b71 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..0f1b26a --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..9c165fd --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..463724b --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..a73cf0b --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..bba6f1f --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..8fa4600 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..bd9b1bc --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..b97caa2 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..02238cc --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..f078ea7 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..92de9fe --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..ccbaa0d --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..7240402 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..7556ec1 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..e791082 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..418e344 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..4cc5fef --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/it-IT/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..cfd2138 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..82f9fc1 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..b855512 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..f3e9229 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..ae6ddc8 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-NSS-Close.po b/defensive-coding/it-IT/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..e9f7b10 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/it-IT/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..9847b0d --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-NSS-Init.po b/defensive-coding/it-IT/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..a65d08f --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-NSS-Use.po b/defensive-coding/it-IT/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..595ba61 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Nagle.po b/defensive-coding/it-IT/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..c7a3794 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/it-IT/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..b038b62 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..831d402 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..3722e36 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..3dec9a5 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Python-Close.po b/defensive-coding/it-IT/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..99f3702 --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/it-IT/Features/snippets/TLS-Python-Use.po b/defensive-coding/it-IT/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..e8531ce --- /dev/null +++ b/defensive-coding/it-IT/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/it-IT/Revision_History.po b/defensive-coding/it-IT/Revision_History.po new file mode 100644 index 0000000..6cc3d1a --- /dev/null +++ b/defensive-coding/it-IT/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/Cryptography.po b/defensive-coding/it-IT/Tasks/Cryptography.po new file mode 100644 index 0000000..c1dce18 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/Descriptors.po b/defensive-coding/it-IT/Tasks/Descriptors.po new file mode 100644 index 0000000..63322ba --- /dev/null +++ b/defensive-coding/it-IT/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/File_System.po b/defensive-coding/it-IT/Tasks/File_System.po new file mode 100644 index 0000000..2ba58e2 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/Library_Design.po b/defensive-coding/it-IT/Tasks/Library_Design.po new file mode 100644 index 0000000..bfed464 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/Processes.po b/defensive-coding/it-IT/Tasks/Processes.po new file mode 100644 index 0000000..911455f --- /dev/null +++ b/defensive-coding/it-IT/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/Serialization.po b/defensive-coding/it-IT/Tasks/Serialization.po new file mode 100644 index 0000000..e9d36c8 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/Temporary_Files.po b/defensive-coding/it-IT/Tasks/Temporary_Files.po new file mode 100644 index 0000000..03c3425 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..07d9b7d --- /dev/null +++ b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..862b738 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..b55b440 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..d1e5275 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..5f098ac --- /dev/null +++ b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..7d717e9 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..6601b72 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..71525e3 --- /dev/null +++ b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..7ae591f --- /dev/null +++ b/defensive-coding/it-IT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Italian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: it\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/ka/Author_Group.po b/defensive-coding/ka/Author_Group.po new file mode 100644 index 0000000..77ff69a --- /dev/null +++ b/defensive-coding/ka/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/ka/Book_Info.po b/defensive-coding/ka/Book_Info.po new file mode 100644 index 0000000..d880e71 --- /dev/null +++ b/defensive-coding/ka/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/ka/C/Allocators.po b/defensive-coding/ka/C/Allocators.po new file mode 100644 index 0000000..9a05676 --- /dev/null +++ b/defensive-coding/ka/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/ka/C/C.po b/defensive-coding/ka/C/C.po new file mode 100644 index 0000000..2991852 --- /dev/null +++ b/defensive-coding/ka/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/ka/C/Libc.po b/defensive-coding/ka/C/Libc.po new file mode 100644 index 0000000..78b9e3f --- /dev/null +++ b/defensive-coding/ka/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/ka/C/snippets/Arithmetic-add.po b/defensive-coding/ka/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..fe45677 --- /dev/null +++ b/defensive-coding/ka/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/C/snippets/Arithmetic-mult.po b/defensive-coding/ka/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..62b0d7e --- /dev/null +++ b/defensive-coding/ka/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/C/snippets/Pointers-remaining.po b/defensive-coding/ka/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..dccf3a9 --- /dev/null +++ b/defensive-coding/ka/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/C/snippets/String-Functions-format.po b/defensive-coding/ka/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..d694c4a --- /dev/null +++ b/defensive-coding/ka/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/C/snippets/String-Functions-snprintf.po b/defensive-coding/ka/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..37635a1 --- /dev/null +++ b/defensive-coding/ka/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/ka/C/snippets/String-Functions-strncpy.po b/defensive-coding/ka/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..bd7f5c3 --- /dev/null +++ b/defensive-coding/ka/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/ka/CXX/CXX.po b/defensive-coding/ka/CXX/CXX.po new file mode 100644 index 0000000..e08f79f --- /dev/null +++ b/defensive-coding/ka/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/ka/CXX/Language.po b/defensive-coding/ka/CXX/Language.po new file mode 100644 index 0000000..984d77d --- /dev/null +++ b/defensive-coding/ka/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/ka/CXX/Std.po b/defensive-coding/ka/CXX/Std.po new file mode 100644 index 0000000..49fa259 --- /dev/null +++ b/defensive-coding/ka/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/ka/Defensive_Coding.po b/defensive-coding/ka/Defensive_Coding.po new file mode 100644 index 0000000..047fbeb --- /dev/null +++ b/defensive-coding/ka/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/ka/Features/Authentication.po b/defensive-coding/ka/Features/Authentication.po new file mode 100644 index 0000000..c4ae2e0 --- /dev/null +++ b/defensive-coding/ka/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/ka/Features/TLS.po b/defensive-coding/ka/Features/TLS.po new file mode 100644 index 0000000..217550b --- /dev/null +++ b/defensive-coding/ka/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..2e69454 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..0f3c7aa --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..989ff5f --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..e277d48 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/ka/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..d9ee67f --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/ka/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..0761f73 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..edbeb73 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..093fd31 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..f271373 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..8967c7d --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..1f87332 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..725e13c --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..7655355 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..1947c15 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..31b31b2 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..94049a9 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..db59928 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/ka/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..9bc7d63 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/ka/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..0321738 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..f2ba0f7 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..683c76d --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..ff19c44 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..ada13bc --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-NSS-Close.po b/defensive-coding/ka/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..cfd0f83 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/ka/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..f3c397f --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-NSS-Init.po b/defensive-coding/ka/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..959a46f --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-NSS-Use.po b/defensive-coding/ka/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..db62b2d --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Nagle.po b/defensive-coding/ka/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..759a3ed --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/ka/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..ce06d87 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/ka/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..5cbd6f2 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/ka/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..2dc9a5f --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/ka/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..02597a6 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Python-Close.po b/defensive-coding/ka/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..2e77b80 --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/ka/Features/snippets/TLS-Python-Use.po b/defensive-coding/ka/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..e448ddd --- /dev/null +++ b/defensive-coding/ka/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/ka/Revision_History.po b/defensive-coding/ka/Revision_History.po new file mode 100644 index 0000000..3f75863 --- /dev/null +++ b/defensive-coding/ka/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/ka/Tasks/Cryptography.po b/defensive-coding/ka/Tasks/Cryptography.po new file mode 100644 index 0000000..e8e5550 --- /dev/null +++ b/defensive-coding/ka/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/ka/Tasks/Descriptors.po b/defensive-coding/ka/Tasks/Descriptors.po new file mode 100644 index 0000000..f71a0a0 --- /dev/null +++ b/defensive-coding/ka/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/ka/Tasks/File_System.po b/defensive-coding/ka/Tasks/File_System.po new file mode 100644 index 0000000..ff37032 --- /dev/null +++ b/defensive-coding/ka/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/ka/Tasks/Library_Design.po b/defensive-coding/ka/Tasks/Library_Design.po new file mode 100644 index 0000000..5ef266f --- /dev/null +++ b/defensive-coding/ka/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/ka/Tasks/Processes.po b/defensive-coding/ka/Tasks/Processes.po new file mode 100644 index 0000000..1aa935e --- /dev/null +++ b/defensive-coding/ka/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/ka/Tasks/Serialization.po b/defensive-coding/ka/Tasks/Serialization.po new file mode 100644 index 0000000..359a8f0 --- /dev/null +++ b/defensive-coding/ka/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/ka/Tasks/Temporary_Files.po b/defensive-coding/ka/Tasks/Temporary_Files.po new file mode 100644 index 0000000..0375dfa --- /dev/null +++ b/defensive-coding/ka/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/ka/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/ka/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..14de762 --- /dev/null +++ b/defensive-coding/ka/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/ka/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/ka/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..e52935c --- /dev/null +++ b/defensive-coding/ka/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..c79c7b1 --- /dev/null +++ b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..ec0eee7 --- /dev/null +++ b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..fbeaee4 --- /dev/null +++ b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..784a8a1 --- /dev/null +++ b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..11753ed --- /dev/null +++ b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..b8aa972 --- /dev/null +++ b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..d783a00 --- /dev/null +++ b/defensive-coding/ka/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Georgian (http://www.transifex.com/projects/p/fedora/language/ka/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ka\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Author_Group.po b/defensive-coding/kn-IN/Author_Group.po new file mode 100644 index 0000000..d18790a --- /dev/null +++ b/defensive-coding/kn-IN/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/kn-IN/Book_Info.po b/defensive-coding/kn-IN/Book_Info.po new file mode 100644 index 0000000..2023295 --- /dev/null +++ b/defensive-coding/kn-IN/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/kn-IN/C/Allocators.po b/defensive-coding/kn-IN/C/Allocators.po new file mode 100644 index 0000000..b087845 --- /dev/null +++ b/defensive-coding/kn-IN/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/kn-IN/C/C.po b/defensive-coding/kn-IN/C/C.po new file mode 100644 index 0000000..b5b72b5 --- /dev/null +++ b/defensive-coding/kn-IN/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/kn-IN/C/Libc.po b/defensive-coding/kn-IN/C/Libc.po new file mode 100644 index 0000000..f125f90 --- /dev/null +++ b/defensive-coding/kn-IN/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/kn-IN/C/snippets/Arithmetic-add.po b/defensive-coding/kn-IN/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..442104a --- /dev/null +++ b/defensive-coding/kn-IN/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/C/snippets/Arithmetic-mult.po b/defensive-coding/kn-IN/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..39d8ac6 --- /dev/null +++ b/defensive-coding/kn-IN/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/C/snippets/Pointers-remaining.po b/defensive-coding/kn-IN/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..9e77708 --- /dev/null +++ b/defensive-coding/kn-IN/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/C/snippets/String-Functions-format.po b/defensive-coding/kn-IN/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..938c379 --- /dev/null +++ b/defensive-coding/kn-IN/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/C/snippets/String-Functions-snprintf.po b/defensive-coding/kn-IN/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..522f109 --- /dev/null +++ b/defensive-coding/kn-IN/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/C/snippets/String-Functions-strncpy.po b/defensive-coding/kn-IN/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..8b6f5a9 --- /dev/null +++ b/defensive-coding/kn-IN/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/kn-IN/CXX/CXX.po b/defensive-coding/kn-IN/CXX/CXX.po new file mode 100644 index 0000000..10a8854 --- /dev/null +++ b/defensive-coding/kn-IN/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/kn-IN/CXX/Language.po b/defensive-coding/kn-IN/CXX/Language.po new file mode 100644 index 0000000..da3b93c --- /dev/null +++ b/defensive-coding/kn-IN/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/kn-IN/CXX/Std.po b/defensive-coding/kn-IN/CXX/Std.po new file mode 100644 index 0000000..aef5b6a --- /dev/null +++ b/defensive-coding/kn-IN/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/kn-IN/Defensive_Coding.po b/defensive-coding/kn-IN/Defensive_Coding.po new file mode 100644 index 0000000..9ec0da5 --- /dev/null +++ b/defensive-coding/kn-IN/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/Authentication.po b/defensive-coding/kn-IN/Features/Authentication.po new file mode 100644 index 0000000..12935ac --- /dev/null +++ b/defensive-coding/kn-IN/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/kn-IN/Features/TLS.po b/defensive-coding/kn-IN/Features/TLS.po new file mode 100644 index 0000000..25f7a81 --- /dev/null +++ b/defensive-coding/kn-IN/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..23dca9e --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..4ac5ff9 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..4231c28 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..0fcc3f9 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..d2bcbb3 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..47789f3 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..8f454c6 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..39a3e3e --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..136e75a --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..e5dd864 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..d01b0b9 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..d6351c5 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..2e40cdc --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..672261c --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..fe99d57 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..636a89a --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..8cee3ad --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..561383f --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/kn-IN/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..3b9d4a0 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..546b153 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..dfd8153 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..23c289d --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..4167bcd --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Close.po b/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..86ae74c --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..94c7813 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Init.po b/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..1d85697 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Use.po b/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..31a27b9 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Nagle.po b/defensive-coding/kn-IN/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..f5a90bd --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/kn-IN/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..8a8f24f --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..85ce730 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..161f0a9 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..e6e8deb --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Python-Close.po b/defensive-coding/kn-IN/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..fd34179 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Features/snippets/TLS-Python-Use.po b/defensive-coding/kn-IN/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..cfd2a58 --- /dev/null +++ b/defensive-coding/kn-IN/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Revision_History.po b/defensive-coding/kn-IN/Revision_History.po new file mode 100644 index 0000000..f88a4fd --- /dev/null +++ b/defensive-coding/kn-IN/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/Cryptography.po b/defensive-coding/kn-IN/Tasks/Cryptography.po new file mode 100644 index 0000000..d0f0bad --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/Descriptors.po b/defensive-coding/kn-IN/Tasks/Descriptors.po new file mode 100644 index 0000000..333c184 --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/File_System.po b/defensive-coding/kn-IN/Tasks/File_System.po new file mode 100644 index 0000000..45cfee3 --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/Library_Design.po b/defensive-coding/kn-IN/Tasks/Library_Design.po new file mode 100644 index 0000000..b0050bf --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/Processes.po b/defensive-coding/kn-IN/Tasks/Processes.po new file mode 100644 index 0000000..9043897 --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/Serialization.po b/defensive-coding/kn-IN/Tasks/Serialization.po new file mode 100644 index 0000000..fe4d49e --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/Temporary_Files.po b/defensive-coding/kn-IN/Tasks/Temporary_Files.po new file mode 100644 index 0000000..820395b --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..21bd850 --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..66c4356 --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..6480901 --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..bca28d8 --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..d34fd45 --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..89c8507 --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..da605e2 --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..258717b --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..19a42ad --- /dev/null +++ b/defensive-coding/kn-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Kannada (http://www.transifex.com/projects/p/fedora/language/kn/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: kn\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/ko-KR/Author_Group.po b/defensive-coding/ko-KR/Author_Group.po new file mode 100644 index 0000000..b1b6eb7 --- /dev/null +++ b/defensive-coding/ko-KR/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Korean (http://www.transifex.com/projects/p/fedora/language/ko/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ko\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/ko-KR/Book_Info.po b/defensive-coding/ko-KR/Book_Info.po new file mode 100644 index 0000000..02b2d06 --- /dev/null +++ b/defensive-coding/ko-KR/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Korean (http://www.transifex.com/projects/p/fedora/language/ko/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ko\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/nl-NL/Author_Group.po b/defensive-coding/nl-NL/Author_Group.po new file mode 100644 index 0000000..2d1328a --- /dev/null +++ b/defensive-coding/nl-NL/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/nl-NL/Book_Info.po b/defensive-coding/nl-NL/Book_Info.po new file mode 100644 index 0000000..5f94935 --- /dev/null +++ b/defensive-coding/nl-NL/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/nl-NL/C/Allocators.po b/defensive-coding/nl-NL/C/Allocators.po new file mode 100644 index 0000000..ad54802 --- /dev/null +++ b/defensive-coding/nl-NL/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/nl-NL/C/C.po b/defensive-coding/nl-NL/C/C.po new file mode 100644 index 0000000..c95b367 --- /dev/null +++ b/defensive-coding/nl-NL/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/nl-NL/C/Libc.po b/defensive-coding/nl-NL/C/Libc.po new file mode 100644 index 0000000..7e62539 --- /dev/null +++ b/defensive-coding/nl-NL/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/nl-NL/C/snippets/Arithmetic-add.po b/defensive-coding/nl-NL/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..b897c6a --- /dev/null +++ b/defensive-coding/nl-NL/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/C/snippets/Arithmetic-mult.po b/defensive-coding/nl-NL/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..ccfebb4 --- /dev/null +++ b/defensive-coding/nl-NL/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/C/snippets/Pointers-remaining.po b/defensive-coding/nl-NL/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..cf0ee7b --- /dev/null +++ b/defensive-coding/nl-NL/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/C/snippets/String-Functions-format.po b/defensive-coding/nl-NL/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..8a143f6 --- /dev/null +++ b/defensive-coding/nl-NL/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/C/snippets/String-Functions-snprintf.po b/defensive-coding/nl-NL/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..f5b2f7b --- /dev/null +++ b/defensive-coding/nl-NL/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/C/snippets/String-Functions-strncpy.po b/defensive-coding/nl-NL/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..a8590a2 --- /dev/null +++ b/defensive-coding/nl-NL/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/nl-NL/CXX/CXX.po b/defensive-coding/nl-NL/CXX/CXX.po new file mode 100644 index 0000000..f02f913 --- /dev/null +++ b/defensive-coding/nl-NL/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/nl-NL/CXX/Language.po b/defensive-coding/nl-NL/CXX/Language.po new file mode 100644 index 0000000..8145d99 --- /dev/null +++ b/defensive-coding/nl-NL/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/nl-NL/CXX/Std.po b/defensive-coding/nl-NL/CXX/Std.po new file mode 100644 index 0000000..41eeab1 --- /dev/null +++ b/defensive-coding/nl-NL/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/nl-NL/Defensive_Coding.po b/defensive-coding/nl-NL/Defensive_Coding.po new file mode 100644 index 0000000..5a56b59 --- /dev/null +++ b/defensive-coding/nl-NL/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/Authentication.po b/defensive-coding/nl-NL/Features/Authentication.po new file mode 100644 index 0000000..4e356d2 --- /dev/null +++ b/defensive-coding/nl-NL/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/nl-NL/Features/TLS.po b/defensive-coding/nl-NL/Features/TLS.po new file mode 100644 index 0000000..1a493be --- /dev/null +++ b/defensive-coding/nl-NL/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..2818cd8 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..001bbed --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..4b78e18 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..4eb5aa7 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..5d9fa36 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..02e635f --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..8850e33 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..664053c --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..c62d924 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..0433a6c --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..99d9a13 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..c10bd22 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..6d25d71 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..02aa9af --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..c3baed3 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..667252e --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..9ee829a --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..8c07d3f --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/nl-NL/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..c1099c2 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..9e9ae6d --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..c721172 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..f048292 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..3a84a43 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Close.po b/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..9ea31cf --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..6e93a2d --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Init.po b/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..0013584 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Use.po b/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..17bbf1f --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Nagle.po b/defensive-coding/nl-NL/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..68a154e --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/nl-NL/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..883cc7d --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..7f9aea0 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..b3f2f13 --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..83a1b5b --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Python-Close.po b/defensive-coding/nl-NL/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..c46150d --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Features/snippets/TLS-Python-Use.po b/defensive-coding/nl-NL/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..12fea7d --- /dev/null +++ b/defensive-coding/nl-NL/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Revision_History.po b/defensive-coding/nl-NL/Revision_History.po new file mode 100644 index 0000000..6778be1 --- /dev/null +++ b/defensive-coding/nl-NL/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/Cryptography.po b/defensive-coding/nl-NL/Tasks/Cryptography.po new file mode 100644 index 0000000..f5eb48f --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/Descriptors.po b/defensive-coding/nl-NL/Tasks/Descriptors.po new file mode 100644 index 0000000..f177497 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/File_System.po b/defensive-coding/nl-NL/Tasks/File_System.po new file mode 100644 index 0000000..095486d --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/Library_Design.po b/defensive-coding/nl-NL/Tasks/Library_Design.po new file mode 100644 index 0000000..22fb5e6 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/Processes.po b/defensive-coding/nl-NL/Tasks/Processes.po new file mode 100644 index 0000000..43805e3 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/Serialization.po b/defensive-coding/nl-NL/Tasks/Serialization.po new file mode 100644 index 0000000..37b404a --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/Temporary_Files.po b/defensive-coding/nl-NL/Tasks/Temporary_Files.po new file mode 100644 index 0000000..6af1373 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..e77fc46 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..37af827 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..18d9672 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..7c80628 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..1ae00bb --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..30e17f5 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..073f251 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..e5af483 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..050cd42 --- /dev/null +++ b/defensive-coding/nl-NL/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/nl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nl\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Author_Group.po b/defensive-coding/pt-BR/Author_Group.po new file mode 100644 index 0000000..5ac69d8 --- /dev/null +++ b/defensive-coding/pt-BR/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/pt-BR/Book_Info.po b/defensive-coding/pt-BR/Book_Info.po new file mode 100644 index 0000000..a1aab70 --- /dev/null +++ b/defensive-coding/pt-BR/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/pt-BR/C/Allocators.po b/defensive-coding/pt-BR/C/Allocators.po new file mode 100644 index 0000000..6c59d4d --- /dev/null +++ b/defensive-coding/pt-BR/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/pt-BR/C/C.po b/defensive-coding/pt-BR/C/C.po new file mode 100644 index 0000000..3b2584d --- /dev/null +++ b/defensive-coding/pt-BR/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/pt-BR/C/Libc.po b/defensive-coding/pt-BR/C/Libc.po new file mode 100644 index 0000000..20ec6a7 --- /dev/null +++ b/defensive-coding/pt-BR/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/pt-BR/C/snippets/Arithmetic-add.po b/defensive-coding/pt-BR/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..af898bd --- /dev/null +++ b/defensive-coding/pt-BR/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/C/snippets/Arithmetic-mult.po b/defensive-coding/pt-BR/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..0aae28d --- /dev/null +++ b/defensive-coding/pt-BR/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/C/snippets/Pointers-remaining.po b/defensive-coding/pt-BR/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..6e2407f --- /dev/null +++ b/defensive-coding/pt-BR/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/C/snippets/String-Functions-format.po b/defensive-coding/pt-BR/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..9333951 --- /dev/null +++ b/defensive-coding/pt-BR/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/C/snippets/String-Functions-snprintf.po b/defensive-coding/pt-BR/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..e278b51 --- /dev/null +++ b/defensive-coding/pt-BR/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/C/snippets/String-Functions-strncpy.po b/defensive-coding/pt-BR/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..9acd0fd --- /dev/null +++ b/defensive-coding/pt-BR/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/pt-BR/CXX/CXX.po b/defensive-coding/pt-BR/CXX/CXX.po new file mode 100644 index 0000000..feabe98 --- /dev/null +++ b/defensive-coding/pt-BR/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/pt-BR/CXX/Language.po b/defensive-coding/pt-BR/CXX/Language.po new file mode 100644 index 0000000..8ed0842 --- /dev/null +++ b/defensive-coding/pt-BR/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/pt-BR/CXX/Std.po b/defensive-coding/pt-BR/CXX/Std.po new file mode 100644 index 0000000..27980e9 --- /dev/null +++ b/defensive-coding/pt-BR/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/pt-BR/Defensive_Coding.po b/defensive-coding/pt-BR/Defensive_Coding.po new file mode 100644 index 0000000..4f30d9d --- /dev/null +++ b/defensive-coding/pt-BR/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/Authentication.po b/defensive-coding/pt-BR/Features/Authentication.po new file mode 100644 index 0000000..bdc742d --- /dev/null +++ b/defensive-coding/pt-BR/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/pt-BR/Features/TLS.po b/defensive-coding/pt-BR/Features/TLS.po new file mode 100644 index 0000000..2de4099 --- /dev/null +++ b/defensive-coding/pt-BR/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..894f7b3 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..ccb6bba --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..7acaaf7 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..6490cb4 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..f8ec723 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..839046b --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..7e12222 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..b510bd4 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..251e884 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..5b6b9e3 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..08750ea --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..672123f --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..270c381 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..82adfdd --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..7d85084 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..4766bff --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..0f9fdb0 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..5aa9bd0 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/pt-BR/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..f5d7b92 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..1520c3a --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..a4a5436 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..7e682c1 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..ceae614 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Close.po b/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..dfd9a2f --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..0122fca --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Init.po b/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..b0dd94b --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Use.po b/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..e3447f4 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Nagle.po b/defensive-coding/pt-BR/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..9b2ce84 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/pt-BR/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..4cabd12 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..58c2128 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..a51231b --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..3c23c0e --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Python-Close.po b/defensive-coding/pt-BR/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..7d900d9 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Features/snippets/TLS-Python-Use.po b/defensive-coding/pt-BR/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..ca8fc31 --- /dev/null +++ b/defensive-coding/pt-BR/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Revision_History.po b/defensive-coding/pt-BR/Revision_History.po new file mode 100644 index 0000000..bf009cc --- /dev/null +++ b/defensive-coding/pt-BR/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/Cryptography.po b/defensive-coding/pt-BR/Tasks/Cryptography.po new file mode 100644 index 0000000..779ae45 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/Descriptors.po b/defensive-coding/pt-BR/Tasks/Descriptors.po new file mode 100644 index 0000000..0dc471e --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/File_System.po b/defensive-coding/pt-BR/Tasks/File_System.po new file mode 100644 index 0000000..b7a629a --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/Library_Design.po b/defensive-coding/pt-BR/Tasks/Library_Design.po new file mode 100644 index 0000000..1838d88 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/Processes.po b/defensive-coding/pt-BR/Tasks/Processes.po new file mode 100644 index 0000000..9c7e805 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/Serialization.po b/defensive-coding/pt-BR/Tasks/Serialization.po new file mode 100644 index 0000000..0cb8751 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/Temporary_Files.po b/defensive-coding/pt-BR/Tasks/Temporary_Files.po new file mode 100644 index 0000000..2bc8447 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..06f53b8 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..5c32b72 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..27c5dde --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..01ba680 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..d6b8333 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..f8039ff --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..111811e --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..3300c80 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..8ff6bb3 --- /dev/null +++ b/defensive-coding/pt-BR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese (Brazil) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt_BR\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Author_Group.po b/defensive-coding/pt-PT/Author_Group.po new file mode 100644 index 0000000..d9ee200 --- /dev/null +++ b/defensive-coding/pt-PT/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/pt-PT/Book_Info.po b/defensive-coding/pt-PT/Book_Info.po new file mode 100644 index 0000000..09cb06e --- /dev/null +++ b/defensive-coding/pt-PT/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/pt-PT/C/Allocators.po b/defensive-coding/pt-PT/C/Allocators.po new file mode 100644 index 0000000..6fbb87e --- /dev/null +++ b/defensive-coding/pt-PT/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/pt-PT/C/C.po b/defensive-coding/pt-PT/C/C.po new file mode 100644 index 0000000..ff48a40 --- /dev/null +++ b/defensive-coding/pt-PT/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/pt-PT/C/Libc.po b/defensive-coding/pt-PT/C/Libc.po new file mode 100644 index 0000000..45d9b44 --- /dev/null +++ b/defensive-coding/pt-PT/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/pt-PT/C/snippets/Arithmetic-add.po b/defensive-coding/pt-PT/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..d703409 --- /dev/null +++ b/defensive-coding/pt-PT/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/C/snippets/Arithmetic-mult.po b/defensive-coding/pt-PT/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..9b67894 --- /dev/null +++ b/defensive-coding/pt-PT/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/C/snippets/Pointers-remaining.po b/defensive-coding/pt-PT/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..5cf81ca --- /dev/null +++ b/defensive-coding/pt-PT/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/C/snippets/String-Functions-format.po b/defensive-coding/pt-PT/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..013d4f3 --- /dev/null +++ b/defensive-coding/pt-PT/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/C/snippets/String-Functions-snprintf.po b/defensive-coding/pt-PT/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..6c0e1a8 --- /dev/null +++ b/defensive-coding/pt-PT/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/C/snippets/String-Functions-strncpy.po b/defensive-coding/pt-PT/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..be098bb --- /dev/null +++ b/defensive-coding/pt-PT/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/pt-PT/CXX/CXX.po b/defensive-coding/pt-PT/CXX/CXX.po new file mode 100644 index 0000000..897af0b --- /dev/null +++ b/defensive-coding/pt-PT/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/pt-PT/CXX/Language.po b/defensive-coding/pt-PT/CXX/Language.po new file mode 100644 index 0000000..414d827 --- /dev/null +++ b/defensive-coding/pt-PT/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/pt-PT/CXX/Std.po b/defensive-coding/pt-PT/CXX/Std.po new file mode 100644 index 0000000..b3d41c4 --- /dev/null +++ b/defensive-coding/pt-PT/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/pt-PT/Defensive_Coding.po b/defensive-coding/pt-PT/Defensive_Coding.po new file mode 100644 index 0000000..8ec69f8 --- /dev/null +++ b/defensive-coding/pt-PT/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/Authentication.po b/defensive-coding/pt-PT/Features/Authentication.po new file mode 100644 index 0000000..378dd7a --- /dev/null +++ b/defensive-coding/pt-PT/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/pt-PT/Features/TLS.po b/defensive-coding/pt-PT/Features/TLS.po new file mode 100644 index 0000000..f34f746 --- /dev/null +++ b/defensive-coding/pt-PT/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..505e21f --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..daf9a76 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..c56a815 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..53a8ad5 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..d1147ed --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..597a381 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..48ab263 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..8200caa --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..fdd7858 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..fa2c361 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..abbe1a4 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..276b632 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..008b178 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..fef7aab --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..74205cc --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..3d3017a --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..ca85b66 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..c9237df --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/pt-PT/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..44e5344 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..610bf92 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..08e77ef --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..dc7318b --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..47ab977 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Close.po b/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..e0a7333 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..9fefed3 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Init.po b/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..52869b8 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Use.po b/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..7239df1 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Nagle.po b/defensive-coding/pt-PT/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..3b69eda --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/pt-PT/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..9e8015b --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..f5c785f --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..0985695 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..7b74b62 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Python-Close.po b/defensive-coding/pt-PT/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..8ddfeaf --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Features/snippets/TLS-Python-Use.po b/defensive-coding/pt-PT/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..286ac79 --- /dev/null +++ b/defensive-coding/pt-PT/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Revision_History.po b/defensive-coding/pt-PT/Revision_History.po new file mode 100644 index 0000000..3f27ef0 --- /dev/null +++ b/defensive-coding/pt-PT/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/Cryptography.po b/defensive-coding/pt-PT/Tasks/Cryptography.po new file mode 100644 index 0000000..147be1e --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/Descriptors.po b/defensive-coding/pt-PT/Tasks/Descriptors.po new file mode 100644 index 0000000..4a6385f --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/File_System.po b/defensive-coding/pt-PT/Tasks/File_System.po new file mode 100644 index 0000000..d9629e2 --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/Library_Design.po b/defensive-coding/pt-PT/Tasks/Library_Design.po new file mode 100644 index 0000000..eda7fc2 --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/Processes.po b/defensive-coding/pt-PT/Tasks/Processes.po new file mode 100644 index 0000000..ae0fa37 --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/Serialization.po b/defensive-coding/pt-PT/Tasks/Serialization.po new file mode 100644 index 0000000..f75bb0b --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/Temporary_Files.po b/defensive-coding/pt-PT/Tasks/Temporary_Files.po new file mode 100644 index 0000000..ff91224 --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..9e457b5 --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..edb9113 --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..95dc55c --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..d9b9258 --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..e3afdfa --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..1681498 --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..162db9a --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..e231129 --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..2755b9f --- /dev/null +++ b/defensive-coding/pt-PT/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Portuguese \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: pt\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/ru-RU/Author_Group.po b/defensive-coding/ru-RU/Author_Group.po new file mode 100644 index 0000000..e683b3a --- /dev/null +++ b/defensive-coding/ru-RU/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Russian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/ru-RU/Book_Info.po b/defensive-coding/ru-RU/Book_Info.po new file mode 100644 index 0000000..7ecaf0f --- /dev/null +++ b/defensive-coding/ru-RU/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Russian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: ru\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/sl-SI/Author_Group.po b/defensive-coding/sl-SI/Author_Group.po new file mode 100644 index 0000000..db2f3e2 --- /dev/null +++ b/defensive-coding/sl-SI/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Slovenian (http://www.transifex.com/projects/p/fedora/language/sl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: sl\n" +"Plural-Forms: nplurals=4; plural=(n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || n%100==4 ? 2 : 3);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/sl-SI/Book_Info.po b/defensive-coding/sl-SI/Book_Info.po new file mode 100644 index 0000000..9691fb8 --- /dev/null +++ b/defensive-coding/sl-SI/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Slovenian (http://www.transifex.com/projects/p/fedora/language/sl/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: sl\n" +"Plural-Forms: nplurals=4; plural=(n%100==1 ? 0 : n%100==2 ? 1 : n%100==3 || n%100==4 ? 2 : 3);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/te-IN/Author_Group.po b/defensive-coding/te-IN/Author_Group.po new file mode 100644 index 0000000..bd2498e --- /dev/null +++ b/defensive-coding/te-IN/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/te-IN/Book_Info.po b/defensive-coding/te-IN/Book_Info.po new file mode 100644 index 0000000..e7dc9a1 --- /dev/null +++ b/defensive-coding/te-IN/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/te-IN/C/Allocators.po b/defensive-coding/te-IN/C/Allocators.po new file mode 100644 index 0000000..536ddfc --- /dev/null +++ b/defensive-coding/te-IN/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/te-IN/C/C.po b/defensive-coding/te-IN/C/C.po new file mode 100644 index 0000000..6a84ae4 --- /dev/null +++ b/defensive-coding/te-IN/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/te-IN/C/Libc.po b/defensive-coding/te-IN/C/Libc.po new file mode 100644 index 0000000..5673d72 --- /dev/null +++ b/defensive-coding/te-IN/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/te-IN/C/snippets/Arithmetic-add.po b/defensive-coding/te-IN/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..c0ed762 --- /dev/null +++ b/defensive-coding/te-IN/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/C/snippets/Arithmetic-mult.po b/defensive-coding/te-IN/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..4e63bcb --- /dev/null +++ b/defensive-coding/te-IN/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/C/snippets/Pointers-remaining.po b/defensive-coding/te-IN/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..48a2093 --- /dev/null +++ b/defensive-coding/te-IN/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/C/snippets/String-Functions-format.po b/defensive-coding/te-IN/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..3614ded --- /dev/null +++ b/defensive-coding/te-IN/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/C/snippets/String-Functions-snprintf.po b/defensive-coding/te-IN/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..6e78ee8 --- /dev/null +++ b/defensive-coding/te-IN/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/te-IN/C/snippets/String-Functions-strncpy.po b/defensive-coding/te-IN/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..a6b0ff2 --- /dev/null +++ b/defensive-coding/te-IN/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/te-IN/CXX/CXX.po b/defensive-coding/te-IN/CXX/CXX.po new file mode 100644 index 0000000..4521576 --- /dev/null +++ b/defensive-coding/te-IN/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/te-IN/CXX/Language.po b/defensive-coding/te-IN/CXX/Language.po new file mode 100644 index 0000000..5133ee5 --- /dev/null +++ b/defensive-coding/te-IN/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/te-IN/CXX/Std.po b/defensive-coding/te-IN/CXX/Std.po new file mode 100644 index 0000000..41ade2a --- /dev/null +++ b/defensive-coding/te-IN/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/te-IN/Defensive_Coding.po b/defensive-coding/te-IN/Defensive_Coding.po new file mode 100644 index 0000000..e0e6fd6 --- /dev/null +++ b/defensive-coding/te-IN/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/te-IN/Features/Authentication.po b/defensive-coding/te-IN/Features/Authentication.po new file mode 100644 index 0000000..5aa83ba --- /dev/null +++ b/defensive-coding/te-IN/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/te-IN/Features/TLS.po b/defensive-coding/te-IN/Features/TLS.po new file mode 100644 index 0000000..ad0c7d0 --- /dev/null +++ b/defensive-coding/te-IN/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..b1966db --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..d0d6a79 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..663eca1 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..3435a2b --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..cbadd0f --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..7a61a97 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..5ece3fc --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..c7499c0 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..cbd56f3 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..a2d21f1 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..4047e91 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..7a276b6 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..d3b9f4f --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..125a94c --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..452b60e --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..0443c06 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..e84e792 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..d15909a --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/te-IN/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..ea68043 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..b25de0f --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..643ea2b --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..d0a80f6 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..7a4b706 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-NSS-Close.po b/defensive-coding/te-IN/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..bb2f0ae --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/te-IN/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..450c168 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-NSS-Init.po b/defensive-coding/te-IN/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..c20227a --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-NSS-Use.po b/defensive-coding/te-IN/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..6609c64 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Nagle.po b/defensive-coding/te-IN/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..11e1983 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/te-IN/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..5d85f0f --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..1f3074f --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..be6b94b --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..2eb5045 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Python-Close.po b/defensive-coding/te-IN/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..7616422 --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/te-IN/Features/snippets/TLS-Python-Use.po b/defensive-coding/te-IN/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..109df9e --- /dev/null +++ b/defensive-coding/te-IN/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/te-IN/Revision_History.po b/defensive-coding/te-IN/Revision_History.po new file mode 100644 index 0000000..10b2fc3 --- /dev/null +++ b/defensive-coding/te-IN/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/Cryptography.po b/defensive-coding/te-IN/Tasks/Cryptography.po new file mode 100644 index 0000000..89cda6e --- /dev/null +++ b/defensive-coding/te-IN/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/Descriptors.po b/defensive-coding/te-IN/Tasks/Descriptors.po new file mode 100644 index 0000000..2326c98 --- /dev/null +++ b/defensive-coding/te-IN/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/File_System.po b/defensive-coding/te-IN/Tasks/File_System.po new file mode 100644 index 0000000..d40f298 --- /dev/null +++ b/defensive-coding/te-IN/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/Library_Design.po b/defensive-coding/te-IN/Tasks/Library_Design.po new file mode 100644 index 0000000..209f90e --- /dev/null +++ b/defensive-coding/te-IN/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/Processes.po b/defensive-coding/te-IN/Tasks/Processes.po new file mode 100644 index 0000000..d577925 --- /dev/null +++ b/defensive-coding/te-IN/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/Serialization.po b/defensive-coding/te-IN/Tasks/Serialization.po new file mode 100644 index 0000000..d906a9a --- /dev/null +++ b/defensive-coding/te-IN/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/Temporary_Files.po b/defensive-coding/te-IN/Tasks/Temporary_Files.po new file mode 100644 index 0000000..b99c3a8 --- /dev/null +++ b/defensive-coding/te-IN/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..7be4da9 --- /dev/null +++ b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..dcc15de --- /dev/null +++ b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..da3320b --- /dev/null +++ b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..d355e88 --- /dev/null +++ b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..67d75d3 --- /dev/null +++ b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..cd738ce --- /dev/null +++ b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..7ad98ea --- /dev/null +++ b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..1f3718d --- /dev/null +++ b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..daefd6c --- /dev/null +++ b/defensive-coding/te-IN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Telugu (http://www.transifex.com/projects/p/fedora/language/te/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: te\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Author_Group.po b/defensive-coding/tr-TR/Author_Group.po new file mode 100644 index 0000000..1ca7bdc --- /dev/null +++ b/defensive-coding/tr-TR/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/tr-TR/Book_Info.po b/defensive-coding/tr-TR/Book_Info.po new file mode 100644 index 0000000..ccbdad2 --- /dev/null +++ b/defensive-coding/tr-TR/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/tr-TR/C/Allocators.po b/defensive-coding/tr-TR/C/Allocators.po new file mode 100644 index 0000000..5ce13da --- /dev/null +++ b/defensive-coding/tr-TR/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/tr-TR/C/C.po b/defensive-coding/tr-TR/C/C.po new file mode 100644 index 0000000..b635cae --- /dev/null +++ b/defensive-coding/tr-TR/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/tr-TR/C/Libc.po b/defensive-coding/tr-TR/C/Libc.po new file mode 100644 index 0000000..303f962 --- /dev/null +++ b/defensive-coding/tr-TR/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/tr-TR/C/snippets/Arithmetic-add.po b/defensive-coding/tr-TR/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..5d63633 --- /dev/null +++ b/defensive-coding/tr-TR/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/C/snippets/Arithmetic-mult.po b/defensive-coding/tr-TR/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..eadaea7 --- /dev/null +++ b/defensive-coding/tr-TR/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/C/snippets/Pointers-remaining.po b/defensive-coding/tr-TR/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..a4bacee --- /dev/null +++ b/defensive-coding/tr-TR/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/C/snippets/String-Functions-format.po b/defensive-coding/tr-TR/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..e744633 --- /dev/null +++ b/defensive-coding/tr-TR/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/C/snippets/String-Functions-snprintf.po b/defensive-coding/tr-TR/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..46367a6 --- /dev/null +++ b/defensive-coding/tr-TR/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/C/snippets/String-Functions-strncpy.po b/defensive-coding/tr-TR/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..8327054 --- /dev/null +++ b/defensive-coding/tr-TR/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/tr-TR/CXX/CXX.po b/defensive-coding/tr-TR/CXX/CXX.po new file mode 100644 index 0000000..2dfdb9d --- /dev/null +++ b/defensive-coding/tr-TR/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/tr-TR/CXX/Language.po b/defensive-coding/tr-TR/CXX/Language.po new file mode 100644 index 0000000..21c40d8 --- /dev/null +++ b/defensive-coding/tr-TR/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/tr-TR/CXX/Std.po b/defensive-coding/tr-TR/CXX/Std.po new file mode 100644 index 0000000..3f02978 --- /dev/null +++ b/defensive-coding/tr-TR/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/tr-TR/Defensive_Coding.po b/defensive-coding/tr-TR/Defensive_Coding.po new file mode 100644 index 0000000..95c4fcc --- /dev/null +++ b/defensive-coding/tr-TR/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/Authentication.po b/defensive-coding/tr-TR/Features/Authentication.po new file mode 100644 index 0000000..73506af --- /dev/null +++ b/defensive-coding/tr-TR/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/tr-TR/Features/TLS.po b/defensive-coding/tr-TR/Features/TLS.po new file mode 100644 index 0000000..19c3336 --- /dev/null +++ b/defensive-coding/tr-TR/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..aa42416 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..cb2a7c2 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..bc303c1 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..6d37303 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..33aa879 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..b4aa9b9 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..d4572d7 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..a33bb69 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..06ca1f7 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..af96d4d --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..9b7c592 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..ea697f5 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..6c6ae28 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..8217218 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..01ce8bc --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..90bdb96 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..eb226de --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..437caca --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/tr-TR/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..ac2c522 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..b7865fe --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..64e7b72 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..f2f44d9 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..c6a706e --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Close.po b/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..f95fa36 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..268cbb6 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Init.po b/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..5e5548d --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Use.po b/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..9bb07cd --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Nagle.po b/defensive-coding/tr-TR/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..42f10a5 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/tr-TR/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..0064be5 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..486a67c --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..9ee6d6b --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..13196ad --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Python-Close.po b/defensive-coding/tr-TR/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..971a0f0 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Features/snippets/TLS-Python-Use.po b/defensive-coding/tr-TR/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..5a04196 --- /dev/null +++ b/defensive-coding/tr-TR/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Revision_History.po b/defensive-coding/tr-TR/Revision_History.po new file mode 100644 index 0000000..b76a061 --- /dev/null +++ b/defensive-coding/tr-TR/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/Cryptography.po b/defensive-coding/tr-TR/Tasks/Cryptography.po new file mode 100644 index 0000000..8e1769b --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/Descriptors.po b/defensive-coding/tr-TR/Tasks/Descriptors.po new file mode 100644 index 0000000..50b885d --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/File_System.po b/defensive-coding/tr-TR/Tasks/File_System.po new file mode 100644 index 0000000..b874e45 --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/Library_Design.po b/defensive-coding/tr-TR/Tasks/Library_Design.po new file mode 100644 index 0000000..748b83c --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/Processes.po b/defensive-coding/tr-TR/Tasks/Processes.po new file mode 100644 index 0000000..c33fee8 --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/Serialization.po b/defensive-coding/tr-TR/Tasks/Serialization.po new file mode 100644 index 0000000..52f759e --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/Temporary_Files.po b/defensive-coding/tr-TR/Tasks/Temporary_Files.po new file mode 100644 index 0000000..95f1c18 --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..a916d15 --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..acef59e --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..b190985 --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..1f19dcf --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..dc9c552 --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..4b8ab26 --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..83c0b9f --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..42450d0 --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..b018618 --- /dev/null +++ b/defensive-coding/tr-TR/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/fedora/language/tr/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: tr\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Author_Group.po b/defensive-coding/vi-VN/Author_Group.po new file mode 100644 index 0000000..f276138 --- /dev/null +++ b/defensive-coding/vi-VN/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/vi-VN/Book_Info.po b/defensive-coding/vi-VN/Book_Info.po new file mode 100644 index 0000000..5b64401 --- /dev/null +++ b/defensive-coding/vi-VN/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/vi-VN/C/Allocators.po b/defensive-coding/vi-VN/C/Allocators.po new file mode 100644 index 0000000..cc9af71 --- /dev/null +++ b/defensive-coding/vi-VN/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/vi-VN/C/C.po b/defensive-coding/vi-VN/C/C.po new file mode 100644 index 0000000..060c0fd --- /dev/null +++ b/defensive-coding/vi-VN/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/vi-VN/C/Libc.po b/defensive-coding/vi-VN/C/Libc.po new file mode 100644 index 0000000..7dd31fe --- /dev/null +++ b/defensive-coding/vi-VN/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/vi-VN/C/snippets/Arithmetic-add.po b/defensive-coding/vi-VN/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..70b5468 --- /dev/null +++ b/defensive-coding/vi-VN/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/C/snippets/Arithmetic-mult.po b/defensive-coding/vi-VN/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..7737570 --- /dev/null +++ b/defensive-coding/vi-VN/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/C/snippets/Pointers-remaining.po b/defensive-coding/vi-VN/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..c9e301d --- /dev/null +++ b/defensive-coding/vi-VN/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/C/snippets/String-Functions-format.po b/defensive-coding/vi-VN/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..796e53d --- /dev/null +++ b/defensive-coding/vi-VN/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/C/snippets/String-Functions-snprintf.po b/defensive-coding/vi-VN/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..8bf063e --- /dev/null +++ b/defensive-coding/vi-VN/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/C/snippets/String-Functions-strncpy.po b/defensive-coding/vi-VN/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..9b93fe4 --- /dev/null +++ b/defensive-coding/vi-VN/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/vi-VN/CXX/CXX.po b/defensive-coding/vi-VN/CXX/CXX.po new file mode 100644 index 0000000..4e3d36d --- /dev/null +++ b/defensive-coding/vi-VN/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/vi-VN/CXX/Language.po b/defensive-coding/vi-VN/CXX/Language.po new file mode 100644 index 0000000..783fc09 --- /dev/null +++ b/defensive-coding/vi-VN/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/vi-VN/CXX/Std.po b/defensive-coding/vi-VN/CXX/Std.po new file mode 100644 index 0000000..a89aa13 --- /dev/null +++ b/defensive-coding/vi-VN/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/vi-VN/Defensive_Coding.po b/defensive-coding/vi-VN/Defensive_Coding.po new file mode 100644 index 0000000..a30b3e8 --- /dev/null +++ b/defensive-coding/vi-VN/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/Authentication.po b/defensive-coding/vi-VN/Features/Authentication.po new file mode 100644 index 0000000..c2ea987 --- /dev/null +++ b/defensive-coding/vi-VN/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/vi-VN/Features/TLS.po b/defensive-coding/vi-VN/Features/TLS.po new file mode 100644 index 0000000..9975ae6 --- /dev/null +++ b/defensive-coding/vi-VN/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..a491b21 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..0ea60a7 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..2473057 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..5d2f377 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..e1429fa --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..3c2925a --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..22588b6 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..530c333 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..d4b7dd5 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..af359fc --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..fba42ec --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..0a2957b --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..a33a1fb --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..27dfbd0 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..1dadadc --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..e351f64 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..672db53 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..3f1715d --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/vi-VN/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..80e0dc0 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..e6aa46c --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..fd19d24 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..d9baf54 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..95f7a16 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Close.po b/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..a13adc5 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..6b644ca --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Init.po b/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..dd71042 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Use.po b/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..c16eb48 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Nagle.po b/defensive-coding/vi-VN/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..57f73e9 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/vi-VN/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..d8814b2 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..2b7ed48 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..93107f4 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..c300ace --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Python-Close.po b/defensive-coding/vi-VN/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..fe2ffd4 --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Features/snippets/TLS-Python-Use.po b/defensive-coding/vi-VN/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..729f55b --- /dev/null +++ b/defensive-coding/vi-VN/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Revision_History.po b/defensive-coding/vi-VN/Revision_History.po new file mode 100644 index 0000000..5120af2 --- /dev/null +++ b/defensive-coding/vi-VN/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/Cryptography.po b/defensive-coding/vi-VN/Tasks/Cryptography.po new file mode 100644 index 0000000..39c68ae --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/Descriptors.po b/defensive-coding/vi-VN/Tasks/Descriptors.po new file mode 100644 index 0000000..8a3a7b7 --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/File_System.po b/defensive-coding/vi-VN/Tasks/File_System.po new file mode 100644 index 0000000..d0cc6ae --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/Library_Design.po b/defensive-coding/vi-VN/Tasks/Library_Design.po new file mode 100644 index 0000000..c0cd9b4 --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/Processes.po b/defensive-coding/vi-VN/Tasks/Processes.po new file mode 100644 index 0000000..655ab26 --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/Serialization.po b/defensive-coding/vi-VN/Tasks/Serialization.po new file mode 100644 index 0000000..424d621 --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/Temporary_Files.po b/defensive-coding/vi-VN/Tasks/Temporary_Files.po new file mode 100644 index 0000000..6d65ce0 --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..4ed4648 --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..98a8d0c --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..8f7100f --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..14cb6f3 --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..00d114f --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..cba4234 --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..62663ba --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..e3d5238 --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..9c5fbfd --- /dev/null +++ b/defensive-coding/vi-VN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Vietnamese (http://www.transifex.com/projects/p/fedora/language/vi/)\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: vi\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Author_Group.po b/defensive-coding/zh-CN/Author_Group.po new file mode 100644 index 0000000..5d93007 --- /dev/null +++ b/defensive-coding/zh-CN/Author_Group.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +# Christopher Meng , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-28 02:50+0000\n" +"Last-Translator: Christopher Meng \n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "Florian" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "Weimer" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "红帽" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "产品安全团队" diff --git a/defensive-coding/zh-CN/Book_Info.po b/defensive-coding/zh-CN/Book_Info.po new file mode 100644 index 0000000..72c08a4 --- /dev/null +++ b/defensive-coding/zh-CN/Book_Info.po @@ -0,0 +1,39 @@ +# AUTHOR , YEAR. +# +# Translators: +# Christopher Meng , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-28 02:50+0000\n" +"Last-Translator: Christopher Meng \n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "防错编码" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "一个帮助提升软件自身安全性的指南" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "Fedora 安全团队" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/zh-CN/C/Allocators.po b/defensive-coding/zh-CN/C/Allocators.po new file mode 100644 index 0000000..9d29692 --- /dev/null +++ b/defensive-coding/zh-CN/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/zh-CN/C/C.po b/defensive-coding/zh-CN/C/C.po new file mode 100644 index 0000000..fd5145a --- /dev/null +++ b/defensive-coding/zh-CN/C/C.po @@ -0,0 +1,21 @@ +# AUTHOR , YEAR. +# +# Translators: +# Christopher Meng , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-28 02:50+0000\n" +"Last-Translator: Christopher Meng \n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "《C 程序设计语言》(The C Programming Language)" diff --git a/defensive-coding/zh-CN/C/Libc.po b/defensive-coding/zh-CN/C/Libc.po new file mode 100644 index 0000000..4766242 --- /dev/null +++ b/defensive-coding/zh-CN/C/Libc.po @@ -0,0 +1,279 @@ +# AUTHOR , YEAR. +# +# Translators: +# Christopher Meng , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-28 02:50+0000\n" +"Last-Translator: Christopher Meng \n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "C 标准库" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "避免使用的函数" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "sprintf" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "strcat" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "strcpy" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "vsprintf" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/zh-CN/C/snippets/Arithmetic-add.po b/defensive-coding/zh-CN/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..44410c3 --- /dev/null +++ b/defensive-coding/zh-CN/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/C/snippets/Arithmetic-mult.po b/defensive-coding/zh-CN/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..00dc80c --- /dev/null +++ b/defensive-coding/zh-CN/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/C/snippets/Pointers-remaining.po b/defensive-coding/zh-CN/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..82f20dd --- /dev/null +++ b/defensive-coding/zh-CN/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/C/snippets/String-Functions-format.po b/defensive-coding/zh-CN/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..0990091 --- /dev/null +++ b/defensive-coding/zh-CN/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/C/snippets/String-Functions-snprintf.po b/defensive-coding/zh-CN/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..ec93def --- /dev/null +++ b/defensive-coding/zh-CN/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/C/snippets/String-Functions-strncpy.po b/defensive-coding/zh-CN/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..0d8b378 --- /dev/null +++ b/defensive-coding/zh-CN/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/zh-CN/CXX/CXX.po b/defensive-coding/zh-CN/CXX/CXX.po new file mode 100644 index 0000000..fd065aa --- /dev/null +++ b/defensive-coding/zh-CN/CXX/CXX.po @@ -0,0 +1,21 @@ +# AUTHOR , YEAR. +# +# Translators: +# Christopher Meng , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-28 02:50+0000\n" +"Last-Translator: Christopher Meng \n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "《C++ 程序设计语言》(The C++ Programming Language)" diff --git a/defensive-coding/zh-CN/CXX/Language.po b/defensive-coding/zh-CN/CXX/Language.po new file mode 100644 index 0000000..a9e87e3 --- /dev/null +++ b/defensive-coding/zh-CN/CXX/Language.po @@ -0,0 +1,235 @@ +# AUTHOR , YEAR. +# +# Translators: +# Christopher Meng , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-28 02:50+0000\n" +"Last-Translator: Christopher Meng \n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "核心语言" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "避免使用内嵌函数。" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "C++0X 和 C++11 支持" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr " 适用于原始 1998 C++ 标准" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/zh-CN/CXX/Std.po b/defensive-coding/zh-CN/CXX/Std.po new file mode 100644 index 0000000..a7484a3 --- /dev/null +++ b/defensive-coding/zh-CN/CXX/Std.po @@ -0,0 +1,56 @@ +# AUTHOR , YEAR. +# +# Translators: +# Christopher Meng , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-28 02:50+0000\n" +"Last-Translator: Christopher Meng \n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "C++ 标准库" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/zh-CN/Defensive_Coding.po b/defensive-coding/zh-CN/Defensive_Coding.po new file mode 100644 index 0000000..1a79259 --- /dev/null +++ b/defensive-coding/zh-CN/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/Authentication.po b/defensive-coding/zh-CN/Features/Authentication.po new file mode 100644 index 0000000..dcbfc5d --- /dev/null +++ b/defensive-coding/zh-CN/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/zh-CN/Features/TLS.po b/defensive-coding/zh-CN/Features/TLS.po new file mode 100644 index 0000000..b77c878 --- /dev/null +++ b/defensive-coding/zh-CN/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..8bac54f --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..72483e5 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..7cb35de --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..05782b3 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..2850773 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..6b7cb26 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..276403c --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..ea19a3c --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..4f5ceed --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..cc79c81 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..b0c6e1f --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..e50de64 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..d95aceb --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..f4ada5d --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..7c7aaa9 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..f65b695 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..6782a5c --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..29951d6 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/zh-CN/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..eb7fa66 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..7ccd288 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..1b9d7a1 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..90de9e6 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..d6f9c3b --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Close.po b/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..6042ae9 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..b0cbd96 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Init.po b/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..3967feb --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Use.po b/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..1426111 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Nagle.po b/defensive-coding/zh-CN/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..f24d20c --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/zh-CN/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..5368690 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..7068266 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..815cd09 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..be6998b --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Python-Close.po b/defensive-coding/zh-CN/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..c5a571f --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Features/snippets/TLS-Python-Use.po b/defensive-coding/zh-CN/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..72464c7 --- /dev/null +++ b/defensive-coding/zh-CN/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Revision_History.po b/defensive-coding/zh-CN/Revision_History.po new file mode 100644 index 0000000..120c1a9 --- /dev/null +++ b/defensive-coding/zh-CN/Revision_History.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +# Christopher Meng , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-28 02:50+0000\n" +"Last-Translator: Christopher Meng \n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "修订历史" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "Eric" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "Christensen" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "初始版本。" diff --git a/defensive-coding/zh-CN/Tasks/Cryptography.po b/defensive-coding/zh-CN/Tasks/Cryptography.po new file mode 100644 index 0000000..781d68c --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/Descriptors.po b/defensive-coding/zh-CN/Tasks/Descriptors.po new file mode 100644 index 0000000..44cd540 --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/File_System.po b/defensive-coding/zh-CN/Tasks/File_System.po new file mode 100644 index 0000000..fa1df86 --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/File_System.po @@ -0,0 +1,397 @@ +# AUTHOR , YEAR. +# +# Translators: +# Christopher Meng , 2013 +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-28 03:00+0000\n" +"Last-Translator: Christopher Meng \n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "文件系统操作" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "文件系统限制" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "文件系统特性" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "检查可用空间" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/Library_Design.po b/defensive-coding/zh-CN/Tasks/Library_Design.po new file mode 100644 index 0000000..d8fb30a --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/Processes.po b/defensive-coding/zh-CN/Tasks/Processes.po new file mode 100644 index 0000000..1c9b978 --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/Serialization.po b/defensive-coding/zh-CN/Tasks/Serialization.po new file mode 100644 index 0000000..9eb996e --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/Temporary_Files.po b/defensive-coding/zh-CN/Tasks/Temporary_Files.po new file mode 100644 index 0000000..d256df0 --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..659ff7a --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..10b875b --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..7dbc577 --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..bd13ba5 --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..77ff92b --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..568b1d8 --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..428c376 --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..1ef24c7 --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..0922695 --- /dev/null +++ b/defensive-coding/zh-CN/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (China) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_CN\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Author_Group.po b/defensive-coding/zh-TW/Author_Group.po new file mode 100644 index 0000000..d20930d --- /dev/null +++ b/defensive-coding/zh-TW/Author_Group.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: firstname +#, no-c-format +msgid "Florian" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Weimer" +msgstr "" + +#. Tag: orgname +#, no-c-format +msgid "Red Hat" +msgstr "" + +#. Tag: orgdiv +#, no-c-format +msgid "Product Security Team" +msgstr "" diff --git a/defensive-coding/zh-TW/Book_Info.po b/defensive-coding/zh-TW/Book_Info.po new file mode 100644 index 0000000..cf74dae --- /dev/null +++ b/defensive-coding/zh-TW/Book_Info.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-12 04:19+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Defensive Coding" +msgstr "" + +#. Tag: subtitle +#, no-c-format +msgid "A Guide to Improving Software Security" +msgstr "" + +#. Tag: productname +#, no-c-format +msgid "Fedora Security Team" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This document provides guidelines for improving software security through " +"secure coding. It covers common programming languages and libraries, and " +"focuses on concrete recommendations." +msgstr "" diff --git a/defensive-coding/zh-TW/C/Allocators.po b/defensive-coding/zh-TW/C/Allocators.po new file mode 100644 index 0000000..430548f --- /dev/null +++ b/defensive-coding/zh-TW/C/Allocators.po @@ -0,0 +1,265 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Memory allocators" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "malloc and related functions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C library interfaces for memory allocation are provided by " +"malloc, free and " +"realloc, and the calloc function. " +"In addition to these generic functions, there are derived functions such as " +"strdup which perform allocation using " +"malloc internally, but do not return untyped heap " +"memory (which could be used for any object)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C compiler knows about these functions and can use their expected " +"behavior for optimizations. For instance, the compiler assumes that an " +"existing pointer (or a pointer derived from an existing pointer by " +"arithmetic) will not point into the memory area returned by " +"malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the allocation fails, realloc does not free the old " +"pointer. Therefore, the idiom ptr = realloc(ptr, size); " +"is wrong because the memory pointed to by ptr leaks in " +"case of an error." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Use-after-free errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After free, the pointer is invalid. Further pointer " +"dereferences are not allowed (and are usually detected by " +"valgrind). Less obvious is that any " +"use of the old pointer value is not allowed, either. In" +" particular, comparisons with any other pointer (or the null pointer) are " +"undefined according to the C standard." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The same rules apply to realloc if the memory area " +"cannot be enlarged in-place. For instance, the compiler may assume that a " +"comparison between the old and new pointer will always return false, so it " +"is impossible to detect movement this way." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling memory allocation errors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering from out-of-memory errors is often difficult or even impossible. " +"In these cases, malloc and other allocation functions " +"return a null pointer. Dereferencing this pointer lead to a crash. Such " +"dereferences can even be exploitable for code execution if the dereference " +"is combined with an array subscript." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In general, if you cannot check all allocation calls and handle failure, you" +" should abort the program on allocation failure, and not rely on the null " +"pointer dereference to terminate the process. See for related memory " +"allocation concerns." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "alloca and other forms of stack-based allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Allocation on the stack is risky because stack overflow checking is " +"implicit. There is a guard page at the end of the memory area reserved for " +"the stack. If the program attempts to read from or write to this guard page," +" a SIGSEGV signal is generated and the program typically " +"terminates." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is sufficient for detecting typical stack overflow situations such as " +"unbounded recursion, but it fails when the stack grows in increments larger " +"than the size of the guard page. In this case, it is possible that the stack" +" pointer ends up pointing into a memory area which has been allocated for a " +"different purposes. Such misbehavior can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A common source for large stack growth are calls to " +"alloca and related functions such as " +"strdupa. These functions should be avoided because of " +"the lack of error checking. (They can be used safely if the allocated size " +"is less than the page size (typically, 4096 bytes), but this case is " +"relatively rare.) Additionally, relying on alloca makes" +" it more difficult to reorgnize the code because it is not allowed to use " +"the pointer after the function calling alloca has " +"returned, even if this function has been inlined into its caller." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to variable-length arrays " +"(VLAs), a feature of the C99 standard which started as a GNU extension. For " +"large objects exceeding the page size, there is no error checking, either." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In both cases, negative or very large sizes can trigger a stack-pointer " +"wraparound, and the stack pointer and end up pointing into caller stack " +"frames, which is fatal and can be exploitable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to use alloca or VLAs for performance " +"reasons, consider using a small on-stack array (less than the page size, " +"large enough to fulfill most requests). If the requested size is small " +"enough, use the on-stack array. Otherwise, call malloc." +" When exiting the function, check if malloc had been " +"called, and free the buffer as needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When allocating arrays, it is important to check for overflows. The " +"calloc function performs such checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If malloc or realloc is used, the " +"size check must be written manually. For instance, to allocate an array of " +"n elements of type T, check that the " +"requested size is not greater than n / sizeof(T)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Custom memory allocators" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Custom memory allocates come in two forms: replacements for " +"malloc, and completely different interfaces for memory " +"management. Both approaches can reduce the effectiveness of " +"valgrind and similar tools, and the heap " +"corruption detection provided by GNU libc, so they should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Memory allocators are difficult to write and contain many performance and " +"security pitfalls." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When computing array sizes or rounding up allocation requests (to the next " +"allocation granularity, or for alignment purposes), checks for arithmetic " +"overflow are required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Size computations for array allocations need overflow checking. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It can be difficult to beat well-tuned general-purpose allocators. In micro-" +"benchmarks, pool allocators can show huge wins, and size-specific pools can " +"reduce internal fragmentation. But often, utilization of individual pools is" +" poor, and" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Conservative garbage collection" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Garbage collection can be an alternative to explicit memory management using" +" malloc and free. The Boehm-" +"Dehmers-Weiser allocator can be used from C programs, with minimal type " +"annotations. Performance is competitive with malloc on " +"64-bit architectures, especially for multi-threaded programs. The stop-the-" +"world pauses may be problematic for some real-time applications, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, using a conservative garbage collector may reduce opertunities for " +"code reduce because once one library in a program uses garbage collection, " +"the whole process memory needs to be subject to it, so that no pointers are " +"missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for" +" internal use, so it is not fully transparent to the rest of the program." +msgstr "" diff --git a/defensive-coding/zh-TW/C/C.po b/defensive-coding/zh-TW/C/C.po new file mode 100644 index 0000000..cbe16d0 --- /dev/null +++ b/defensive-coding/zh-TW/C/C.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C Programming Language" +msgstr "" diff --git a/defensive-coding/zh-TW/C/Libc.po b/defensive-coding/zh-TW/C/Libc.po new file mode 100644 index 0000000..c32d4dc --- /dev/null +++ b/defensive-coding/zh-TW/C/Libc.po @@ -0,0 +1,278 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Parts of the C standard library (and the UNIX and GNU extensions) are " +"difficult to use, so you shoud avoid them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Please check the applicable documentation before using the recommended " +"replacements. Many of these functions allocate buffers using " +"malloc which your code must deallocate explicitly using" +" free." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Absolutely banned interfaces" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The functions listed below must not be used because they are almost always " +"unsafe. Use the indicated replacements instead." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "getsfgets" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"getwdgetcwd or " +"get_current_dir_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "readdir_rreaddir" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"realpath (with a non-NULL second parameter) ⟶ " +"realpath with NULL as the second parameter, or " +"canonicalize_file_name" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The constants listed below must not be used, either. Instead, code must " +"allocate memory dynamically and use interfaces with length checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NAME_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH_MAX (limit not actually enforced by the kernel)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_NAME_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"_PC_PATH_MAX (This limit, returned by the " +"pathconf function, is not enforced by the kernel.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The following structure members must not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"f_namemax in struct statvfs (limit not" +" actually enforced by the kernel, see _PC_NAME_MAX above)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Functions to avoid" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following string manipulation functions can be used securely in " +"principle, but their use should be avoided because they are difficult to use" +" correctly. Calls to these functions can be replaced with " +"asprintf or vasprintf. (For non-" +"GNU targets, these functions are available from Gnulib.) In some cases, the " +"snprintf function might be a suitable replacement, see " +"." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "sprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "strcpy" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "vsprintf" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the indicated replacements for the functions below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"allocamalloc and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"putenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"setenv ⟶ explicit envp argument in " +"process creation (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strdupastrdup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"strndupastrndup and " +"free (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"systemposix_spawn or " +"fork/execve/ (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"unsetenv ⟶ explicit envp argument in" +" process creation (see )" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "String Functions With Explicit Length Arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The snprintf function provides a way to construct a " +"string in a statically-sized buffer. (If the buffer size is dynamic, use " +"asprintf instead.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The second argument to the snprintf should always be " +"the size of the buffer in the first argument (which should be a character " +"array). Complex pointer and length arithmetic can introduce errors and " +"nullify the security benefits of snprintf. If you need " +"to construct a string iteratively, by repeatedly appending fragments, " +"consider constructing the string on the heap, increasing the buffer with " +"realloc as needed. (snprintf does " +"not support overlapping the result buffer with argument strings.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you use vsnprintf (or snprintf)" +" with a format string which is not a constant, but a function argument, it " +"is important to annotate the function with a format " +"function attribute, so that GCC can warn about misuse of your function (see " +")." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "The format function attribute" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are other functions which operator on NUL-terminated strings and take " +"a length argument which affects the number of bytes written to the " +"destination: strncpy, strncat, and" +" stpncpy. These functions do not ensure that the result" +" string is NUL-terminated. For strncpy, NUL termination" +" can be added this way:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some systems support strlcpy and " +"strlcat functions which behave this way, but these " +"functions are not part of GNU libc. Using snprintf with" +" a suitable format string is a simple (albeit slightly slower) replacement." +msgstr "" diff --git a/defensive-coding/zh-TW/C/snippets/Arithmetic-add.po b/defensive-coding/zh-TW/C/snippets/Arithmetic-add.po new file mode 100644 index 0000000..8c0b567 --- /dev/null +++ b/defensive-coding/zh-TW/C/snippets/Arithmetic-add.po @@ -0,0 +1,36 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void report_overflow(void);\n" +"\n" +"int\n" +"add(int a, int b)\n" +"{\n" +" int result = a + b;\n" +" if (a < 0 || b < 0) {\n" +" return -1;\n" +" }\n" +" // The compiler can optimize away the following if statement.\n" +" if (result < 0) {\n" +" report_overflow();\n" +" }\n" +" return result;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/C/snippets/Arithmetic-mult.po b/defensive-coding/zh-TW/C/snippets/Arithmetic-mult.po new file mode 100644 index 0000000..b74b9b9 --- /dev/null +++ b/defensive-coding/zh-TW/C/snippets/Arithmetic-mult.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"unsigned\n" +"mul(unsigned a, unsigned b)\n" +"{\n" +" if (b && a > ((unsigned)-1) / b) {\n" +" report_overflow();\n" +" }\n" +" return a * b;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/C/snippets/Pointers-remaining.po b/defensive-coding/zh-TW/C/snippets/Pointers-remaining.po new file mode 100644 index 0000000..39f97f8 --- /dev/null +++ b/defensive-coding/zh-TW/C/snippets/Pointers-remaining.po @@ -0,0 +1,64 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"ssize_t\n" +"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n" +"{\n" +" const char *inp = in;\n" +" const char *inend = in + inlen;\n" +" char **outp = out;\n" +" char **outend = out + outlen;\n" +"\n" +" while (inp != inend) {\n" +" size_t len;\n" +" char *s;\n" +" if (outp == outend) {\n" +" errno = ENOSPC;\n" +" goto err;\n" +" }\n" +" len = (unsigned char)*inp;\n" +" ++inp;\n" +" if (len > (size_t)(inend - inp)) {\n" +" errno = EINVAL;\n" +" goto err;\n" +" }\n" +" s = malloc(len + 1);\n" +" if (s == NULL) {\n" +" goto err;\n" +" }\n" +" memcpy(s, inp, len);\n" +" inp += len;\n" +" s[len] = '\\0';\n" +" *outp = s;\n" +" ++outp;\n" +" }\n" +" return outp - out;\n" +"err:\n" +" {\n" +" int errno_old = errno;\n" +" while (out != outp) {\n" +" free(*out);\n" +" ++out;\n" +" }\n" +" errno = errno_old;\n" +" }\n" +" return -1;\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/C/snippets/String-Functions-format.po b/defensive-coding/zh-TW/C/snippets/String-Functions-format.po new file mode 100644 index 0000000..e1eafee --- /dev/null +++ b/defensive-coding/zh-TW/C/snippets/String-Functions-format.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n" +"\n" +"void\n" +"log_format(const char *format, ...)\n" +"{\n" +" char buf[1000];\n" +" va_list ap;\n" +" va_start(ap, format);\n" +" vsnprintf(buf, sizeof(buf), format, ap);\n" +" va_end(ap);\n" +" log_string(buf);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/C/snippets/String-Functions-snprintf.po b/defensive-coding/zh-TW/C/snippets/String-Functions-snprintf.po new file mode 100644 index 0000000..29e2685 --- /dev/null +++ b/defensive-coding/zh-TW/C/snippets/String-Functions-snprintf.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char fraction[30];\n" +"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/C/snippets/String-Functions-strncpy.po b/defensive-coding/zh-TW/C/snippets/String-Functions-strncpy.po new file mode 100644 index 0000000..9cf377b --- /dev/null +++ b/defensive-coding/zh-TW/C/snippets/String-Functions-strncpy.po @@ -0,0 +1,24 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[10];\n" +"strncpy(buf, data, sizeof(buf));\n" +"buf[sizeof(buf) - 1] = '\\0';\n" +msgstr "" diff --git a/defensive-coding/zh-TW/CXX/CXX.po b/defensive-coding/zh-TW/CXX/CXX.po new file mode 100644 index 0000000..48745f4 --- /dev/null +++ b/defensive-coding/zh-TW/CXX/CXX.po @@ -0,0 +1,20 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ Programming Language" +msgstr "" diff --git a/defensive-coding/zh-TW/CXX/Language.po b/defensive-coding/zh-TW/CXX/Language.po new file mode 100644 index 0000000..c943e22 --- /dev/null +++ b/defensive-coding/zh-TW/CXX/Language.po @@ -0,0 +1,234 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The core language" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"C++ includes a large subset of the C language. As far as the C subset is " +"used, the recommendations in " +"apply." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Array allocation with operator new[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For very large values of n, an expression like " +"new T[n] can return a pointer to a heap region which is " +"too small. In other words, not all array elements are actually backed with " +"heap memory reserved to the array. Current GCC versions generate code that " +"performs a computation of the form sizeof(T) * size_t(n) + " +"cookie_size, where cookie_size is currently at " +"most 8. This computation can overflow, and GCC-generated code does not " +"detect this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The std::vector template can be used instead an explicit " +"array allocation. (The GCC implementation detects overflow internally.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If there is no alternative to operator new[], code which " +"allocates arrays with a variable length must check for overflow manually. " +"For the new T[n] example, the size check could be " +"n || (n > 0 && n > (size_t(-1) - 8) / " +"sizeof(T)). (See .) If there are additional dimensions " +"(which must be constants according to the C++ standard), these should be " +"included as factors in the divisor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These countermeasures prevent out-of-bounds writes and potential code " +"execution. Very large memory allocations can still lead to a denial of " +"service. contains suggestions for mitigating this problem when " +"processing untrusted data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"See for array" +" allocation advice for C-style memory allocation." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overloading" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Do not overload functions with versions that have different security " +"characteristics. For instance, do not implement a function " +"strcat which works on std::string " +"arguments. Similarly, do not name methods after such functions." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "ABI compatibility and preparing for security updates" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A stable binary interface (ABI) is vastly preferred for security updates. " +"Without a stable ABI, all reverse dependencies need recompiling, which can " +"be a lot of work and could even be impossible in some cases. Ideally, a " +"security update only updates a single dynamic shared object, and is picked " +"up automatically after restarting affected processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Outside of extremely performance-critical code, you should ensure that a " +"wide range of changes is possible without breaking ABI. Some very basic " +"guidelines are:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Avoid inline functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Use the pointer-to-implementation idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Try to avoid templates. Use them if the increased type safety provides a " +"benefit to the programmer." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Move security-critical code out of templated code, so that it can be patched" +" in a central place if necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The KDE project publishes a document with more extensive guidelines on ABI-" +"preserving changes to C++ code, Policies/Binary" +" Compatibility Issues With C++ (d-pointer " +"refers to the pointer-to-implementation idiom)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "C++0X and C++11 support" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "GCC offers different language compatibility modes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid " for the original 1998 C++ standard" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 1998 standard with the changes from the " +"TR1 technical report" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for the 2011 C++ standard. This option should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" for several different versions of C++11 support " +"in development, depending on the GCC version. This option should not be " +"used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For each of these flags, there are variants which also enable GNU extensions" +" (mostly language features also found in C99 or C11): " +", , " +". Again, should " +"not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you enable C++11 support, the ABI of the standard C++ library " +"libstdc++ will change in subtle ways. Currently, no C++ " +"libraries are compiled in C++11 mode, so if you compile your code in C++11 " +"mode, it will be incompatible with the rest of the system. Unfortunately, " +"this is also the case if you do not use any C++11 features. Currently, there" +" is no safe way to enable C++11 mode (except for freestanding applications)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The meaning of C++0X mode changed from GCC release to GCC release. Earlier " +"versions were still ABI-compatible with C++98 mode, but in the most recent " +"versions, switching to C++0X mode activates C++11 support, with its " +"compatibility problems." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some C++11 features (or approximations thereof) are available with TR1 " +"support, that is, with or " +" and in the <tr1/*> " +"header files. This includes std::tr1::shared_ptr (from " +"<tr1/memory>) and " +"std::tr1::function (from " +"<tr1/functional>). For other C++11 features, the " +"Boost C++ library contains replacements." +msgstr "" diff --git a/defensive-coding/zh-TW/CXX/Std.po b/defensive-coding/zh-TW/CXX/Std.po new file mode 100644 index 0000000..13f5b59 --- /dev/null +++ b/defensive-coding/zh-TW/CXX/Std.po @@ -0,0 +1,55 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "The C++ standard library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The C++ standard library includes most of its C counterpart by reference, " +"see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Containers and operator[]" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Many containers similar to std::vector provide both " +"operator[](size_type) and a member function " +"at(size_type). This applies to " +"std::vector itself, std::array, " +"std::string and other instances of " +"std::basic_string." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"operator[](size_type) is not required by the standard to " +"perform bounds checking (and the implementation in GCC does not). In " +"contrast, at(size_type) must perform such a check. " +"Therefore, in code which is not performance-critical, you should prefer " +"at(size_type) over " +"operator[](size_type), even though it is slightly more " +"verbose." +msgstr "" diff --git a/defensive-coding/zh-TW/Defensive_Coding.po b/defensive-coding/zh-TW/Defensive_Coding.po new file mode 100644 index 0000000..71685d5 --- /dev/null +++ b/defensive-coding/zh-TW/Defensive_Coding.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Programming Languages" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specific Programming Tasks" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing Security Features" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/Authentication.po b/defensive-coding/zh-TW/Features/Authentication.po new file mode 100644 index 0000000..1fd82e0 --- /dev/null +++ b/defensive-coding/zh-TW/Features/Authentication.po @@ -0,0 +1,231 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Authentication and Authorization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Authenticating servers" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When connecting to a server, a client has to make sure that it is actually " +"talking to the server it expects. There are two different aspects, securing " +"the network path, and making sure that the expected user runs the process on" +" the target host. There are several ways to ensure that:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is valid according to the web " +"browser public key infrastructure, and the client verifies the certificate " +"and the host name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The server uses a TLS certificate which is expectedby the client (perhaps it" +" is stored in a configuration file read by the client). In this case, no " +"host name checking is required." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Linux, UNIX domain sockets (of the PF_UNIX protocol " +"family, sometimes called PF_LOCAL) are restricted by file" +" system permissions. If the server socket path is not world-writable, the " +"server identity cannot be spoofed by local users." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Port numbers less than 1024 (trusted ports) can only be" +" used by root, so if a UDP or TCP server is running on " +"the local host and it uses a trusted port, its identity is assured. (Not all" +" operating systems enforce the trusted ports concept, and the network might " +"not be trusted, so it is only useful on the local system.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS () is the recommended way " +"for securing connections over untrusted networks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the server port number is 1024 is higher, a local user can impersonate " +"the process by binding to this socket, perhaps after crashing the real " +"server by exploiting a denial-of-service vulnerability." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Host-based authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication uses access control lists (ACLs) to accept or deny" +" requests from clients. Thsis authentication method comes in two flavors: " +"IP-based (or, more generally, address-based) and name-based (with the name " +"coming from DNS or /etc/hosts). IP-based ACLs often use" +" prefix notation to extend access to entire subnets. Name-based ACLs " +"sometimes use wildcards for adding groups of hosts (from entire DNS " +"subtrees). (In the SSH context, host-based authentication means something " +"completely different and is not covered in this section.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Host-based authentication trust the network and may not offer sufficient " +"granularity, so it has to be considered a weak form of authentication. On " +"the other hand, IP-based authentication can be made extremely robust and can" +" be applied very early in input processing, so it offers an opportunity for " +"significantly reducing the number of potential attackers for many services." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The names returned by gethostbyaddr and " +"getnameinfo functions cannot be trusted. (DNS PTR " +"records can be set to arbitrary values, not just names belong to the address" +" owner.) If these names are used for ACL matching, a forward lookup using " +"gethostbyaddr or getaddrinfo has " +"to be performed. The name is only valid if the original address is found " +"among the results of the forward lookup (double-reverse " +"lookup)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An empty ACL should deny all access (deny-by-default). If empty ACLs permits" +" all access, configuring any access list must switch to deny-by-default for " +"all unconfigured protocols, in both name-based and address-based variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, if an address or name is not matched by the list, it should be " +"denied. However, many implementations behave differently, so the actual " +"behavior must be documented properly." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"IPv6 addresses can embed IPv4 addresses. There is no universally correct way" +" to deal with this ambiguity. The behavior of the ACL implementation should " +"be documented." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "UNIX domain socket authentication" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"UNIX domain sockets (with address family AF_UNIX or " +"AF_LOCAL) are restricted to the local host and offer a " +"special authentication mechanism: credentials passing." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Nowadays, most systems support the SO_PEERCRED (Linux) or" +" LOCAL_PEERCRED (FreeBSD) socket options, or the " +"getpeereid (other BSDs, MacOS X). These interfaces " +"provide direct access to the (effective) user ID on the other end of a " +"domain socket connect, without cooperation from the other end." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Historically, credentials passing was implemented using ancillary data in " +"the sendmsg and recvmsg functions." +" On some systems, only credentials data that the peer has explicitly sent " +"can be received, and the kernel checks the data for correctness on the " +"sending side. This means that both peers need to deal with ancillary data. " +"Compared to that, the modern interfaces are easier to use. Both sets of " +"interfaces vary considerably among UNIX-like systems, unfortunately." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you want to authenticate based on supplementary groups, you should obtain" +" the user ID using one of these methods, and look up the list of " +"supplementary groups using getpwuid (or " +"getpwuid_r) and getgrouplist. " +"Using the PID and information from /proc/PID/status is " +"prone to race conditions and insecure." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "AF_NETLINK authentication of origin" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Netlink messages are used as a high-performance data transfer mechanism " +"between the kernel and the userspace. Traditionally, they are used to " +"exchange information related to the network statck, such as routing table " +"entries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When processing Netlink messages from the kernel, it is important to check " +"that these messages actually originate from the kernel, by checking that the" +" port ID (or PID) field nl_pid in the " +"sockaddr_nl structure is 0. (This " +"structure can be obtained using recvfrom or " +"recvmsg, it is different from the " +"nlmsghdr structure.) The kernel does not prevent other " +"processes from sending unicast Netlink messages, but the " +"nl_pid field in the sender's socket address will be non-" +"zero in such cases." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Applications should not use AF_NETLINK sockets as an IPC " +"mechanism among processes, but prefer UNIX domain sockets for this tasks." +msgstr "" diff --git a/defensive-coding/zh-TW/Features/TLS.po b/defensive-coding/zh-TW/Features/TLS.po new file mode 100644 index 0000000..ceeedb7 --- /dev/null +++ b/defensive-coding/zh-TW/Features/TLS.po @@ -0,0 +1,1120 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Transport Layer Security" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the " +"recommended way to to protect integrity and confidentiality while data is " +"transferred over an untrusted network connection, and to identify the " +"endpoint." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Common Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS implementations are difficult to use, and most of them lack a clean API " +"design. The following sections contain implementation-specific advice, and " +"some generic pitfalls are mentioned below." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Most TLS implementations have questionable default TLS cipher suites. Most " +"of them enable anonymous Diffie-Hellman key exchange (but we generally want " +"servers to authenticate themselves). Many do not disable ciphers which are " +"subject to brute-force attacks because of restricted key lengths. Some even " +"disable all variants of AES in the default configuration." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When overriding the cipher suite defaults, it is recommended to disable all " +"cipher suites which are not present on a whitelist, instead of simply " +"enabling a list of cipher suites. This way, if an algorithm is disabled by " +"default in the TLS implementation in a future security update, the " +"application will not re-enable it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name which is used in certificate validation must match the name " +"provided by the user or configuration file. No host name canonicalization or" +" IP address lookup must be performed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS handshake has very poor performance if the TCP Nagle algorithm is " +"active. You should switch on the TCP_NODELAY socket " +"option (at least for the duration of the handshake), or use the Linux-" +"specific TCP_CORK option." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Deactivating the TCP Nagle algorithm" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Implementing proper session resumption decreases handshake overhead " +"considerably. This is important if the upper-layer protocol uses short-lived" +" connections (like most application of HTTPS)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both client and server should work towards an orderly connection shutdown, " +"that is send close_notify alerts and respond to them. " +"This is especially important if the upper-layer protocol does not provide " +"means to detect connection truncation (like some uses of HTTP)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When implementing a server using event-driven programming, it is important " +"to handle the TLS handshake properly because it includes multiple network " +"round-trips which can block when an ordinary TCP accept" +" would not. Otherwise, a client which fails to complete the TLS handshake " +"for some reason will prevent the server from handling input from other " +"clients." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike regular file descriptors, TLS connections cannot be passed between " +"processes. Some TLS implementations add additional restrictions, and TLS " +"connections generally cannot be used across fork " +"function calls (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some OpenSSL function use tri-state return values. " +"Correct error checking is extremely important. Several functions return " +"int values with the following meaning:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 1 indicates success (for example, a successful " +"signature verification)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value 0 indicates semantic failure (for example, a " +"signature verification which was unsuccessful because the signing " +"certificate was self-signed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The value -1 indicates a low-level error in the system, " +"such as failure to allocate memory using malloc." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Treating such tri-state return values as booleans can lead to security " +"vulnerabilities. Note that some OpenSSL functions return boolean results or " +"yet another set of status indicators. Each function needs to be checked " +"individually." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Recovering precise error information is difficult. shows how to obtain a more precise " +"error code after a function call on an SSL object has " +"failed. However, there are still cases where no detailed error information " +"is available (e.g., if SSL_shutdown fails due to a " +"connection teardown by the other end)." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining OpenSSL error codes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OPENSSL_config function is documented to never " +"fail. In reality, it can terminate the entire process if there is a failure " +"accessing the configuration file. An error message is written to standard " +"error, but which might not be visible if the function is called from a " +"daemon process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL contains two separate ASN.1 DER decoders. One set of decoders " +"operate on BIO handles (the input/output stream abstraction provided by " +"OpenSSL); their decoder function names start with d2i_ " +"and end in _fp or _bio (e.g., " +"d2i_X509_fp or d2i_X509_bio). " +"These decoders must not be used for parsing data from untrusted sources; " +"instead, the variants without the _fp and " +"_bio (e.g., d2i_X509) shall be used." +" The BIO variants have received considerably less testing and are not very " +"robust." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For the same reason, the OpenSSL command line tools (such as " +"openssl x509) are generally generally less robust than " +"the actual library code. They use the BIO functions internally, and not the " +"more robust variants." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line tools do not always indicate failure in the exit status of " +"the openssl process. For instance, a verification" +" failure in openssl verify result in an exit status of " +"zero." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL server and client applications (openssl " +"s_client and openssl s_server) are debugging " +"tools and should never be used as generic clients. For " +"instance, the s_client tool reacts in a " +"surprisign way to lines starting with R and " +"Q." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenSSL allows application code to access private key material over " +"documented interfaces. This can significantly increase the part of the code " +"base which has to undergo security certification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "GNUTLS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"libgnutls.so.26 links to " +"libpthread.so.0. Loading the threading library too late" +" causes problems, so the main program should be linked with " +"-lpthread as well. As a result, it can be difficult to " +"use GNUTLS in a plugin which is loaded with the dlopen " +"function. Another side effect is that applications which merely link against" +" GNUTLS (even without actually using it) may incur a substantial overhead " +"because other libraries automatically switch to thread-safe algorithms." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_init function must be called before " +"using any functionality provided by the library. This function is not " +"thread-safe, so external locking is required, but it is not clear which lock" +" should be used. Omitting the synchronization does not just lead to a memory" +" leak, as it is suggested in the GNUTLS documentation, but to undefined " +"behavior because there is no barrier that would enforce memory ordering." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The gnutls_global_deinit function does not actually " +"deallocate all resources allocated by " +"gnutls_global_init. It is currently not thread-safe. " +"Therefore, it is best to avoid calling it altogether." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The X.509 implementation in GNUTLS is rather lenient. For example, it is " +"possible to create and process X.509 version 1 certificates which carry" +" extensions. These certificates are (correctly) rejected by other " +"implementations." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenJDK Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java cryptographic framework is highly modular. As a result, when you " +"request an object implementing some cryptographic functionality, you cannot " +"be completely sure that you end up with the well-tested, reviewed " +"implementation in OpenJDK." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK (in the source code as published by Oracle) and other " +"implementations of the Java platform require that the system administrator " +"has installed so-called unlimited strength jurisdiction policy " +"files. Without this step, it is not possible to use the secure " +"algorithms which offer sufficient cryptographic strength. Most downstream " +"redistributors of OpenJDK remove this requirement." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some versions of OpenJDK use /dev/random as the " +"randomness source for nonces and other random data which is needed for TLS " +"operation, but does not actually require physical randomness. As a result, " +"TLS applications can block, waiting for more bits to become available in " +"/dev/random." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "NSS Pitfalls" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS was not designed to be used by other libraries which can be linked into " +"applications without modifying them. There is a lot of global state. There " +"does not seem to be a way to perform required NSS initialization without " +"race conditions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the NSPR descriptor is in an unexpected state, the " +"SSL_ForceHandshake function can succeed, but no TLS " +"handshake takes place, the peer is not authenticated, and subsequent data is" +" exchanged in the clear." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"NSS disables itself if it detects that the process underwent a " +"fork after the library has been initialized. This " +"behavior is required by the PKCS#11 API specification." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "TLS Clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Secure use of TLS in a client generally involves all of the following steps." +" (Individual instructions for specific TLS implementations follow in the " +"next sections.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must configure the TLS library to use a set of trusted root " +"certificates. These certificates are provided by the system in /etc/ssl/certs or files derived from it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client selects sufficiently strong cryptographic primitives and disables" +" insecure ones (such as no-op encryption). Compression and SSL version 2 " +"support must be disabled (including the SSLv2-compatible handshake)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client initiates the TLS connection. The Server Name Indication " +"extension should be used if supported by the TLS implementation. Before " +"switching to the encrypted connection state, the contents of all input and " +"output buffers must be discarded." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client needs to validate the peer certificate provided by the server, " +"that is, the client must check that there is a cryptographically protected " +"chain from a trusted root certificate to the peer certificate. (Depending on" +" the TLS implementation, a TLS handshake can succeed even if the certificate" +" cannot be validated.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The client must check that the configured or user-provided server name " +"matches the peer certificate provided by the server." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is safe to provide users detailed diagnostics on certificate validation " +"failures. Other causes of handshake failures and, generally speaking, any " +"details on other errors reported by the TLS implementation (particularly " +"exception tracebacks), must not be divulged in ways that make them " +"accessible to potential attackers. Otherwise, it is possible to create " +"decryption oracles." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the application, revocation checking (against certificate " +"revocations lists or via OCSP) and session resumption are important aspects " +"of production-quality client. These aspects are not yet covered." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following code, the error handling is only exploratory. Proper error " +"handling is required for production use, especially in libraries." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The OpenSSL library needs explicit initialization (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL library initialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After that, a context object has to be created, which acts as a factory for " +"connection objects (). We use an explicit cipher list so that we do not pick up any " +"strange ciphers when OpenSSL is upgraded. The actual version requested in " +"the client hello depends on additional restrictions in the OpenSSL library. " +"If possible, you should follow the example code and use the default list of " +"trusted root certificate authorities provided by the system because you " +"would have to maintain your own set otherwise, which can be cumbersome." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "OpenSSL client context creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A single context object can be used to create multiple connection objects. " +"It is safe to use the same SSL_CTX object for creating " +"connections concurrently from multiple threads, provided that the " +"SSL_CTX object is not modified (e.g., callbacks must not " +"be changed)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After creating the TCP socket and disabling the Nagle algorithm (per ), the actual connection object " +"needs to be created, as show in . If the handshake started by " +"SSL_connect fails, the " +"ssl_print_error_and_exit function from is called." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The certificate_validity_override function provides an " +"opportunity to override the validity of the certificate in case the OpenSSL " +"check fails. If such functionality is not required, the call can be removed," +" otherwise, the application developer has to implement it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The host name passed to the functions " +"SSL_set_tlsext_host_name and " +"X509_check_host must be the name that was passed to " +"getaddrinfo or a similar name resolution function. No " +"host name canonicalization must be performed. The " +"X509_check_host function used in the final step for " +"host name matching is currently only implemented in OpenSSL 1.1, which is " +"not released yet. In case host name matching fails, the function " +"certificate_host_name_override is called. This function" +" should check user-specific certificate store, to allow a connection even if" +" the host name does not match the certificate. This function has to be " +"provided by the application developer. Note that the override must be keyed " +"by both the certificate and the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a client connection using OpenSSL" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The connection object can be used for sending and receiving data, as in " +". It is " +"also possible to create a BIO object and use the " +"SSL object as the underlying transport, using " +"BIO_set_ssl." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using an OpenSSL connection to send and receive data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When it is time to close the connection, the " +"SSL_shutdown function needs to be called twice for an " +"orderly, synchronous connection termination (). This exchanges " +"close_notify alerts with the server. The additional logic" +" is required to deal with an unexpected close_notify from" +" the server. Note that is necessary to explicitly close the underlying " +"socket after the connection object has been freed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing an OpenSSL connection in an orderly fashion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how" +" to deallocate the context object when it is no longer needed because no " +"further TLS connections will be established." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementation TLS Clients With GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to implement a TLS client with full certificate " +"validation (but without certificate revocation checking). Note that the " +"error handling in is only exploratory and needs to be replaced before " +"production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The GNUTLS library needs explicit initialization:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Failing to do so can result in obscure failures in Base64 decoding. See " +" for " +"additional aspects of initialization." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before setting up TLS connections, a credentials objects has to be allocated" +" and initialized with the set of trusted root CAs ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing a GNUTLS credentials structure" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the last TLS connection has been closed, this credentials object " +"should be freed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"During its lifetime, the credentials object can be used to initialize TLS " +"session objects from multiple threads, provided that it is not changed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Once the TCP connection has been established, the Nagle algorithm should be " +"disabled (see ). After " +"that, the socket can be associated with a new GNUTLS session object. The " +"previously allocated credentials object provides the set of root CAs. The " +"NORMAL set of cipher suites and protocols provides a " +"reasonable default. Then the TLS handshake must be initiated. This is shown " +"in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the handshake has been completed, the server certificate needs to be " +"verified (). In the example, the user-defined " +"certificate_validity_override function is called if the" +" verification fails, so that a separate, user-specific trust store can be " +"checked. This function call can be omitted if the functionality is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Verifying a server certificate using GNUTLS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the next step (, the certificate must be matched against the host name (note the " +"unusual return value from " +"gnutls_x509_crt_check_hostname). Again, an override " +"function certificate_host_name_override is called. Note" +" that the override must be keyed to the certificate and" +" the host name. The function call can be omitted if the override is not " +"needed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Matching the server host name and certificate in a GNUTLS client" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In newer GNUTLS versions, certificate checking and host name validation can " +"be combined using the gnutls_certificate_verify_peers3 " +"function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An established TLS session can be used for sending and receiving data, as in" +" ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a GNUTLS session" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In order to shut down a connection in an orderly manner, you should call the" +" gnutls_bye function. Finally, the session object can " +"be deallocated using gnutls_deinit (see )." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The examples below use the following cryptographic-related classes:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If compatibility with OpenJDK 6 is required, it is necessary to use the " +"internal class sun.security.util.HostnameChecker. (The " +"public OpenJDK API does not provide any support for dissecting the subject " +"distinguished name of an X.509 certificate, so a custom-written DER parser " +"is needed—or we have to use an internal class, which we do below.) In " +"OpenJDK 7, the setEndpointIdentificationAlgorithm " +"method was added to the javax.net.ssl.SSLParameters " +"class, providing an official way to implement host name checking." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"TLS connections are established using an SSLContext " +"instance. With a properly configured OpenJDK installation, the " +"SunJSSE provider uses the system-wide set of trusted root" +" certificate authorities, so no further configuration is necessary. For " +"backwards compatibility with OpenJDK 6, the TLSv1 " +"provider has to be supported as a fall-back option. This is shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up an SSLContext for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition to the context, a TLS parameter object will be needed which " +"adjusts the cipher suites and protocols (). Like the context, these " +"parameters can be reused for multiple TLS connections." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Setting up SSLParameters for TLS use with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"As initialized above, the parameter object does not yet require host name " +"checking. This has to be enabled separately, and this is only supported by " +"OpenJDK 7 and later:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All application protocols can use the \"HTTPS\" " +"algorithm. (The algorithms have minor differences with regard to wildcard " +"handling, which should not matter in practice.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows " +"how to establish the connection. Before the handshake is initialized, the " +"protocol and cipher configuration has to be performed, by applying the " +"parameter object params. (After this point, changes to " +"params will not affect this TLS socket.) As mentioned " +"initially, host name checking requires using an internal API on OpenJDK 6." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS connection with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Starting with OpenJDK 7, the last lines can be omitted, provided that host " +"name verification has been enabled by calling the " +"setEndpointIdentificationAlgorithm method on the " +"params object (before it was applied to the socket)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The TLS socket can be used as a regular socket, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a TLS client socket in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Overriding server certificate validation with OpenJDK 6" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Overriding certificate validation requires a custom trust manager. With " +"OpenJDK 6, the trust manager lacks information about the TLS session, and to" +" which server the connection is made. Certificate overrides have to be tied " +"to specific servers (host names). Consequently, different " +"TrustManager and SSLContext objects " +"have to be used for different servers." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the trust manager shown in , the server certificate is identified by its " +"SHA-256 hash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "A customer trust manager for OpenJDK TLS clients" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This trust manager has to be passed to the init method of" +" the SSLContext object, as show in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using a custom TLS trust manager with OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When certificate overrides are in place, host name verification should not " +"be performed because there is no security requirement that the host name in " +"the certificate matches the host name used to establish the connection (and " +"it often will not). However, without host name verification, it is not " +"possible to perform transparent fallback to certification validation using " +"the system certificate store." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach described above works with OpenJDK 6 and later versions. " +"Starting with OpenJDK 7, it is possible to use a custom subclass of the " +"javax.net.ssl.X509ExtendedTrustManager class. The OpenJDK" +" TLS implementation will call the new methods, passing along TLS session " +"information. This can be used to implement certificate overrides as a " +"fallback (if certificate or host name verification fails), and a trust " +"manager object can be used for multiple servers because the server address " +"is available to the trust manager." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following code shows how to implement a simple TLS client using NSS. " +"Note that the error handling needs replacing before production use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using NSS needs several header files, as shown in ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Include files for NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Initializing the NSS library is a complex task (). It is not thread-safe. By default, the " +"library is in export mode, and all strong ciphers are disabled. Therefore, " +"after creating the NSSInitCContext object, we probe all " +"the strong ciphers we want to use, and check if at least one of them is " +"available. If not, we call NSS_SetDomesticPolicy to " +"switch to unrestricted policy mode. This function replaces the existing " +"global cipher suite policy, that is why we avoid calling it unless " +"absolutely necessary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The simplest way to configured the trusted root certificates involves " +"loading the libnssckbi.so NSS module with a call to the" +" SECMOD_LoadUserModule function. The root certificates " +"are compiled into this module. (The PEM module for NSS, " +"libnsspem.so, offers a way to load trusted CA " +"certificates from a file.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Initializing the NSS library" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some of the effects of the initialization can be reverted with the following" +" function calls:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After NSS has been initialized, the TLS connection can be created (). The internal " +"PR_ImportTCPSocket function is used to turn the POSIX " +"file descriptor sockfd into an NSPR file descriptor. " +"(This function is de-facto part of the NSS public ABI, so it will not go " +"away.) Creating the TLS-capable file descriptor requires a " +"model descriptor, which is configured with the desired " +"set of protocols and ciphers. (The good_ciphers variable " +"is part of .) We cannot" +" resort to disabling ciphers not on a whitelist because by default, the AES " +"cipher suites are disabled. The model descriptor is not needed anymore after" +" TLS support has been activated for the existing connection descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The call to SSL_BadCertHook can be omitted if no " +"mechanism to override certificate verification is needed. The " +"bad_certificate function must check both the host name " +"specified for the connection and the certificate before granting the " +"override." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Triggering the actual handshake requires three function calls, " +"SSL_ResetHandshake, SSL_SetURL, " +"and SSL_ForceHandshake. (If " +"SSL_ResetHandshake is omitted, " +"SSL_ForceHandshake will succeed, but the data will not " +"be encrypted.) During the handshake, the certificate is verified and matched" +" against the host name." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating a TLS connection with NSS" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, shows how to use the NSPR descriptor to " +"communicate with the server." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using NSS for sending and receiving data" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to " +"close the connection." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing NSS client connections" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS Clients With Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python distribution provides a TLS implementation in the " +"ssl module (actually a wrapper around OpenSSL). The " +"exported interface is somewhat restricted, so that the client code shown " +"below does not fully implement the recommendations in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, most Python function which accept https:// " +"URLs or otherwise implement HTTPS support do not perform certificate " +"validation at all. (For example, this is true for the " +"httplib and xmlrpclib modules.) If you" +" use HTTPS, you should not use the built-in HTTP clients. The " +"Curl class in the curl module, as " +"provided by the python-pycurl package implements proper " +"certificate validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module currently does not perform host name " +"checking on the server certificate. shows how to implement certificate " +"matching, using the parsed certificate returned by " +"getpeercert." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Implementing TLS host name checking Python (without wildcard support)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To turn a regular, connected TCP socket into a TLS-enabled socket, use the " +"ssl.wrap_socket function. The function call in provides " +"additional arguments to override questionable defaults in OpenSSL and in the" +" Python module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\" " +"selects relatively strong cipher suites with certificate-based " +"authentication. (The call to check_host_name function " +"provides additional protection against anonymous cipher suites.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ssl_version=ssl.PROTOCOL_TLSv1 disables SSL 2.0 support. " +"By default, the ssl module sends an SSL 2.0 client hello," +" which is rejected by some servers. Ideally, we would request OpenSSL to " +"negotiated the most recent TLS version supported by the server and the " +"client, but the Python module does not allow this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"cert_reqs=ssl.CERT_REQUIRED turns on certificate " +"validation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ca_certs='/etc/ssl/certs/ca-bundle.crt' initializes the " +"certificate store with a set of trusted root CAs. Unfortunately, it is " +"necessary to hard-code this path into applications because the default path " +"in OpenSSL is not available through the Python ssl " +"module." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The ssl module (and OpenSSL) perform certificate " +"validation, but the certificate must be compared manually against the host " +"name, by calling the check_host_name defined above." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Establishing a TLS client connection with Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After the connection has been established, the TLS socket can be used like a" +" regular socket:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Closing the TLS socket is straightforward as well:" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Connect.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Connect.po new file mode 100644 index 0000000..07d74ac --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Connect.po @@ -0,0 +1,71 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the session object.\n" +"gnutls_session_t session;\n" +"ret = gnutls_init(&session, GNUTLS_CLIENT);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Configure the cipher preferences.\n" +"const char *errptr = NULL;\n" +"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n" +"\"\n" +"\t \"error: at: \\\"%s\\\"\n" +"\", gnutls_strerror(ret), errptr);\n" +" exit(1);\n" +"}\n" +"\n" +"// Install the trusted certificates.\n" +"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_credentials_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Associate the socket with the session object and set the server\n" +"// name.\n" +"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n" +"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n" +"\t\t\t host, strlen(host));\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_server_name_set: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"\n" +"// Establish the session.\n" +"ret = gnutls_handshake(session);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_handshake: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Credentials.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Credentials.po new file mode 100644 index 0000000..dbc8311 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Credentials.po @@ -0,0 +1,47 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Load the trusted CA certificates.\n" +"gnutls_certificate_credentials_t cred = NULL;\n" +"int ret = gnutls_certificate_allocate_credentials (&cred);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n" +"// or newer, so we hard-code the path to the certificate store\n" +"// instead.\n" +"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n" +"ret = gnutls_certificate_set_x509_trust_file\n" +" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n" +"if (ret == 0) {\n" +" fprintf(stderr, \"error: no certificates found in: %s\n" +"\", ca_bundle);\n" +" exit(1);\n" +"}\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n" +"\",\n" +"\t ca_bundle, gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Match.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Match.po new file mode 100644 index 0000000..177da16 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Match.po @@ -0,0 +1,48 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Match the peer certificate against the host name.\n" +"// We can only obtain a set of DER-encoded certificates from the\n" +"// session object, so we have to re-parse the peer certificate into\n" +"// a certificate object.\n" +"gnutls_x509_crt_t cert;\n" +"ret = gnutls_x509_crt_init(&cert);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// The peer certificate is the first certificate in the list.\n" +"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_x509_crt_check_hostname(cert, host);\n" +"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n" +" fprintf(stderr, \"error: host name does not match certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"gnutls_x509_crt_deinit(cert);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Verify.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Verify.po new file mode 100644 index 0000000..b107f56 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-GNUTLS-Verify.po @@ -0,0 +1,61 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Obtain the server certificate chain. The server certificate\n" +"// itself is stored in the first element of the array.\n" +"unsigned certslen = 0;\n" +"const gnutls_datum_t *const certs =\n" +" gnutls_certificate_get_peers(session, &certslen);\n" +"if (certs == NULL || certslen == 0) {\n" +" fprintf(stderr, \"error: could not obtain peer certificate\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Validate the certificate chain.\n" +"unsigned status = (unsigned)-1;\n" +"ret = gnutls_certificate_verify_peers2(session, &status);\n" +"if (ret != GNUTLS_E_SUCCESS) {\n" +" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n" +"\",\n" +"\t gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"if (status != 0 && !certificate_validity_override(certs[0])) {\n" +" gnutls_datum_t msg;\n" +"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n" +" int type = gnutls_certificate_type_get (session);\n" +" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n" +"#else\n" +" ret = -1;\n" +"#endif\n" +" if (ret == 0) {\n" +" fprintf(stderr, \"error: %s\n" +"\", msg.data);\n" +" gnutls_free(msg.data);\n" +" exit(1);\n" +" } else {\n" +" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n" +"\",\n" +"\t status);\n" +" exit(1);\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-NSS-Close.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-NSS-Close.po new file mode 100644 index 0000000..9eda155 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-NSS-Close.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send close_notify alert.\n" +"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"// Closes the underlying POSIX file descriptor, too.\n" +"PR_Close(nspr);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-NSS-Connect.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-NSS-Connect.po new file mode 100644 index 0000000..0ef94da --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-NSS-Connect.po @@ -0,0 +1,132 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Wrap the POSIX file descriptor. This is an internal NSPR\n" +"// function, but it is very unlikely to change.\n" +"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n" +"sockfd = -1; // Has been taken over by NSPR.\n" +"\n" +"// Add the SSL layer.\n" +"{\n" +" PRFileDesc *model = PR_NewTCPSocket();\n" +" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" model = newfd;\n" +" newfd = NULL;\n" +" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" // Disable all ciphers (except RC4-based ciphers, for backwards\n" +" // compatibility).\n" +" const PRUint16 *const ciphers = SSL_GetImplementedCiphers();\n" +" for (unsigned i = 0; i < SSL_GetNumImplementedCiphers(); i++) {\n" +" if (ciphers[i] != SSL_RSA_WITH_RC4_128_SHA\n" +"\t && ciphers[i] != SSL_RSA_WITH_RC4_128_MD5) {\n" +"\tif (SSL_CipherPrefSet(model, ciphers[i], PR_FALSE) != SECSuccess) {\n" +"\t const PRErrorCode err = PR_GetError();\n" +"\t fprintf(stderr, \"error: disable cipher %u: error %d: %s\n" +"\",\n" +"\t\t (unsigned)ciphers[i], err, PR_ErrorToName(err));\n" +"\t exit(1);\n" +"\t}\n" +" }\n" +" }\n" +"\n" +" // Enable the strong ciphers.\n" +" for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +"\t ++p) {\n" +" if (SSL_CipherPrefSet(model, *p, PR_TRUE) != SECSuccess) {\n" +"\tconst PRErrorCode err = PR_GetError();\n" +"\tfprintf(stderr, \"error: enable cipher %u: error %d: %s\n" +"\",\n" +"\t\t(unsigned)*p, err, PR_ErrorToName(err));\n" +"\texit(1);\n" +" }\n" +" }\n" +"\n" +" // Allow overriding invalid certificate.\n" +" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"\n" +" newfd = SSL_ImportFD(model, nspr);\n" +" if (newfd == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" nspr = newfd;\n" +" PR_Close(model);\n" +"}\n" +"\n" +"// Perform the handshake.\n" +"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_SetURL(nspr, host) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Connect.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Connect.po new file mode 100644 index 0000000..a8685e6 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Connect.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the socket and connect it at the TCP layer.\n" +"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n" +" .createSocket(host, port);\n" +"\n" +"// Disable the Nagle algorithm.\n" +"socket.setTcpNoDelay(true);\n" +"\n" +"// Adjust ciphers and protocols.\n" +"socket.setSSLParameters(params);\n" +"\n" +"// Perform the handshake.\n" +"socket.startHandshake();\n" +"\n" +"// Validate the host name. The match() method throws\n" +"// CertificateException on failure.\n" +"X509Certificate peer = (X509Certificate)\n" +" socket.getSession().getPeerCertificates()[0];\n" +"// This is the only way to perform host name checking on OpenJDK 6.\n" +"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n" +" host, peer);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Context.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Context.po new file mode 100644 index 0000000..b259460 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Context.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the context. Specify the SunJSSE provider to avoid\n" +"// picking up third-party providers. Try the TLS 1.2 provider\n" +"// first, then fall back to TLS 1.0.\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" // The TLS 1.0 provider should always be available.\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" } \n" +"} catch (NoSuchProviderException e) {\n" +" // The SunJSSE provider should always be available.\n" +" throw new AssertionError(e);\n" +"}\n" +"ctx.init(null, null, null);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po new file mode 100644 index 0000000..0adf47b --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Context_For_Cert.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSLContext ctx;\n" +"try {\n" +" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n" +"} catch (NoSuchAlgorithmException e) {\n" +" try {\n" +" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n" +" } catch (NoSuchAlgorithmException e1) {\n" +" throw new AssertionError(e1);\n" +" } catch (NoSuchProviderException e1) {\n" +" throw new AssertionError(e1);\n" +" }\n" +"} catch (NoSuchProviderException e) {\n" +" throw new AssertionError(e);\n" +"}\n" +"MyTrustManager tm = new MyTrustManager(certHash);\n" +"ctx.init(null, new TrustManager[] {tm}, null);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Hostname.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Hostname.po new file mode 100644 index 0000000..693f1c8 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Hostname.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Import.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Import.po new file mode 100644 index 0000000..cf12a39 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Import.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import java.security.NoSuchAlgorithmException;\n" +"import java.security.NoSuchProviderException;\n" +"import java.security.cert.CertificateEncodingException;\n" +"import java.security.cert.CertificateException;\n" +"import java.security.cert.X509Certificate;\n" +"import javax.net.ssl.SSLContext;\n" +"import javax.net.ssl.SSLParameters;\n" +"import javax.net.ssl.SSLSocket;\n" +"import javax.net.ssl.TrustManager;\n" +"import javax.net.ssl.X509TrustManager;\n" +"\n" +"import sun.security.util.HostnameChecker;\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po new file mode 100644 index 0000000..1fe088a --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-MyTrustManager.po @@ -0,0 +1,53 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"public class MyTrustManager implements X509TrustManager {\n" +" private final byte[] certHash;\n" +"\n" +" public MyTrustManager(byte[] certHash) throws Exception {\n" +" this.certHash = certHash;\n" +" }\n" +"\n" +" @Override\n" +" public void checkClientTrusted(X509Certificate[] chain, String authType)\n" +" throws CertificateException {\n" +" throw new UnsupportedOperationException();\n" +" }\n" +"\n" +" @Override\n" +" public void checkServerTrusted(X509Certificate[] chain,\n" +" String authType) throws CertificateException {\n" +" byte[] digest = getCertificateDigest(chain[0]);\n" +" String digestHex = formatHex(digest);\n" +"\n" +" if (Arrays.equals(digest, certHash)) {\n" +" System.err.println(\"info: accepting certificate: \" + digestHex);\n" +" } else {\n" +" throw new CertificateException(\"certificate rejected: \" +\n" +" digestHex);\n" +" }\n" +" }\n" +"\n" +" @Override\n" +" public X509Certificate[] getAcceptedIssuers() {\n" +" return new X509Certificate[0];\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Use.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Use.po new file mode 100644 index 0000000..f40f6c2 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenJDK-Use.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n" +"\\r\n" +"\"\n" +" .getBytes(Charset.forName(\"UTF-8\")));\n" +"byte[] buffer = new byte[4096];\n" +"int count = socket.getInputStream().read(buffer);\n" +"System.out.write(buffer, 0, count);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-CTX.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-CTX.po new file mode 100644 index 0000000..252dcb7 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-CTX.po @@ -0,0 +1,86 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Configure a client connection context. Send a hendshake for the\n" +"// highest supported TLS version, and disable compression.\n" +"const SSL_METHOD *const req_method = SSLv23_client_method();\n" +"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n" +"if (ctx == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n" +"\n" +"// Adjust the ciphers list based on a whitelist. First enable all\n" +"// ciphers of at least medium strength, to get the list which is\n" +"// compiled into OpenSSL.\n" +"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"{\n" +" // Create a dummy SSL session to obtain the cipher list.\n" +" SSL *ssl = SSL_new(ctx);\n" +" if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n" +" if (active_ciphers == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +" // Whitelist of candidate ciphers.\n" +" static const char *const candidates[] = {\n" +" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n" +" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n" +" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n" +" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n" +" NULL\n" +" };\n" +" // Actually selected ciphers.\n" +" char ciphers[300];\n" +" ciphers[0] = '\\0';\n" +" for (const char *const *c = candidates; *c; ++c) {\n" +" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n" +"\tif (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n" +"\t\t *c) == 0) {\n" +"\t if (*ciphers) {\n" +"\t strcat(ciphers, \":\");\n" +"\t }\n" +"\t strcat(ciphers, *c);\n" +"\t break;\n" +"\t}\n" +" }\n" +" }\n" +" SSL_free(ssl);\n" +" // Apply final cipher list.\n" +" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Load the set of trusted root certificates.\n" +"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Connect.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Connect.po new file mode 100644 index 0000000..70afc80 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Connect.po @@ -0,0 +1,72 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Create the connection object.\n" +"SSL *ssl = SSL_new(ctx);\n" +"if (ssl == NULL) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"SSL_set_fd(ssl, sockfd);\n" +"\n" +"// Enable the ServerNameIndication extension\n" +"if (!SSL_set_tlsext_host_name(ssl, host)) {\n" +" ERR_print_errors(bio_err);\n" +" exit(1);\n" +"}\n" +"\n" +"// Perform the TLS handshake with the server.\n" +"ret = SSL_connect(ssl);\n" +"if (ret != 1) {\n" +" // Error status can be 0 or negative.\n" +" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n" +"}\n" +"\n" +"// Obtain the server certificate.\n" +"X509 *peercert = SSL_get_peer_certificate(ssl);\n" +"if (peercert == NULL) {\n" +" fprintf(stderr, \"peer certificate missing\");\n" +" exit(1);\n" +"}\n" +"\n" +"// Check the certificate verification result. Allow an explicit\n" +"// certificate validation override in case verification fails.\n" +"int verifystatus = SSL_get_verify_result(ssl);\n" +"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n" +" fprintf(stderr, \"SSL_connect: verify result: %s\n" +"\",\n" +"\t X509_verify_cert_error_string(verifystatus));\n" +" exit(1);\n" +"}\n" +"\n" +"// Check if the server certificate matches the host name used to\n" +"// establish the connection.\n" +"// FIXME: Currently needs OpenSSL 1.1.\n" +"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n" +"\t\t 0) != 1\n" +" && !certificate_host_name_override(peercert, host)) {\n" +" fprintf(stderr, \"SSL certificate does not match host name\n" +"\");\n" +" exit(1);\n" +"}\n" +"\n" +"X509_free(peercert);\n" +"\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po new file mode 100644 index 0000000..64f0608 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Connection-Use.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const char *const req = \"GET / HTTP/1.0\\r\n" +"\\r\n" +"\";\n" +"if (SSL_write(ssl, req, strlen(req)) < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n" +"}\n" +"char buf[4096];\n" +"ret = SSL_read(ssl, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Init.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Init.po new file mode 100644 index 0000000..09a3ae6 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-OpenSSL-Init.po @@ -0,0 +1,28 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// The following call prints an error message and calls exit() if\n" +"// the OpenSSL configuration file is unreadable.\n" +"OPENSSL_config(NULL);\n" +"// Provide human-readable error messages.\n" +"SSL_load_error_strings();\n" +"// Register ciphers.\n" +"SSL_library_init();\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-Python-Connect.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-Python-Connect.po new file mode 100644 index 0000000..317e5a0 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-Python-Connect.po @@ -0,0 +1,29 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock = ssl.wrap_socket(sock,\n" +" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n" +" ssl_version=ssl.PROTOCOL_TLSv1,\n" +" cert_reqs=ssl.CERT_REQUIRED,\n" +" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n" +"# getpeercert() triggers the handshake as a side effect.\n" +"if not check_host_name(sock.getpeercert(), host):\n" +" raise IOError(\"peer certificate does not match host name\")\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Client-Python-check_host_name.po b/defensive-coding/zh-TW/Features/snippets/TLS-Client-Python-check_host_name.po new file mode 100644 index 0000000..7ba7525 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Client-Python-check_host_name.po @@ -0,0 +1,44 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"def check_host_name(peercert, name):\n" +" \"\"\"Simple certificate/host name checker. Returns True if the\n" +" certificate matches, False otherwise. Does not support\n" +" wildcards.\"\"\"\n" +" # Check that the peer has supplied a certificate.\n" +" # None/{} is not acceptable.\n" +" if not peercert:\n" +" return False\n" +" if peercert.has_key(\"subjectAltName\"):\n" +" for typ, val in peercert[\"subjectAltName\"]:\n" +" if typ == \"DNS\" and val == name:\n" +" return True\n" +" else:\n" +" # Only check the subject DN if there is no subject alternative\n" +" # name.\n" +" cn = None\n" +" for attr, val in peercert[\"subject\"]:\n" +" # Use most-specific (last) commonName attribute.\n" +" if attr == \"commonName\":\n" +" cn = val\n" +" if cn is not None:\n" +" return cn == name\n" +" return False\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Credentials-Close.po b/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Credentials-Close.po new file mode 100644 index 0000000..bbda2f3 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Credentials-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_certificate_free_credentials(cred);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Disconnect.po b/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Disconnect.po new file mode 100644 index 0000000..f62a4ec --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Disconnect.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Initiate an orderly connection shutdown.\n" +"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_bye: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"// Free the session object.\n" +"gnutls_deinit(session);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Init.po b/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Init.po new file mode 100644 index 0000000..eea6919 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Init.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"gnutls_global_init();\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Use.po b/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Use.po new file mode 100644 index 0000000..aed28fe --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-GNUTLS-Use.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"ret = gnutls_record_send(session, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_send: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +"ret = gnutls_record_recv(session, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" fprintf(stderr, \"error: gnutls_record_recv: %s\n" +"\", gnutls_strerror(ret));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Close.po b/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Close.po new file mode 100644 index 0000000..0401623 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Close.po @@ -0,0 +1,23 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SECMOD_DestroyModule(module);\n" +"NSS_ShutdownContext(ctx);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Includes.po b/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Includes.po new file mode 100644 index 0000000..4867e09 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Includes.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// NSPR include files\n" +"#include <prerror.h>\n" +"#include <prinit.h>\n" +"\n" +"// NSS include files\n" +"#include <nss.h>\n" +"#include <pk11pub.h>\n" +"#include <secmod.h>\n" +"#include <ssl.h>\n" +"#include <sslproto.h>\n" +"\n" +"// Private API, no other way to turn a POSIX file descriptor into an\n" +"// NSPR handle.\n" +"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Init.po b/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Init.po new file mode 100644 index 0000000..cbd973d --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Init.po @@ -0,0 +1,83 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n" +"NSSInitContext *const ctx =\n" +" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n" +"\t\t NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n" +"if (ctx == NULL) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"\n" +"// Ciphers to enable.\n" +"static const PRUint16 good_ciphers[] = {\n" +" TLS_RSA_WITH_AES_128_CBC_SHA,\n" +" TLS_RSA_WITH_AES_256_CBC_SHA,\n" +" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n" +" SSL_NULL_WITH_NULL_NULL // sentinel\n" +"};\n" +"\n" +"// Check if the current policy allows any strong ciphers. If it\n" +"// doesn't, switch to the \"domestic\" (unrestricted) policy. This is\n" +"// not thread-safe and has global impact. Consequently, we only do\n" +"// it if absolutely necessary.\n" +"int found_good_cipher = 0;\n" +"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n" +" ++p) {\n" +" PRInt32 policy;\n" +" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n" +"\",\n" +"\t (unsigned)*p, err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +" if (policy == SSL_ALLOWED) {\n" +" fprintf(stderr, \"info: found cipher %x\n" +"\", (unsigned)*p);\n" +" found_good_cipher = 1;\n" +" break;\n" +" }\n" +"}\n" +"if (!found_good_cipher) {\n" +" if (NSS_SetDomesticPolicy() != SECSuccess) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +" }\n" +"}\n" +"\n" +"// Initialize the trusted certificate store.\n" +"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n" +"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n" +"if (module == NULL || !module->loaded) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: NSPR error code %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Use.po b/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Use.po new file mode 100644 index 0000000..a2e9027 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-NSS-Use.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"char buf[4096];\n" +"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n" +"Host: %s\\r\n" +"\\r\n" +"\", host);\n" +"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Write error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +"ret = PR_Read(nspr, buf, sizeof(buf));\n" +"if (ret < 0) {\n" +" const PRErrorCode err = PR_GetError();\n" +" fprintf(stderr, \"error: PR_Read error %d: %s\n" +"\",\n" +"\t err, PR_ErrorToName(err));\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Nagle.po b/defensive-coding/zh-TW/Features/snippets/TLS-Nagle.po new file mode 100644 index 0000000..c95419d --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Nagle.po @@ -0,0 +1,27 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"const int val = 1;\n" +"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n" +"if (ret < 0) {\n" +" perror(\"setsockopt(TCP_NODELAY)\");\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-OpenJDK-Parameters.po b/defensive-coding/zh-TW/Features/snippets/TLS-OpenJDK-Parameters.po new file mode 100644 index 0000000..5931ac5 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-OpenJDK-Parameters.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Prepare TLS parameters. These have to applied to every TLS\n" +"// socket before the handshake is triggered.\n" +"SSLParameters params = ctx.getDefaultSSLParameters();\n" +"// Do not send an SSL-2.0-compatible Client Hello.\n" +"ArrayList<String> protocols = new ArrayList<String>(\n" +" Arrays.asList(params.getProtocols()));\n" +"protocols.remove(\"SSLv2Hello\");\n" +"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n" +"// Adjust the supported ciphers.\n" +"ArrayList<String> ciphers = new ArrayList<String>(\n" +" Arrays.asList(params.getCipherSuites()));\n" +"ciphers.retainAll(Arrays.asList(\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n" +" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n" +" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n" +" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n" +" \"SSL_RSA_WITH_RC4_128_SHA1\",\n" +" \"SSL_RSA_WITH_RC4_128_MD5\",\n" +" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n" +"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Connection-Close.po b/defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Connection-Close.po new file mode 100644 index 0000000..5c21291 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Connection-Close.po @@ -0,0 +1,46 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Send the close_notify alert.\n" +"ret = SSL_shutdown(ssl);\n" +"switch (ret) {\n" +"case 1:\n" +" // A close_notify alert has already been received.\n" +" break;\n" +"case 0:\n" +" // Wait for the close_notify alert from the peer.\n" +" ret = SSL_shutdown(ssl);\n" +" switch (ret) {\n" +" case 0:\n" +" fprintf(stderr, \"info: second SSL_shutdown returned zero\n" +"\");\n" +" break;\n" +" case 1:\n" +" break;\n" +" default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n" +" }\n" +" break;\n" +"default:\n" +" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n" +"}\n" +"SSL_free(ssl);\n" +"close(sockfd);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Context-Close.po b/defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Context-Close.po new file mode 100644 index 0000000..c96cef8 --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Context-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:33+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SSL_CTX_free(ctx);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Errors.po b/defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Errors.po new file mode 100644 index 0000000..c68b78c --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-OpenSSL-Errors.po @@ -0,0 +1,51 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"static void __attribute__((noreturn))\n" +"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n" +"{\n" +" int subcode = SSL_get_error(ssl, ret);\n" +" switch (subcode) {\n" +" case SSL_ERROR_NONE:\n" +" fprintf(stderr, \"error: %s: no error to report\n" +"\", op);\n" +" break;\n" +" case SSL_ERROR_WANT_READ:\n" +" case SSL_ERROR_WANT_WRITE:\n" +" case SSL_ERROR_WANT_X509_LOOKUP:\n" +" case SSL_ERROR_WANT_CONNECT:\n" +" case SSL_ERROR_WANT_ACCEPT:\n" +" fprintf(stderr, \"error: %s: invalid blocking state %d\n" +"\", op, subcode);\n" +" break;\n" +" case SSL_ERROR_SSL:\n" +" fprintf(stderr, \"error: %s: TLS layer problem\n" +"\", op);\n" +" case SSL_ERROR_SYSCALL:\n" +" fprintf(stderr, \"error: %s: system call failed: %s\n" +"\", op, strerror(errno));\n" +" break;\n" +" case SSL_ERROR_ZERO_RETURN:\n" +" fprintf(stderr, \"error: %s: zero return\n" +"\", op);\n" +" }\n" +" exit(1);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Python-Close.po b/defensive-coding/zh-TW/Features/snippets/TLS-Python-Close.po new file mode 100644 index 0000000..0d04d5f --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Python-Close.po @@ -0,0 +1,22 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:31+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.close()\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Features/snippets/TLS-Python-Use.po b/defensive-coding/zh-TW/Features/snippets/TLS-Python-Use.po new file mode 100644 index 0000000..54a000a --- /dev/null +++ b/defensive-coding/zh-TW/Features/snippets/TLS-Python-Use.po @@ -0,0 +1,26 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:32+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"sock.write(\"GET / HTTP/1.1\\r\n" +"Host: \" + host + \"\\r\n" +"\\r\n" +"\")\n" +"print sock.read()\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Revision_History.po b/defensive-coding/zh-TW/Revision_History.po new file mode 100644 index 0000000..896352a --- /dev/null +++ b/defensive-coding/zh-TW/Revision_History.po @@ -0,0 +1,35 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:18+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Revision History" +msgstr "" + +#. Tag: firstname +#, no-c-format +msgid "Eric" +msgstr "" + +#. Tag: surname +#, no-c-format +msgid "Christensen" +msgstr "" + +#. Tag: member +#, no-c-format +msgid "Initial publication." +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/Cryptography.po b/defensive-coding/zh-TW/Tasks/Cryptography.po new file mode 100644 index 0000000..cd25403 --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/Cryptography.po @@ -0,0 +1,199 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Cryptography" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Primitives" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Chosing from the following cryptographic primitives is recommended:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with 2048 bit keys and OAEP" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-128 in CBC mode" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other cryptographic algorithms can be used if they are required for " +"interoperability with existing software:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RSA with key sizes larger than 1024 and legacy padding" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-192" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "AES-256" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "3DES (triple DES, with two or three 56 bit keys)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "RC4 (but very, very strongly discouraged)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "SHA-1" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "HMAC-MD5" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Important" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These primitives are difficult to use in a secure way. Custom implementation" +" of security protocols should be avoided. For protecting confidentiality and" +" integrity of network transmissions, TLS should be used ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Randomness" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following facilities can be used to generate unpredictable and non-" +"repeating values. When these functions are used without special safeguards, " +"each individual rnadom value should be at least 12 bytes long." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PK11_GenerateRandom in the NSS library (usable for high" +" data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"RAND_bytes in the OpenSSL library (usable for high data" +" rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"gnutls_rnd in GNUTLS, with " +"GNUTLS_RND_RANDOM as the first argument (usable for high " +"data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"java.security.SecureRandom in Java (usable for high data rates)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "os.urandom in Python" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Reading from the /dev/urandom character device" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All these functions should be non-blocking, and they should not wait until " +"physical randomness becomes available. (Some cryptography providers for Java" +" can cause java.security.SecureRandom to block, however.) Those" +" functions which do not obtain all bits directly from " +"/dev/urandom are suitable for high data rates because " +"they do not deplete the system-wide entropy pool." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Difficult to use API" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Both RAND_bytes and " +"PK11_GenerateRandom have three-state return values " +"(with conflicting meanings). Careful error checking is required. Please " +"review the documentation when using these functions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Other sources of randomness should be considered predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Generating randomness for cryptographic keys in long-term use may need " +"different steps and is best left to cryptographic libraries." +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/Descriptors.po b/defensive-coding/zh-TW/Tasks/Descriptors.po new file mode 100644 index 0000000..49a551d --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/Descriptors.po @@ -0,0 +1,332 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File Descriptor Management" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors underlie all input/output mechanisms offered by the system." +" They are used to implementation the FILE *-based " +"functions found in <stdio.h>, and all the file and " +"network communication facilities provided by the Python and Java " +"environments are eventually implemented in them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"File descriptors are small, non-negative integers in userspace, and are " +"backed on the kernel side with complicated data structures which can " +"sometimes grow very large." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a descriptor is no longer used by a program and is not closed explicitly," +" its number cannot be reused (which is problematic in itself, see ), and the " +"kernel resources are not freed. Therefore, it is important to close all " +"descriptors at the earlierst point in time possible, but not earlier." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Error handling during descriptor close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The close system call is always successful in the sense" +" that the passed file descriptor is never valid after the function has been " +"called. However, close still can return an error, for " +"example if there was a file system failure. But this error is not very " +"useful because the absence of an error does not mean that all caches have " +"been emptied and previous writes have been made durable. Programs which need" +" such guarantees must open files with O_SYNC or use " +"fsync or fdatasync, and may also have " +"to fsync the directory containing the file." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Closing descriptors and race conditions" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Unlike process IDs, which are recycle only gradually, the kernel always " +"allocates the lowest unused file descriptor when a new descriptor is " +"created. This means that in a multi-threaded program which constantly opens " +"and closes file descriptors, descriptors are reused very quickly. Unless " +"descriptor closing and other operations on the same file descriptor are " +"synchronized (typically, using a mutex), there will be race coniditons and " +"I/O operations will be applied to the wrong file descriptor." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to close a file descriptor concurrently, while " +"another thread might be about to use it in a system call. In order to " +"support this, a program needs to create a single special file descriptor, " +"one on which all I/O operations fail. One way to achieve this is to use " +"socketpair, close one of the descriptors, and call " +"shutdown(fd, SHUTRDWR) on the other." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When a descriptor is closed concurrently, the program does not call " +"close on the descriptor. Instead it program uses " +"dup2 to replace the descriptor to be closed with the " +"dummy descriptor created earlier. This way, the kernel will not reuse the " +"descriptor, but it will carry out all other steps associated with calling a " +"descriptor (for instance, if the descriptor refers to a stream socket, the " +"peer will be notified)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This is just a sketch, and many details are missing. Additional data " +"structures are needed to determine when it is safe to really close the " +"descriptor, and proper locking is required for that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Lingering state after close" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, closing a stream socket returns immediately, and the kernel will" +" try to send the data in the background. This means that it is impossible to" +" implement accurate accounting of network-related resource utilization from " +"userspace." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The SO_LINGER socket option alters the behavior of " +"close, so that it will return only after the lingering " +"data has been processed, either by sending it to the peer successfully, or " +"by discarding it after the configured timeout. However, there is no " +"interface which could perform this operation in the background, so a " +"separate userspace thread is needed for each close " +"call, causing scalability issues." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, there is no application-level countermeasure which applies " +"universally. Mitigation is possible with iptables" +" (the connlimit match type in particular) and specialized" +" filtering devices for denial-of-service network traffic." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"These problems are not related to the TIME_WAIT state " +"commonly seen in netstat output. The kernel " +"automatically expires such sockets if necessary." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Preventing file descriptor leaks to child processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes created with fork share the initial set" +" of file descriptors with their parent process. By default, file descriptors" +" are also preserved if a new process image is created with " +"execve (or any of the other functions such as " +"system or posix_spawn)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Usually, this behavior is not desirable. There are two ways to turn it off, " +"that is, to prevent new process images from inheriting the file descriptors " +"in the parent process:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Set the close-on-exec flag on all newly created file descriptors. " +"Traditionally, this flag is controlled by the FD_CLOEXEC " +"flag, using F_GETFD and F_SETFD " +"operations of the fcntl function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"However, in a multi-threaded process, there is a race condition: a " +"subprocess could have been created between the time the descriptor was " +"created and the FD_CLOEXEC was set. Therefore, many " +"system calls which create descriptors (such as open and" +" openat) now accept the O_CLOEXEC " +"flag (SOCK_CLOEXEC for socket and " +"socketpair), which cause the " +"FD_CLOEXEC flag to be set for the file descriptor in an " +"atomic fashion. In addition, a few new systems calls were introduced, such " +"as pipe2 and dup3." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The downside of this approach is that every descriptor needs to receive " +"special treatment at the time of creation, otherwise it is not completely " +"effective." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After calling fork, but before creating a new process " +"image with execve, all file descriptors which the child" +" process will not need are closed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, this was implemented as a loop over file descriptors ranging " +"from 3 to 255 and later " +"1023. But this is only an approximatio because it is " +"possible to create file descriptors outside this range easily (see ). Another " +"approach reads /proc/self/fd and closes the unexpected " +"descriptors listed there, but this approach is much slower." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At present, environments which care about file descriptor leakage implement " +"the second approach. OpenJDK 6 and 7 are among them." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Dealing with the select limit" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, a user is allowed to open only 1024 files in a single process, " +"but the system administrator can easily change this limit (which is " +"necessary for busy network servers). However, there is another restriction " +"which is more difficult to overcome." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The select function only supports a maximum of " +"FD_SETSIZE file descriptors (that is, the maximum " +"permitted value for a file descriptor is FD_SETSIZE - 1, " +"usually 1023.) If a process opens many files, descriptors may exceed such " +"limits. It is impossible to query such descriptors using " +"select." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If a library which creates many file descriptors is used in the same process" +" as a library which uses select, at least one of them " +"needs to be changed. Calls to select can be replaced " +"with calls to poll or another event handling mechanism." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, the library with high descriptor usage can relocate " +"descriptors above the FD_SETSIZE limit using the " +"following procedure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the file descriptor fd as usual, preferably with " +"the O_CLOEXEC flag." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Before doing anything else with the descriptor fd, " +"invoke:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\t int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n" +"\t" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check that newfd result is non-negative, otherwise close " +"fd and report an error, and return." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Close fd and continue to use newfd." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The new descriptor has been allocated above the " +"FD_SETSIZE. Even though this algorithm is racy in the " +"sense that the FD_SETSIZE first descriptors could fill " +"up, a very high degree of physical parallelism is required before this " +"becomes a problem." +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/File_System.po b/defensive-coding/zh-TW/Tasks/File_System.po new file mode 100644 index 0000000..f6454cc --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/File_System.po @@ -0,0 +1,396 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:25+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "File system manipulation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we discuss general file system manipulation, with a focus " +"on access files and directories to which an other, potentially untrusted " +"user has write access." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Temporary files are covered in their own chapter, ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Working with files and directories owned by other users" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Sometimes, it is necessary to operate on files and directories owned by " +"other (potentially untrusted) users. For example, a system administrator " +"could remove the home directory of a user, or a package manager could update" +" a file in a directory which is owned by an application-specific user. This " +"differs from accessing the file system as a specific user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Accessing files across trust boundaries faces several challenges, " +"particularly if an entire directory tree is being traversed:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Another user might add file names to a writable directory at any time. This " +"can interfere with file creation and the order of names returned by " +"readdir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Merely opening and closing a file can have side effects. For instance, an " +"automounter can be triggered, or a tape device rewound. Opening a file on a " +"local file system can block indefinitely, due to mandatory file locking, " +"unless the O_NONBLOCK flag is specified." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can redirect the effect of file system " +"operations in unexpected ways. The O_NOFOLLOW and " +"AT_SYMLINK_NOFOLLOW variants of system calls only " +"affected final path name component." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The structure of a directory tree can change. For example, the parent " +"directory of what used to be a subdirectory within the directory tree being " +"processed could suddenly point outside that directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Files should always be created with the O_CREAT and " +"O_EXCL flags, so that creating the file will fail if it " +"already exists. This guards against the unexpected appearance of file names," +" either due to creation of a new file, or hard-linking of an existing file. " +"In multi-threaded programs, rather than manipulating the umask, create the " +"files with mode 000 if possible, and adjust it afterwards" +" with fchmod." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To avoid issues related to symbolic links and directory tree restructuring, " +"the “at” variants of system calls have to be used (that " +"is, functions like openat, " +"fchownat, fchmodat, and " +"unlinkat, together with O_NOFOLLOW " +"or AT_SYMLINK_NOFOLLOW). Path names passed to these " +"functions must have just a single component (that is, without a slash). When" +" descending, the descriptors of parent directories must be kept open. The " +"missing opendirat function can be emulated with " +"openat (with an O_DIRECTORY flag, to " +"avoid opening special files with side effects), followed by " +"fdopendir." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the “at” functions are not available, it is possible " +"to emulate them by changing the current directory. (Obviously, this only " +"works if the process is not multi-threaded.) fchdir has" +" to be used to change the current directory, and the descriptors of the " +"parent directories have to be kept open, just as with the " +"“at”-based approach. chdir(\"...\") is" +" unsafe because it might ascend outside the intended directory tree." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This “at” function emulation is currently required when " +"manipulating extended attributes. In this case, the " +"lsetxattr function can be used, with a relative path " +"name consisting of a single component. This also applies to SELinux contexts" +" and the lsetfilecon function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Currently, it is not possible to avoid opening special files " +"and changes to files with hard links if the directory " +"containing them is owned by an untrusted user. (Device nodes can be hard-" +"linked, just as regular files.) fchmodat and " +"fchownat affect files whose link count is greater than " +"one. But opening the files, checking that the link count is one with " +"fstat, and using fchmod and " +"fchown on the file descriptor may have unwanted side " +"effects, due to item 2 above. When creating directories, it is therefore " +"important to change the ownership and permissions only after it has been " +"fully created. Until that point, file names are stable, and no files with " +"unexpected hard links can be introduced." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similarly, when just reading a directory owned by an untrusted user, it is " +"currently impossible to reliably avoid opening special files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There is no workaround against the instability of the file list returned by " +"readdir. Concurrent modification of the directory can " +"result in a list of files being returned which never actually existed on " +"disk." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links and symbolic links can be safely deleted using " +"unlinkat without further checks because deletion only " +"affects the name within the directory tree being processed." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing the file system as a different user" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section deals with access to the file system as a specific user. This " +"is different from accessing files and directories owned by a different, " +"potentially untrusted user; see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"One approach is to spawn a child process which runs under the target user " +"and group IDs (both effective and real IDs). Note that this child process " +"can block indefinitely, even when processing regular files only. For " +"example, a special FUSE file system could cause the process to hang in " +"uninterruptible sleep inside a stat system call." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"An existing process could change its user and group ID using " +"setfsuid and setfsgid. (These " +"functions are preferred over seteuid and " +"setegid because they do not allow the impersonated user" +" to send signals to the process.) These functions are not thread safe. In " +"multi-threaded processes, these operations need to be performed in a single-" +"threaded child process. Unexpected blocking may occur as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not recommended to try to reimplement the kernel permission checks in " +"user space because the required checks are complex. It is also very " +"difficult to avoid race conditions during path name resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system limits" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For historical reasons, there are preprocessor constants such as " +"PATH_MAX, NAME_MAX. However, on most " +"systems, the length of canonical path names (absolute path names with all " +"symbolic links resolved, as returned by realpath or " +"canonicalize_file_name) can exceed " +"PATH_MAX bytes, and individual file name components can " +"be longer than NAME_MAX. This is also true of the " +"_PC_PATH_MAX and _PC_NAME_MAX values " +"returned by pathconf, and the " +"f_namemax member of struct statvfs. " +"Therefore, these constants should not be used. This is also reason why the " +"readdir_r should never be used (instead, use " +"readdir)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should not write code in a way that assumes that there is an upper limit" +" on the number of subdirectories of a directory, the number of regular files" +" in a directory, or the link count of an inode." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "File system features" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support all features. This makes it very difficult to " +"write general-purpose tools for copying files. For example, a copy operation" +" intending to preserve file permissions will generally fail when copying to " +"a FAT file system." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems are case-insensitive. Most should be case-preserving, " +"though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Name length limits vary greatly, from eight to thousands of bytes. Path " +"length limits differ as well. Most systems impose an upper bound on path " +"names passed to the kernel, but using relative path names, it is possible to" +" create and access files whose absolute path name is essentially of " +"unbounded length." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some file systems do not store names as fairly unrestricted byte sequences, " +"as it has been traditionally the case on GNU systems. This means that some " +"byte sequences (outside the POSIX safe character set) are not valid names. " +"Conversely, names of existing files may not be representable as byte " +"sequences, and the files are thus inaccessible on GNU systems. Some file " +"systems perform Unicode canonicalization on file names. These file systems " +"preserve case, but reading the name of a just-created file using " +"readdir might still result in a different byte " +"sequence." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Permissions and owners are not universally supported (and SUID/SGID bits may" +" not be available). For example, FAT file systems assign ownership based on " +"a mount option, and generally mark all files as executable. Any attempt to " +"change permissions would result in an error." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Non-regular files (device nodes, FIFOs) are not generally available." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Only on some file systems, files can have holes, that is, not all of their " +"contents is backed by disk storage." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"ioctl support (even fairly generic functionality such " +"as FIEMAP for discovering physical file layout and holes)" +" is file-system-specific." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Not all file systems support extended attributes, ACLs and SELinux metadata." +" Size and naming restriction on extended attributes vary." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Hard links may not be supported at all (FAT) or only within the same " +"directory (AFS). Symbolic links may not be available, either. Reflinks (hard" +" links with copy-on-write semantics) are still very rare. Recent systems " +"restrict creation of hard links to users which own the target file or have " +"read/write access to it, but older systems do not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Renaming (or moving) files using rename can fail (even " +"when stat indicates that the source and target " +"directories are located on the same file system). This system call should " +"work if the old and new paths are located in the same directory, though." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Locking semantics vary among file systems. This affects advisory and " +"mandatory locks. For example, some network file systems do not allow " +"deleting files which are opened by any process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Resolution of time stamps varies from two seconds to nanoseconds. Not all " +"time stamps are available on all file systems. File creation time " +"(birth time) is not exposed over the " +"stat/fstat interface, even if " +"stored by the file system." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Checking free space" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The statvfs and fstatvfs functions" +" allow programs to examine the number of available blocks and inodes, " +"through the members f_bfree, f_bavail," +" f_ffree, and f_favail of " +"struct statvfs. Some file systems return fictional values" +" in the f_ffree and f_favail fields, " +"so the only reliable way to discover if the file system still has space for " +"a file is to try to create it. The f_bfree field should " +"be reasonably accurate, though." +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/Library_Design.po b/defensive-coding/zh-TW/Tasks/Library_Design.po new file mode 100644 index 0000000..adcd504 --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/Library_Design.po @@ -0,0 +1,267 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Library Design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Throught this section, the term client code refers to " +"applications and other libraries using the library." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "State management" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Global state" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Global state should be avoided." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If this is impossible, the global state must be protected with a lock. For " +"C/C++, you can use the pthread_mutex_lock and " +"pthread_mutex_unlock functions without linking against " +"-lpthread because the system provides stubs for non-" +"threaded processes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For compatibility with fork, these locks should be " +"acquired and released in helpers registered with " +"pthread_atfork. This function is not available without " +"-lpthread, so you need to use dlsym " +"or a weak symbol to obtain its address." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need fork protection for other reasons, you " +"should store the process ID and compare it to the value returned by " +"getpid each time you access the global state. " +"(getpid is not implemented as a system call and is " +"fast.) If the value changes, you know that you have to re-create the state " +"object. (This needs to be combined with locking, of course.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handles" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library state should be kept behind a curtain. Client code should receive " +"only a handle. In C, the handle can be a pointer to an incomplete " +"struct. In C++, the handle can be a pointer to an " +"abstract base class, or it can be hidden using the pointer-to-implementation" +" idiom." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The library should provide functions for creating and destroying handles. " +"(In C++, it is possible to use virtual destructors for the latter.) " +"Consistency between creation and destruction of handles is strongly " +"recommended: If the client code created a handle, it is the responsibility " +"of the client code to destroy it. (This is not always possible or " +"convenient, so sometimes, a transfer of ownership has to happen.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Using handles ensures that it is possible to change the way the library " +"represents state in a way that is transparent to client code. This is " +"important to facilitate security updates and many other code changes." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is not always necessary to protect state behind a handle with a lock. " +"This depends on the level of thread safety the library provides." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Object orientation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Classes should be either designed as base classes, or it should be " +"impossible to use them as base classes (like final " +"classes in Java). Classes which are not designed for inheritance and are " +"used as base classes nevertheless create potential maintenance hazards " +"because it is difficult to predict how client code will react when calls to " +"virtual methods are added, reordered or removed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Virtual member functions can be used as callbacks. See for some of the " +"challenges involved." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Callbacks" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Higher-order code is difficult to analyze for humans and computers alike, so" +" it should be avoided. Often, an iterator-based interface (a library " +"function which is called repeatedly by client code and returns a stream of " +"events) leads to a better design which is easier to document and use." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "If callbacks are unavoidable, some guidelines for them follow." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In modern C++ code, std::function objects should be used " +"for callbacks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In older C++ code and in C code, all callbacks must have an additional " +"closure parameter of type void *, the value of which can " +"be specified by client code. If possible, the value of the closure parameter" +" should be provided by client code at the same time a specific callback is " +"registered (or specified as a function argument). If a single closure " +"parameter is shared by multiple callbacks, flexibility is greatly reduced, " +"and conflicts between different pieces of client code using the same library" +" object could be unresolvable. In some cases, it makes sense to provide a " +"de-registration callback which can be used to destroy the closure parameter " +"when the callback is no longer used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Callbacks can throw exceptions or call longjmp. If " +"possible, all library objects should remain in a valid state. (All further " +"operations on them can fail, but it should be possible to deallocate them " +"without causing resource leaks.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The presence of callbacks raises the question if functions provided by the " +"library are reentrant. Unless a library was designed " +"for such use, bad things will happen if a callback function uses functions " +"in the same library (particularly if they are invoked on the same objects " +"and manipulate the same state). When the callback is invoked, the library " +"can be in an inconsistent state. Reentrant functions are more difficult to " +"write than thread-safe functions (by definition, simple locking would " +"immediately lead to deadlocks). It is also difficult to decide what to do " +"when destruction of an object which is currently processing a callback is " +"requested." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Process attributes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Several attributes are global and affect all code in the process, not just " +"the library that manipulates them." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"environment variables (see )" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "umask" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "user IDs, group IDs and capabilities" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "current working directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "signal handlers, signal masks and signal delivery" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"file locks (especially fcntl locks behave in surprising" +" ways, not just in a multi-threaded environment)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Library code should avoid manipulating these global process attributes. It " +"should not rely on environment variables, umask, the current working " +"directory and signal masks because these attributes can be inherted from an " +"untrusted source." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In addition, there are obvious process-wide aspects such as the virtual " +"memory layout, the set of open files and dynamic shared objects, but with " +"the exception of shared objects, these can be manipulated in a relatively " +"isolated way." +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/Processes.po b/defensive-coding/zh-TW/Tasks/Processes.po new file mode 100644 index 0000000..a371c49 --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/Processes.po @@ -0,0 +1,597 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:44\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Processes" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Safe process creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This section describes how to create new child processes in a safe manner. " +"In addition to the concerns addressed below, there is the possibility of " +"file descriptor leaks, see ." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the program path and the command line template" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The name and path to the program being invoked should be hard-coded or " +"controlled by a static configuration file stored at a fixed location (at an " +"file system absolute path). The same applies to the template for generating " +"the command line." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The configured program name should be an absolute path. If it is a relative " +"path, the contents of the PATH must be obtained in s secure " +"manner (see )." +" If the PATH variable is not set or untrusted, the safe " +"default /bin:/usr/bin must be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If too much flexibility is provided here, it may allow invocation of " +"arbitrary programs without proper authorization." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Bypassing the shell" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Child processes should be created without involving the system shell." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C/C++, system should not be used. The " +"posix_spawn function can be used instead, or a " +"combination fork and execve. (In " +"some cases, it may be preferable to use vfork or the " +"Linux-specific clone system call instead of " +"fork.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, the subprocess module bypasses the shell by " +"default (when the shell keyword argument is not set to " +"true). os.system should not be used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Java class java.lang.ProcessBuilder can be used to create " +"subprocesses without interference from the system shell." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Portability notice" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On Windows, there is no argument vector, only a single argument string. Each" +" application is responsible for parsing this string into an argument vector." +" There is considerable variance among the quoting style recognized by " +"applications. Some of them expand shell wildcards, others do not. Extensive " +"application-specific testing is required to make this secure." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Note that some common applications (notably ssh) " +"unconditionally introduce the use of a shell, even if invoked directly " +"without a shell. It is difficult to use these applications in a secure " +"manner. In this case, untrusted data should be supplied by other means. For " +"example, standard input could be used, instead of the command line." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Specifying the process environment" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Child processes should be created with a minimal set of environment " +"variables. This is absolutely essential if there is a trust transition " +"involved, either when the parent process was created, or during the creation" +" of the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In C/C++, the environment should be constructed as an array of strings and " +"passed as the envp argument to " +"posix_spawn or execve. The " +"functions setenv, unsetenv and " +"putenv should not be used. They are not thread-safe and" +" suffer from memory leaks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python programs need to specify a dict for the the " +"env argument of the subprocess.Popen" +" constructor. The Java class java.lang.ProcessBuilder " +"provides a environment() method, which returns a map " +"that can be manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following list provides guidelines for selecting the set of environment " +"variables passed to the child process." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"PATH should be initialized to " +"/bin:/usr/bin." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"USER and HOME can be inhereted from the parent" +" process environment, or they can be initialized from the " +"pwent structure for the user." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The DISPLAY and XAUTHORITY variables should be" +" passed to the subprocess if it is an X program. Note that this will " +"typically not work across trust boundaries because XAUTHORITY" +" refers to a file with 0600 permissions." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location-related environment variables LANG, " +"LANGUAGE, LC_ADDRESS, LC_ALL, " +"LC_COLLATE, LC_CTYPE, " +"LC_IDENTIFICATION, LC_MEASUREMENT, " +"LC_MESSAGES, LC_MONETARY, " +"LC_NAME, LC_NUMERIC, LC_PAPER, " +"LC_TELEPHONE and LC_TIME can be passed to the " +"subprocess if present." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The called process may need application-specific environment variables, for " +"example for passing passwords. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"All other environment variables should be dropped. Names for new environment" +" variables should not be accepted from untrusted sources." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Robust argument list processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When invoking a program, it is sometimes necessary to include data from " +"untrusted sources. Such data should be check against embedded " +"NUL characters because the system APIs will sliently " +"truncate argument strings at the first NUL character." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following recommendations assume that the program being invoked uses " +"GNU-style option processing using getopt_long. This " +"convention is widely used, but it is just that, and individual programs " +"might interpret a command line in a different way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the untrusted data has to go into an option, use the --option-" +"name=VALUE syntax, placing the option and its value into the same " +"command line argument. This avoids any potential confusion if the data " +"starts with -." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For positional arguments, terminate the option list with a single " +" marker after the last option, and include the data at " +"the right position. The marker terminates option " +"processing, and the data will not be treated as an option even if it starts " +"with a dash." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Passing secrets to subprocesses" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The command line (the name of the program and its argument) of a running " +"process is traditionally available to all local users. The called program " +"can overwrite this information, but only after it has run for a bit of time," +" during which the information may have been read by other processes. " +"However, on Linux, the process environment is restricted to the user who " +"runs the process. Therefore, if you need a convenient way to pass a password" +" to a child process, use an environment variable, and not a command line " +"argument. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"On some UNIX-like systems (notably Solaris), environment variables can be " +"read by any system user, just like command lines." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If the environment-based approach cannot be used due to portability " +"concerns, the data can be passed on standard input. Some programs (notably " +"gpg) use special file descriptors whose numbers " +"are specified on the command line. Temporary files are an option as well, " +"but they might give digital forensics access to sensitive data (such as " +"passphrases) because it is difficult to safely delete them in all cases." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Handling child process termination" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When child processes terminate, the parent process is signalled. A stub of " +"the terminated processes (a zombie, shown as " +"<defunct> by ps) is kept" +" around until the status information is collected " +"(reaped) by the parent process. Over the years, several" +" interfaces for this have been invented:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls wait, " +"waitpid, waitid, " +"wait3 or wait4, without specifying" +" a process ID. This will deliver any matching process ID. This approach is " +"typically used from within event loops." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process calls waitpid, " +"waitid, or wait4, with a specific " +"process ID. Only data for the specific process ID is returned. This is " +"typically used in code which spawns a single subprocess in a synchronous " +"manner." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The parent process installs a handler for the SIGCHLD " +"signal, using sigaction, and specifies to the " +"SA_NOCLDWAIT flag. This approach could be used by event " +"loops as well." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"None of these approaches can be used to wait for child process terminated in" +" a completely thread-safe manner. The parent process might execute an event " +"loop in another thread, which could pick up the termination signal. This " +"means that libraries typically cannot make free use of child processes (for " +"example, to run problematic code with reduced privileges in a separate " +"address space)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"At the moment, the parent process should explicitly wait for termination of " +"the child process using waitpid or " +"waitpid, and hope that the status is not collected by " +"an event loop first." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SUID/SGID processes" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Programs can be marked in the file system to indicate to the kernel that a " +"trust transition should happen if the program is run. The " +"SUID file permission bit indicates that an executable " +"should run with the effective user ID equal to the owner of the executable " +"file. Similarly, with the SGID bit, the effective group " +"ID is set to the group of the executable file." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Linux supports fscaps, which can grant additional " +"capabilities to a process in a finer-grained manner. Additional mechanisms " +"can be provided by loadable security modules." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When such a trust transition has happened, the process runs in a potentially" +" hostile environment. Additional care is necessary not to rely on any " +"untrusted information. These concerns also apply to libraries which can be " +"linked into such processes." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Accessing environment variables" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following steps are required so that a program does not accidentally " +"pick up untrusted data from environment variables." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Compile your C/C++ sources with -D_GNU_SOURCE. The " +"Autoconf macro AC_GNU_SOURCE ensures this." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Check for the presence of the secure_getenv and " +"__secure_getenv function. The Autoconf directive " +"AC_CHECK_FUNCS([__secure_getenv secure_getenv]) performs " +"these checks." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Arrange for a proper definition of the secure_getenv " +"function. See ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv instead of " +"getenv to obtain the value of critical environment " +"variables. secure_getenv will pretend the variable has " +"not bee set if the process environment is not trusted." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Critical environment variables are debugging flags, configuration file " +"locations, plug-in and log file locations, and anything else that might be " +"used to bypass security restrictions or cause a privileged process to behave" +" in an unexpected way." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Either the secure_getenv function or the " +"__secure_getenv is available from GNU libc." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining a definition for secure_getenv" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"\n" +"#include <stdlib.h>\n" +"\n" +"#ifndef HAVE_SECURE_GETENV\n" +"# ifdef HAVE__SECURE_GETENV\n" +"# define secure_getenv __secure_getenv\n" +"# else\n" +"# error neither secure_getenv nor __secure_getenv are available\n" +"# endif\n" +"#endif\n" +"\n" +"\t" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Daemons" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Background processes providing system services " +"(daemons) need to decouple themselves from the " +"controlling terminal and the parent process environment:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fork." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, call setsid. The parent process " +"can simply exit (using _exit, to avoid running clean-up" +" actions twice)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the child process, fork again. Processing continues in the child process." +" Again, the parent process should just exit." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Replace the descriptors 0, 1, 2 with a descriptor for " +"/dev/null. Logging should be redirected to " +"syslog." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Older instructions for creating daemon processes recommended a call to " +"umask(0). This is risky because it often leads to world-" +"writable files and directories, resulting in security vulnerabilities such " +"as arbitrary process termination by untrusted local users, or log file " +"truncation. If the umask needs setting, a restrictive " +"value such as 027 or 077 is " +"recommended." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Other aspects of the process environment may have to changed as well " +"(environment variables, signal handler disposition)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is increasingly common that server processes do not run as background " +"processes, but as regular foreground process under a supervising master " +"process (such as systemd). Server processes " +"should offer a command line option which disables forking and replacement of" +" the standard output and standard error streams. Such an option is also " +"useful for debugging." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Semantics of command line arguments" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"After process creation and option processing, it is up to the child process " +"to interpret the arguments. Arguments can be file names, host names, or " +"URLs, and many other things. URLs can refer to the local network, some " +"server on the Internet, or to the local file system. Some applications even " +"accept arbitrary code in arguments (for example, " +"python with the option)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Similar concerns apply to environment variables, the contents of the current" +" directory and its subdirectories." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, careful analysis is required if it is safe to pass untrusted " +"data to another program." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "fork as a primitive for parallelism" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A call to fork which is not immediately followed by a " +"call to execve (perhaps after rearranging and closing " +"file descriptors) is typically unsafe, especially from a library which does " +"not control the state of the entire process. Such use of " +"fork should be replaced with proper child processes or " +"threads." +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/Serialization.po b/defensive-coding/zh-TW/Tasks/Serialization.po new file mode 100644 index 0000000..bb66883 --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/Serialization.po @@ -0,0 +1,513 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Serialization and Deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Protocol decoders and file format parsers are often the most-exposed part of" +" an application because they are exposed with little or no user interaction " +"and before any authentication and security checks are made. They are also " +"difficult to write robustly in languages which are not memory-safe." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Recommendations for manually written decoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For C and C++, the advice in applies. In addition, avoid non-character " +"pointers directly into input buffers. Pointer misalignment causes crashes on" +" some architectures." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When reading variable-sized objects, do not allocate large amounts of data " +"solely based on the value of a size field. If possible, grow the data " +"structure as more data is read from the source, and stop when no data is " +"available. This helps to avoid denial-of-service attacks where little " +"amounts of input data results in enormous memory allocations during " +"decoding. Alternatively, you can impose reasonable bounds on memory " +"allocations, but some protocols do not permit this." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol design" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Binary formats with explicit length fields are more difficult to parse " +"robustly than those where the length of dynamically-sized elements is " +"derived from sentinel values. A protocol which does not use length fields " +"and can be written in printable ASCII characters simplifies testing and " +"debugging. However, binary protocols with length fields may be more " +"efficient to parse." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Library support for deserialization" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For some languages, generic libraries are available which allow to serialize" +" and deserialize user-defined objects. The deserialization part comes in one" +" of two flavors, depending on the library. The first kind uses type " +"information in the data stream to control which objects are instantiated. " +"The second kind uses type definitions supplied by the programmer. The first " +"one allows arbitrary object instantiation, the second one generally does " +"not." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The following serialization frameworks are in the first category, are known " +"to be unsafe, and must not be used for untrusted data:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Python's pickle and cPickle modules" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Perl's Storable package" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java serialization (java.io.ObjectInputStream)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "PHP serialization (unserialize)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Most implementations of YAML" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using a type-directed deserialization format where the types of the " +"deserialized objects are specified by the programmer, make sure that the " +"objects which can be instantiated cannot perform any destructive actions in " +"their destructors, even when the data members have been manipulated." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"JSON decoders do not suffer from this problem. But you must not use the " +"eval function to parse JSON objects in Javascript; even" +" with the regular expression filter from RFC 4627, there are still " +"information leaks remaining." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML serialization" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "External references" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML documents can contain external references. They can occur in various " +"places." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In the DTD declaration in the header of an XML document:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!DOCTYPE html PUBLIC\n" +" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n" +" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a namespace declaration:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In an entity defintion:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n" +"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n" +" \"http://www.example.com/pub-ent.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "In a notation:" +msgstr "" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"<!NOTATION not SYSTEM \"../not.xml\">\n" +"\t " +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Originally, these external references were intended as unique identifiers, " +"but by many XML implementations, they are used for locating the data for the" +" referenced element. This causes unwanted network traffic, and may disclose " +"file system contents or otherwise unreachable network resources, so this " +"functionality should be disabled." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Depending on the XML library, external referenced might be processed not " +"just when parsing XML, but also when generating it." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Entity expansion" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When external DTD processing is disabled, an internal DTD subset can still " +"contain entity definitions. Entity declarations can reference other " +"entities. Some XML libraries expand entities automatically, and this " +"processing cannot be switched off in some places (such as attribute values " +"or content models). Without limits on the entity nesting level, this " +"expansion results in data which can grow exponentially in length with size " +"of the input. (If there is a limit on the nesting level, the growth is still" +" polynomial, unless further limits are imposed.)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Consequently, the processing internal DTD subsets should be disabled if " +"possible, and only trusted DTDs should be processed. If a particular XML " +"application does not permit such restrictions, then application-specific " +"limits are called for." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XInclude processing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing can reference file and network resources and include " +"them into the document, much like external entity references. When parsing " +"untrusted XML documents, XInclude processing should be truned off." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XInclude processing is also fairly complex and may pull in support for the " +"XPointer and XPath specifications, considerably increasing the amount of " +"code required for XML processing." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Algorithmic complexity of XML validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"DTD-based XML validation uses regular expressions for content models. The " +"XML specification requires that content models are deterministic, which " +"means that efficient validation is possible. However, some implementations " +"do not enforce determinism, and require exponential (or just polynomial) " +"amount of space or time for validating some DTD/document combinations." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"XML schemas and RELAX NG (via the xsd: prefix) directly " +"support textual regular expressions which are not required to be " +"deterministic." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using Expat for XML parsing" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"By default, Expat does not try to resolve external IDs, so no steps are " +"required to block them. However, internal entity declarations are processed." +" Installing a callback which stops parsing as soon as such entities are " +"encountered disables them, see . Expat does not perform any " +"validation, so there are no problems related to that." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Disabling XML entity processing with Expat" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This handler must be installed when the XML_Parser object" +" is created ()." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Creating an Expat XML parser" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is also possible to reject internal DTD subsets altogeher, using a " +"suitable XML_StartDoctypeDeclHandler handler installed " +"with XML_SetDoctypeDeclHandler." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Using OpenJDK for XML parsing and validation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based " +"document parsing. Documents can be validated against DTDs or XML schemas." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The approach taken to deal with entity expansion differs from the general " +"recommendation in . We enable the the feature flag " +"javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, which " +"enforces heuristic restrictions on the number of entity expansions. Note " +"that this flag alone does not prevent resolution of external references " +"(system IDs or public IDs), so it is slightly misnamed." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In the following sections, we use helper classes to prevent external ID " +"resolution." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent DTD external entity resolution in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Helper class to prevent schema resolution in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows the imports used by the examples." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Java imports for OpenJDK XML parsing" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing and DTD validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"This approach produces a org.w3c.dom.Document object from" +" an input stream. use the data from the " +"java.io.InputStream instance in the " +"inputStream variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "DOM-based XML parsing in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"External entity references are prohibited using the " +"NoEntityResolver class in . " +"Because external DTD references are prohibited, DTD validation (if enabled) " +"will only happen against the internal DTD subset embedded in the XML " +"document." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"To validate the document against an external DTD, use a " +"javax.xml.transform.Transformer class to add the DTD " +"reference to the document, and an entity resolver which whitelists this " +"external reference." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "XML Schema validation in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +" shows how to validate a document against an XML Schema, " +"using a SAX-based approach. The XML data is read from an " +"java.io.InputStream in the inputStream" +" variable." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "SAX-based validation against an XML schema in OpenJDK" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The NoResourceResolver class is defined in ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"If you need to validate a document against an XML schema, use the code in " +" to create the document, but do not enable validation at this point." +" Then use to perform the schema-based validation on " +"the org.w3c.dom.Document instance " +"document." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Validation of a DOM document against an XML schema in OpenJDK" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Protocol Encoders" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"For protocol encoders, you should write bytes to a buffer which grows as " +"needed, using an exponential sizing policy. Explicit lengths can be patched " +"in later, once they are known. Allocating the required number of bytes " +"upfront typically requires separate code to compute the final size, which " +"must be kept in sync with the actual encoding step, or vulnerabilities may " +"result. In multi-threaded code, parts of the object being deserialized might" +" change, so that the computed size is out of date." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"You should avoid copying data directly from a received packet during " +"encoding, disregarding the format. Propagating malformed data could enable " +"attacks on other recipients of that data." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When using C or C++ and copying whole data structures directly into the " +"output, make sure that you do not leak information in padding bytes between " +"fields or at the end of the struct." +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/Temporary_Files.po b/defensive-coding/zh-TW/Tasks/Temporary_Files.po new file mode 100644 index 0000000..a8a364d --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/Temporary_Files.po @@ -0,0 +1,309 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: title +#, no-c-format +msgid "Temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In this chapter, we describe how to create temporary files and directories, " +"how to remove them, and how to work with programs which do not create files " +"in ways that a safe with a shared directory for temporary files. General " +"file system manipulation is treated in a separate chapter, ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Secure creation of temporary files has four different aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The location of the directory for temporary files must be obtained in a " +"secure manner (that is, untrusted environment variables must be ignored, see" +" )." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"A new file must be created. Reusing an existing file must be avoided (the " +"/tmp race condition). This is " +"tricky because traditionally, system-wide temporary directories shared by " +"all users are used." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file must be created in a way that makes it impossible for other users " +"to open it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The descriptor for the temporary file should not leak to subprocesses." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "All functions mentioned below will take care of these aspects." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Traditionally, temporary files are often used to reduce memory usage of " +"programs. More and more systems use RAM-based file systems such as " +"tmpfs for storing temporary files, to increase " +"performance and decrease wear on Flash storage. As a result, spooling data " +"to temporary files does not result in any memory savings, and the related " +"complexity can be avoided if the data is kept in process memory." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Obtaining the location of temporary directory" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Some functions below need the location of a directory which stores temporary" +" files. For C/C++ programs, use the following steps to obtain that " +"directory:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Use secure_getenv to obtain the value of the " +"TMPDIR environment variable. If it is set, convert the " +"path to a fully-resolved absolute path, using realpath(path, " +"NULL). Check if the new path refers to a directory and is " +"writeable. In this case, use it as the temporary directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Fall back to /tmp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, you can use the tempfile.tempdir variable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Java does not support SUID/SGID programs, so you can use the " +"java.lang.System.getenv(String) method to obtain the " +"value of the TMPDIR environment variable, and follow the " +"two steps described above. (Java's default directory selection does not " +"honor TMPDIR.)" +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Named temporary files" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkostemp function creates a named temporary file. " +"You should specify the O_CLOEXEC flag to avoid file " +"descriptor leaks to subprocesses. (Applications which do not use multiple " +"threads can also use mkstemp, but libraries should use " +"mkostemp.) For determining the directory part of the " +"file name pattern, see ." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The file is not removed automatically. It is not safe to rename or delete " +"the file before processing, or transform the name in any way (for example, " +"by adding a file extension). If you need multiple temporary files, call " +"mkostemp multiple times. Do not create additional file " +"names derived from the name provided by a previous " +"mkostemp call. However, it is safe to close the " +"descriptor returned by mkostemp and reopen the file " +"using the generated name." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The Python class tempfile.NamedTemporaryFile provides " +"similar functionality, except that the file is deleted automatically by " +"default. Note that you may have to use the file attribute" +" to obtain the actual file object because some programming interfaces cannot" +" deal with file-like objects. The C function mkostemp " +"is also available as tempfile.mkstemp." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Java, you can use the java.io.File.createTempFile(String, " +"String, File) function, using the temporary file location " +"determined according to . Do not use " +"java.io.File.deleteOnExit() to delete temporary files, " +"and do not register a shutdown hook for each temporary file you create. In " +"both cases, the deletion hint cannot be removed from the system if you " +"delete the temporary file prior to termination of the VM, causing a memory " +"leak." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary files without names" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The tmpfile function creates a temporary file and " +"immediately deletes it, while keeping the file open. As a result, the file " +"lacks a name and its space is deallocated as soon as the file descriptor is " +"closed (including the implicit close when the process terminates). This " +"avoids cluttering the temporary directory with orphaned files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Alternatively, if the maximum size of the temporary file is known " +"beforehand, the fmemopen function can be used to create" +" a FILE * object which is backed by memory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"In Python, unnamed temporary files are provided by the " +"tempfile.TemporaryFile class, and the " +"tempfile.SpooledTemporaryFile class provides a way to " +"avoid creation of small temporary files." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "Java does not support unnamed temporary files." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Temporary directories" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The mkdtemp function can be used to create a temporary " +"directory. (For determining the directory part of the file name pattern, see" +" .)" +" The directory is not automatically removed. In Python, this function is " +"available as tempfile.mkdtemp. In Java 7, temporary " +"directories can be created using the " +"java.nio.file.Files.createTempDirectory(Path, String, " +"FileAttribute...) function." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"When creating files in the temporary directory, use automatically generated " +"names, e.g., derived from a sequential counter. Files with externally " +"provided names could be picked up in unexpected contexts, and crafted names " +"could actually point outside of the tempoary directory (due to " +"directory traversal)." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Removing a directory tree in a completely safe manner is complicated. Unless" +" there are overriding performance concerns, the " +"rm program should be used, with the " +" and options." +msgstr "" + +#. Tag: title +#, no-c-format +msgid "Compensating for unsafe file creation" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"There are two ways to make a function or program which excepts a file name " +"safe for use with temporary files. See , for details on subprocess " +"creation." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create a temporary directory and place the file there. If possible, run the " +"program in a subprocess which uses the temporary directory as its current " +"directory, with a restricted environment. Use generated names for all files " +"in that temporary directory. (See .)" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"Create the temporary file and pass the generated file name to the function " +"or program. This only works if the function or program can cope with a zero-" +"length existing file. It is safe only under additional assumptions:" +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"The function or program must not create additional files whose name is " +"derived from the specified file name or are otherwise predictable." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "The function or program must not delete the file before processing it." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "It must not access any existing files in the same directory." +msgstr "" + +#. Tag: para +#, no-c-format +msgid "" +"It is often difficult to check whether these additional assumptions are " +"matched, therefore this approach is not recommended." +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-Expat-Create.po b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-Expat-Create.po new file mode 100644 index 0000000..557d37e --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-Expat-Create.po @@ -0,0 +1,33 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"XML_Parser parser = XML_ParserCreate(\"UTF-8\");\n" +"if (parser == NULL) {\n" +" fprintf(stderr, \"XML_ParserCreate failed\n" +"\");\n" +" close(fd);\n" +" exit(1);\n" +"}\n" +"// EntityDeclHandler needs a reference to the parser to stop\n" +"// parsing.\n" +"XML_SetUserData(parser, parser);\n" +"// Disable entity processing, to inhibit entity expansion.\n" +"XML_SetEntityDeclHandler(parser, EntityDeclHandler);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po new file mode 100644 index 0000000..5b31f64 --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-Expat-EntityDeclHandler.po @@ -0,0 +1,31 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"// Stop the parser when an entity declaration is encountered.\n" +"static void\n" +"EntityDeclHandler(void *userData,\n" +"\t\t const XML_Char *entityName, int is_parameter_entity,\n" +"\t\t const XML_Char *value, int value_length,\n" +"\t\t const XML_Char *base, const XML_Char *systemId,\n" +"\t\t const XML_Char *publicId, const XML_Char *notationName)\n" +"{\n" +" XML_StopParser((XML_Parser)userData, XML_FALSE);\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po new file mode 100644 index 0000000..efa52a9 --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-Errors.po @@ -0,0 +1,37 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class Errors implements ErrorHandler {\n" +" @Override\n" +" public void warning(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void fatalError(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +" \n" +" @Override\n" +" public void error(SAXParseException exception) {\n" +" exception.printStackTrace();\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po new file mode 100644 index 0000000..373f6e7 --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-Imports.po @@ -0,0 +1,42 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"import javax.xml.XMLConstants;\n" +"import javax.xml.parsers.DocumentBuilder;\n" +"import javax.xml.parsers.DocumentBuilderFactory;\n" +"import javax.xml.parsers.ParserConfigurationException;\n" +"import javax.xml.parsers.SAXParser;\n" +"import javax.xml.parsers.SAXParserFactory;\n" +"import javax.xml.transform.dom.DOMSource;\n" +"import javax.xml.transform.sax.SAXSource;\n" +"import javax.xml.validation.Schema;\n" +"import javax.xml.validation.SchemaFactory;\n" +"import javax.xml.validation.Validator;\n" +"\n" +"import org.w3c.dom.Document;\n" +"import org.w3c.dom.ls.LSInput;\n" +"import org.w3c.dom.ls.LSResourceResolver;\n" +"import org.xml.sax.EntityResolver;\n" +"import org.xml.sax.ErrorHandler;\n" +"import org.xml.sax.InputSource;\n" +"import org.xml.sax.SAXException;\n" +"import org.xml.sax.SAXParseException;\n" +"import org.xml.sax.XMLReader;\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po new file mode 100644 index 0000000..0fe6dea --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-NoEntityResolver.po @@ -0,0 +1,30 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:30+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoEntityResolver implements EntityResolver {\n" +" @Override\n" +" public InputSource resolveEntity(String publicId, String systemId)\n" +" throws SAXException, IOException {\n" +" // Throwing an exception stops validation.\n" +" throw new IOException(String.format(\n" +" \"attempt to resolve \\\"%s\\\" \\\"%s\\\"\", publicId, systemId));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po new file mode 100644 index 0000000..443ec9e --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK-NoResourceResolver.po @@ -0,0 +1,32 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"class NoResourceResolver implements LSResourceResolver {\n" +" @Override\n" +" public LSInput resolveResource(String type, String namespaceURI,\n" +" String publicId, String systemId, String baseURI) {\n" +" // Throwing an exception stops validation.\n" +" throw new RuntimeException(String.format(\n" +" \"resolution attempt: type=%s namespace=%s \" +\n" +" \"publicId=%s systemId=%s baseURI=%s\",\n" +" type, namespaceURI, publicId, systemId, baseURI));\n" +" }\n" +"}\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po new file mode 100644 index 0000000..7e95055 --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-DOM.po @@ -0,0 +1,34 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\n" +"// Impose restrictions on the complexity of the DTD.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// Turn on validation.\n" +"// This step can be omitted if validation is not desired.\n" +"factory.setValidating(true);\n" +"\n" +"// Parse the document.\n" +"DocumentBuilder builder = factory.newDocumentBuilder();\n" +"builder.setEntityResolver(new NoEntityResolver());\n" +"builder.setErrorHandler(new Errors());\n" +"Document document = builder.parse(inputStream);\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po new file mode 100644 index 0000000..70d9add --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_DOM.po @@ -0,0 +1,38 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on schema complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// The following line prevents resource resolution\n" +"// by the schema itself.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"validator.validate(new DOMSource(document));\n" +msgstr "" diff --git a/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po new file mode 100644 index 0000000..0e50364 --- /dev/null +++ b/defensive-coding/zh-TW/Tasks/snippets/Serialization-XML-OpenJDK_Parse-XMLSchema_SAX.po @@ -0,0 +1,41 @@ +# AUTHOR , YEAR. +# +# Translators: +msgid "" +msgstr "" +"Project-Id-Version: Defensive Coding Guide\n" +"POT-Creation-Date: 2013-03-12T03:19:45\n" +"PO-Revision-Date: 2013-03-19 15:29+0000\n" +"Last-Translator: Automatically generated\n" +"Language-Team: Chinese (Taiwan) \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: zh_TW\n" +"Plural-Forms: nplurals=1; plural=0;\n" + +#. Tag: programlisting +#, no-c-format +msgid "" +"\n" +"SchemaFactory factory = SchemaFactory.newInstance(\n" +" XMLConstants.W3C_XML_SCHEMA_NS_URI);\n" +"\n" +"// This enables restrictions on the schema and document\n" +"// complexity.\n" +"factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\n" +"\n" +"// This prevents resource resolution by the schema itself.\n" +"// If the schema is trusted and references additional files,\n" +"// this line must be omitted, otherwise loading these files\n" +"// will fail.\n" +"factory.setResourceResolver(new NoResourceResolver());\n" +"\n" +"Schema schema = factory.newSchema(schemaFile);\n" +"Validator validator = schema.newValidator();\n" +"\n" +"// This prevents external resource resolution.\n" +"validator.setResourceResolver(new NoResourceResolver());\n" +"\n" +"validator.validate(new SAXSource(new InputSource(inputStream)));\n" +msgstr ""