Remove old POTs
This commit is contained in:
parent
f531cc17b8
commit
6bb2770bc9
188 changed files with 0 additions and 14080 deletions
|
@ -1,133 +0,0 @@
|
|||
|
||||
:experimental:
|
||||
|
||||
[[sect-Defensive_Coding-CXX-Language]]
|
||||
== The Core Language
|
||||
|
||||
C++ includes a large subset of the C language. As far as the C
|
||||
subset is used, the recommendations in xref:../programming-languages/C.adoc#chap-Defensive_Coding-C[Defensive Coding in C] apply.
|
||||
|
||||
=== Array Allocation with `operator new[]`
|
||||
|
||||
For very large values of `n`, an expression
|
||||
like `new T[n]` can return a pointer to a heap
|
||||
region which is too small. In other words, not all array
|
||||
elements are actually backed with heap memory reserved to the
|
||||
array. Current GCC versions generate code that performs a
|
||||
computation of the form `sizeof(T) * size_t(n) +
|
||||
cookie_size`, where `cookie_size` is
|
||||
currently at most 8. This computation can overflow, and GCC
|
||||
versions prior to 4.8 generated code which did not detect this.
|
||||
(Fedora 18 was the first release which fixed this in GCC.)
|
||||
|
||||
The `std::vector` template can be used instead
|
||||
an explicit array allocation. (The GCC implementation detects
|
||||
overflow internally.)
|
||||
|
||||
If there is no alternative to `operator new[]`
|
||||
and the sources will be compiled with older GCC versions, code
|
||||
which allocates arrays with a variable length must check for
|
||||
overflow manually. For the `new T[n]` example,
|
||||
the size check could be `n || (n > 0 && n >
|
||||
(size_t(-1) - 8) / sizeof(T))`. (See xref:../programming-languages/C-Language.adoc#sect-Defensive_Coding-C-Arithmetic[Recommendations for Integer Arithmetic]) If there are
|
||||
additional dimensions (which must be constants according to the
|
||||
{cpp} standard), these should be included as factors in the
|
||||
divisor.
|
||||
|
||||
These countermeasures prevent out-of-bounds writes and potential
|
||||
code execution. Very large memory allocations can still lead to
|
||||
a denial of service. xref:../tasks/Tasks-Serialization.adoc#sect-Defensive_Coding-Tasks-Serialization-Decoders[Recommendations for Manually-written Decoders]
|
||||
contains suggestions for mitigating this problem when processing
|
||||
untrusted data.
|
||||
|
||||
See xref:../tasks/programming-languages/C-Allocators.adoc#sect-Defensive_Coding-C-Allocators-Arrays[Array Allocation]
|
||||
for array allocation advice for C-style memory allocation.
|
||||
|
||||
=== Overloading
|
||||
|
||||
Do not overload functions with versions that have different
|
||||
security characteristics. For instance, do not implement a
|
||||
function `strcat` which works on
|
||||
`std::string` arguments. Similarly, do not name
|
||||
methods after such functions.
|
||||
|
||||
=== ABI compatibility and preparing for security updates
|
||||
|
||||
A stable binary interface (ABI) is vastly preferred for security
|
||||
updates. Without a stable ABI, all reverse dependencies need
|
||||
recompiling, which can be a lot of work and could even be
|
||||
impossible in some cases. Ideally, a security update only
|
||||
updates a single dynamic shared object, and is picked up
|
||||
automatically after restarting affected processes.
|
||||
|
||||
Outside of extremely performance-critical code, you should
|
||||
ensure that a wide range of changes is possible without breaking
|
||||
ABI. Some very basic guidelines are:
|
||||
|
||||
* Avoid inline functions.
|
||||
|
||||
* Use the pointer-to-implementation idiom.
|
||||
|
||||
* Try to avoid templates. Use them if the increased type
|
||||
safety provides a benefit to the programmer.
|
||||
|
||||
* Move security-critical code out of templated code, so that
|
||||
it can be patched in a central place if necessary.
|
||||
|
||||
The KDE project publishes a document with more extensive
|
||||
guidelines on ABI-preserving changes to {cpp} code, link:++https://community.kde.org/Policies/Binary_Compatibility_Issues_With_C%2B%2B++[Policies/Binary
|
||||
Compatibility Issues With {cpp}]
|
||||
(*d-pointer* refers to the
|
||||
pointer-to-implementation idiom).
|
||||
|
||||
[[sect-Defensive_Coding-CXX-Language-CXX11]]
|
||||
=== {cpp}0X and {cpp}11 Support
|
||||
|
||||
GCC offers different language compatibility modes:
|
||||
|
||||
* [option]`-std=c++98` for the original 1998 {cpp}
|
||||
standard
|
||||
|
||||
* [option]`-std=c++03` for the 1998 standard with the
|
||||
changes from the TR1 technical report
|
||||
|
||||
* [option]`-std=c++11` for the 2011 {cpp} standard. This
|
||||
option should not be used.
|
||||
|
||||
* [option]`-std=c++0x` for several different versions
|
||||
of {cpp}11 support in development, depending on the GCC
|
||||
version. This option should not be used.
|
||||
|
||||
For each of these flags, there are variants which also enable
|
||||
GNU extensions (mostly language features also found in C99 or
|
||||
C11):
|
||||
|
||||
* [option]`-std=gnu++98`
|
||||
* [option]`-std=gnu++03`
|
||||
* [option]`-std=gnu++11`
|
||||
|
||||
Again, [option]`-std=gnu++11` should not be used.
|
||||
|
||||
If you enable {cpp}11 support, the ABI of the standard {cpp} library
|
||||
`libstdc++` will change in subtle ways.
|
||||
Currently, no {cpp} libraries are compiled in {cpp}11 mode, so if
|
||||
you compile your code in {cpp}11 mode, it will be incompatible
|
||||
with the rest of the system. Unfortunately, this is also the
|
||||
case if you do not use any {cpp}11 features. Currently, there is
|
||||
no safe way to enable {cpp}11 mode (except for freestanding
|
||||
applications).
|
||||
|
||||
The meaning of {cpp}0X mode changed from GCC release to GCC
|
||||
release. Earlier versions were still ABI-compatible with {cpp}98
|
||||
mode, but in the most recent versions, switching to {cpp}0X mode
|
||||
activates {cpp}11 support, with its compatibility problems.
|
||||
|
||||
Some {cpp}11 features (or approximations thereof) are available
|
||||
with TR1 support, that is, with [option]`-std=c++03` or
|
||||
[option]`-std=gnu++03` and in the
|
||||
`<tr1/*>` header files. This includes
|
||||
`std::tr1::shared_ptr` (from
|
||||
`<tr1/memory>`) and
|
||||
`std::tr1::function` (from
|
||||
`<tr1/functional>`). For other {cpp}11
|
||||
features, the Boost {cpp} library contains replacements.
|
|
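Review bot: the file removed in this hunk is an AsciiDoc source (`:experimental:`, `[[sect-Defensive_Coding-CXX-Language]]`, `xref:` macros), not a `.pot` template, so the commit message "Remove old POTs" does not cover it; either extend the message to say that stale `.adoc` copies are being dropped as well, or move the `.adoc` deletions into their own commit so the translation cleanup stays reviewable on its own. The cross-references in the deleted text point at three different directory layouts for the same chapter (`xref:../programming-languages/C.adoc`, `xref:../programming-languages/C-Language.adoc`, `xref:../tasks/programming-languages/C-Allocators.adoc`), which is good evidence that this is an orphaned duplicate and supports removing it. Before it goes, please confirm that the live copy of "Array Allocation with `operator new[]`" does not carry the manual size check as written here, `n || (n > 0 && n > (size_t(-1) - 8) / sizeof(T))`: the leading `n ||` makes the condition true for every nonzero `n`, so the expression never distinguishes an overflowing request from a valid one; the intended test is presumably `n < 0 || n > (size_t(-1) - 8) / sizeof(T)` for a signed `n`, or just `n > (size_t(-1) - 8) / sizeof(T)` for an unsigned one.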
@ -1,190 +0,0 @@
|
|||
|
||||
:experimental:
|
||||
|
||||
[[sect-Defensive_Coding-CXX-Std]]
|
||||
== The C++ Standard Library
|
||||
|
||||
The C++ standard library includes most of its C counterpart
|
||||
by reference, see xref:../programming-languages/C.adoc#chap-Defensive_Coding-C[Defensive Coding in C.
|
||||
|
||||
[[sect-Defensive_Coding-CXX-Std-Functions]]
|
||||
=== Functions That Are Difficult to Use
|
||||
|
||||
This section collects functions and function templates which are
|
||||
part of the standard library and are difficult to use.
|
||||
|
||||
[[sect-Defensive_Coding-CXX-Std-Functions-Unpaired_Iterators]]
|
||||
==== Unpaired Iterators
|
||||
|
||||
Functions which use output operators or iterators which do not
|
||||
come in pairs (denoting ranges) cannot perform iterator range
|
||||
checking.
|
||||
(See <<sect-Defensive_Coding-CXX-Std-Iterators>>)
|
||||
Function templates which involve output iterators are
|
||||
particularly dangerous:
|
||||
|
||||
* `std::copy`
|
||||
|
||||
* `std::copy_backward`
|
||||
|
||||
* `std::copy_if`
|
||||
|
||||
* `std::move` (three-argument variant)
|
||||
|
||||
* `std::move_backward`
|
||||
|
||||
* `std::partition_copy_if`
|
||||
|
||||
* `std::remove_copy`
|
||||
|
||||
* `std::remove_copy_if`
|
||||
|
||||
* `std::replace_copy`
|
||||
|
||||
* `std::replace_copy_if`
|
||||
|
||||
* `std::swap_ranges`
|
||||
|
||||
* `std::transform`
|
||||
|
||||
In addition, `std::copy_n`,
|
||||
`std::fill_n` and
|
||||
`std::generate_n` do not perform iterator
|
||||
checking, either, but there is an explicit count which has to be
|
||||
supplied by the caller, as opposed to an implicit length
|
||||
indicator in the form of a pair of forward iterators.
|
||||
|
||||
These output-iterator-expecting functions should only be used
|
||||
with unlimited-range output iterators, such as iterators
|
||||
obtained with the `std::back_inserter`
|
||||
function.
|
||||
|
||||
Other functions use single input or forward iterators, which can
|
||||
read beyond the end of the input range if the caller is not careful:
|
||||
|
||||
* `std::equal`
|
||||
|
||||
* `std::is_permutation`
|
||||
|
||||
* `std::mismatch`
|
||||
|
||||
[[sect-Defensive_Coding-CXX-Std-String]]
|
||||
=== String Handling with `std::string`
|
||||
|
||||
The `std::string` class provides a convenient
|
||||
way to handle strings. Unlike C strings,
|
||||
`std::string` objects have an explicit length
|
||||
(and can contain embedded NUL characters), and storage for its
|
||||
characters is managed automatically. This section discusses
|
||||
`std::string`, but these observations also
|
||||
apply to other instances of the
|
||||
`std::basic_string` template.
|
||||
|
||||
The pointer returned by the `data()` member
|
||||
function does not necessarily point to a NUL-terminated string.
|
||||
To obtain a C-compatible string pointer, use
|
||||
`c_str()` instead, which adds the NUL
|
||||
terminator.
|
||||
|
||||
The pointers returned by the `data()` and
|
||||
`c_str()` functions and iterators are only
|
||||
valid until certain events happen. It is required that the
|
||||
exact `std::string` object still exists (even
|
||||
if it was initially created as a copy of another string object).
|
||||
Pointers and iterators are also invalidated when non-const
|
||||
member functions are called, or functions with a non-const
|
||||
reference parameter. The behavior of the GCC implementation
|
||||
deviates from that required by the {cpp} standard if multiple
|
||||
threads are present. In general, only the first call to a
|
||||
non-const member function after a structural modification of the
|
||||
string (such as appending a character) is invalidating, but this
|
||||
also applies to member function such as the non-const version of
|
||||
`begin()`, in violation of the {cpp} standard.
|
||||
|
||||
Particular care is necessary when invoking the
|
||||
`c_str()` member function on a temporary
|
||||
object. This is convenient for calling C functions, but the
|
||||
pointer will turn invalid as soon as the temporary object is
|
||||
destroyed, which generally happens when the outermost expression
|
||||
enclosing the expression on which `c_str()`
|
||||
is called completes evaluation. Passing the result of
|
||||
`c_str()` to a function which does not store
|
||||
or otherwise leak that pointer is safe, though.
|
||||
|
||||
Like with `std::vector` and
|
||||
`std::array`, subscribing with
|
||||
`operator[]` does not perform bounds checks.
|
||||
Use the `at(size_type)` member function
|
||||
instead. See <<sect-Defensive_Coding-CXX-Std-Subscript>>.
|
||||
Furthermore, accessing the terminating NUL character using
|
||||
`operator[]` is not possible. (In some
|
||||
implementations, the `c_str()` member function
|
||||
writes the NUL character on demand.)
|
||||
|
||||
Never write to the pointers returned by
|
||||
`data()` or `c_str()`
|
||||
after casting away `const`. If you need a
|
||||
C-style writable string, use a
|
||||
`std::vector<char>` object and its
|
||||
`data()` member function. In this case, you
|
||||
have to explicitly add the terminating NUL character.
|
||||
|
||||
GCC's implementation of `std::string` is
|
||||
currently based on reference counting. It is expected that a
|
||||
future version will remove the reference counting, due to
|
||||
performance and conformance issues. As a result, code that
|
||||
implicitly assumes sharing by holding to pointers or iterators
|
||||
for too long will break, resulting in run-time crashes or worse.
|
||||
On the other hand, non-const iterator-returning functions will
|
||||
no longer give other threads an opportunity for invalidating
|
||||
existing iterators and pointers because iterator invalidation
|
||||
does not depend on sharing of the internal character array
|
||||
object anymore.
|
||||
|
||||
[[sect-Defensive_Coding-CXX-Std-Subscript]]
|
||||
=== Containers and `operator[]`
|
||||
|
||||
Many sequence containers similar to `std::vector`
|
||||
provide both `operator[](size_type)` and a
|
||||
member function `at(size_type)`. This applies
|
||||
to `std::vector` itself,
|
||||
`std::array`, `std::string`
|
||||
and other instances of `std::basic_string`.
|
||||
|
||||
`operator[](size_type)` is not required by the
|
||||
standard to perform bounds checking (and the implementation in
|
||||
GCC does not). In contrast, `at(size_type)`
|
||||
must perform such a check. Therefore, in code which is not
|
||||
performance-critical, you should prefer
|
||||
`at(size_type)` over
|
||||
`operator[](size_type)`, even though it is
|
||||
slightly more verbose.
|
||||
|
||||
The `front()` and `back()`
|
||||
member functions are undefined if a vector object is empty. You
|
||||
can use `vec.at(0)` and
|
||||
`vec.at(vec.size() - 1)` as checked
|
||||
replacements. For an empty vector, `data()` is
|
||||
defined; it returns an arbitrary pointer, but not necessarily
|
||||
the NULL pointer.
|
||||
|
||||
[[sect-Defensive_Coding-CXX-Std-Iterators]]
|
||||
=== Iterators
|
||||
|
||||
Iterators do not perform any bounds checking. Therefore, all
|
||||
functions that work on iterators should accept them in pairs,
|
||||
denoting a range, and make sure that iterators are not moved
|
||||
outside that range. For forward iterators and bidirectional
|
||||
iterators, you need to check for equality before moving the
|
||||
first or last iterator in the range. For random-access
|
||||
iterators, you need to compute the difference before adding or
|
||||
subtracting an offset. It is not possible to perform the
|
||||
operation and check for an invalid operator afterwards.
|
||||
|
||||
Output iterators cannot be compared for equality. Therefore, it
|
||||
is impossible to write code that detects that it has been
|
||||
supplied an output area that is too small, and their use should
|
||||
be avoided.
|
||||
|
||||
These issues make some of the standard library functions
|
||||
difficult to use correctly, see <<sect-Defensive_Coding-CXX-Std-Functions-Unpaired_Iterators>>.
|
|
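Review bot: same mismatch as the previous file: this is the AsciiDoc source for "The C++ Standard Library", not a POT, so either the commit message or the set of deleted files needs adjusting. If the current copy of this chapter was derived from the text deleted here, two defects are worth checking there: the cross-reference `xref:../programming-languages/C.adoc#chap-Defensive_Coding-C[Defensive Coding in C.` is missing its closing `]`, so Asciidoctor leaves the macro as literal text instead of rendering a link, and the list of output-iterator algorithms names `std::partition_copy_if`, which does not exist in the standard library (the algorithm is `std::partition_copy`).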
@ -1,34 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: firstname
|
||||
#, no-c-format
|
||||
msgid "Florian"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: surname
|
||||
#, no-c-format
|
||||
msgid "Weimer"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: orgname
|
||||
#, no-c-format
|
||||
msgid "Red Hat"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: orgdiv
|
||||
#, no-c-format
|
||||
msgid "Product Security Team"
|
||||
msgstr ""
|
||||
|
|
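Review bot: the commit message should say what replaces these templates. The header lines `"Content-Type: application/x-publican; charset=UTF-8\n"` and `"POT-Creation-Date: 2013-09-18T00:49:42\n"` identify this and the following files as Publican-generated templates from 2013, and every `msgstr ""` is empty, so no translator work is lost by deleting them; but a reader of the history cannot tell from "Remove old POTs" whether the strings are now extracted by another tool or whether translation support is being dropped altogether, and one sentence in the message would settle that.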
@ -1,34 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Defensive Coding"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: subtitle
|
||||
#, no-c-format
|
||||
msgid "A Guide to Improving Software Security"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: productname
|
||||
#, no-c-format
|
||||
msgid "Fedora Security Team"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This document provides guidelines for improving software security through secure coding. It covers common programming languages and libraries, and focuses on concrete recommendations."
|
||||
msgstr ""
|
||||
|
|
@ -1,164 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Memory allocators"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>malloc</function> and related functions"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The C library interfaces for memory allocation are provided by <function>malloc</function>, <function>free</function> and <function>realloc</function>, and the <function>calloc</function> function. In addition to these generic functions, there are derived functions such as <function>strdup</function> which perform allocation using <function>malloc</function> internally, but do not return untyped heap memory (which could be used for any object)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The C compiler knows about these functions and can use their expected behavior for optimizations. For instance, the compiler assumes that an existing pointer (or a pointer derived from an existing pointer by arithmetic) will not point into the memory area returned by <function>malloc</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the allocation fails, <function>realloc</function> does not free the old pointer. Therefore, the idiom <literal>ptr = realloc(ptr, size);</literal> is wrong because the memory pointed to by <literal>ptr</literal> leaks in case of an error."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Use-after-free errors"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After <function>free</function>, the pointer is invalid. Further pointer dereferences are not allowed (and are usually detected by <application>valgrind</application>). Less obvious is that any <emphasis>use</emphasis> of the old pointer value is not allowed, either. In particular, comparisons with any other pointer (or the null pointer) are undefined according to the C standard."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The same rules apply to <function>realloc</function> if the memory area cannot be enlarged in-place. For instance, the compiler may assume that a comparison between the old and new pointer will always return false, so it is impossible to detect movement this way."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Handling memory allocation errors"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Recovering from out-of-memory errors is often difficult or even impossible. In these cases, <function>malloc</function> and other allocation functions return a null pointer. Dereferencing this pointer lead to a crash. Such dereferences can even be exploitable for code execution if the dereference is combined with an array subscript."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In general, if you cannot check all allocation calls and handle failure, you should abort the program on allocation failure, and not rely on the null pointer dereference to terminate the process. See <xref linkend=\"sect-Defensive_Coding-Tasks-Serialization-Decoders\" /> for related memory allocation concerns."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>alloca</function> and other forms of stack-based allocation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Allocation on the stack is risky because stack overflow checking is implicit. There is a guard page at the end of the memory area reserved for the stack. If the program attempts to read from or write to this guard page, a <literal>SIGSEGV</literal> signal is generated and the program typically terminates."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This is sufficient for detecting typical stack overflow situations such as unbounded recursion, but it fails when the stack grows in increments larger than the size of the guard page. In this case, it is possible that the stack pointer ends up pointing into a memory area which has been allocated for a different purposes. Such misbehavior can be exploitable."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "A common source for large stack growth are calls to <function>alloca</function> and related functions such as <function>strdupa</function>. These functions should be avoided because of the lack of error checking. (They can be used safely if the allocated size is less than the page size (typically, 4096 bytes), but this case is relatively rare.) Additionally, relying on <function>alloca</function> makes it more difficult to reorgnize the code because it is not allowed to use the pointer after the function calling <function>alloca</function> has returned, even if this function has been inlined into its caller."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Similar concerns apply to <emphasis>variable-length arrays</emphasis> (VLAs), a feature of the C99 standard which started as a GNU extension. For large objects exceeding the page size, there is no error checking, either."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In both cases, negative or very large sizes can trigger a stack-pointer wraparound, and the stack pointer and end up pointing into caller stack frames, which is fatal and can be exploitable."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you want to use <function>alloca</function> or VLAs for performance reasons, consider using a small on-stack array (less than the page size, large enough to fulfill most requests). If the requested size is small enough, use the on-stack array. Otherwise, call <function>malloc</function>. When exiting the function, check if <function>malloc</function> had been called, and free the buffer as needed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Array allocation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When allocating arrays, it is important to check for overflows. The <function>calloc</function> function performs such checks."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If <function>malloc</function> or <function>realloc</function> is used, the size check must be written manually. For instance, to allocate an array of <literal>n</literal> elements of type <literal>T</literal>, check that the requested size is not greater than <literal>((size_t) -1) / sizeof(T)</literal>. See <xref linkend=\"sect-Defensive_Coding-C-Arithmetic\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Custom memory allocators"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Custom memory allocates come in two forms: replacements for <function>malloc</function>, and completely different interfaces for memory management. Both approaches can reduce the effectiveness of <application>valgrind</application> and similar tools, and the heap corruption detection provided by GNU libc, so they should be avoided."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Memory allocators are difficult to write and contain many performance and security pitfalls."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When computing array sizes or rounding up allocation requests (to the next allocation granularity, or for alignment purposes), checks for arithmetic overflow are required."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Size computations for array allocations need overflow checking. See <xref linkend=\"sect-Defensive_Coding-C-Allocators-Arrays\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It can be difficult to beat well-tuned general-purpose allocators. In micro-benchmarks, pool allocators can show huge wins, and size-specific pools can reduce internal fragmentation. But often, utilization of individual pools is poor, and"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Conservative garbage collection"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Garbage collection can be an alternative to explicit memory management using <function>malloc</function> and <function>free</function>. The Boehm-Dehmers-Weiser allocator can be used from C programs, with minimal type annotations. Performance is competitive with <function>malloc</function> on 64-bit architectures, especially for multi-threaded programs. The stop-the-world pauses may be problematic for some real-time applications, though."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "However, using a conservative garbage collector may reduce opertunities for code reduce because once one library in a program uses garbage collection, the whole process memory needs to be subject to it, so that no pointers are missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for internal use, so it is not fully transparent to the rest of the program."
|
||||
msgstr ""
|
||||
|
|
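Review bot: the last "Custom memory allocators" entry, `msgid "It can be difficult to beat well-tuned general-purpose allocators. ... But often, utilization of individual pools is poor, and"`, ends mid-sentence, which means the source paragraph was already truncated when this template was generated; if the current source for that section still ends with "utilization of individual pools is poor, and", the deletion here removes the only remaining evidence of it, so please complete or cut that sentence in the source as part of this cleanup. Smaller defects carried in these strings that are worth a grep in the current sources: "Custom memory allocates" (allocators), "reorgnize", "reduce opertunities for code reduce", "the stack pointer and end up pointing", and "Boehm-Dehmers-Weiser", which should read Boehm-Demers-Weiser.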
@ -1,164 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The core language"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "C provides no memory safety. Most recommendations in this section deal with this aspect of the language."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Undefined behavior"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some C constructs are defined to be undefined by the C standard. This does not only mean that the standard does not describe what happens when the construct is executed. It also allows optimizing compilers such as GCC to assume that this particular construct is never reached. In some cases, this has caused GCC to optimize security checks away. (This is not a flaw in GCC or the C language. But C certainly has some areas which are more difficult to use than others.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Common sources of undefined behavior are:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "out-of-bounds array accesses"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "null pointer dereferences"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "overflow in signed integer arithmetic"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Recommendations for pointers and array handling"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Always keep track of the size of the array you are working with. Often, code is more obviously correct when you keep a pointer past the last element of the array, and calculate the number of remaining elements by substracting the current position from that pointer. The alternative, updating a separate variable every time when the position is advanced, is usually less obviously correct."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-C-Pointers-remaining\" /> shows how to extract Pascal-style strings from a character buffer. The two pointers kept for length checks are <varname>inend</varname> and <varname>outend</varname>. <varname>inp</varname> and <varname>outp</varname> are the respective positions. The number of input bytes is checked using the expression <literal>len > (size_t)(inend - inp)</literal>. The cast silences a compiler warning; <varname>inend</varname> is always larger than <varname>inp</varname>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Array processing in C"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is important that the length checks always have the form <literal>len > (size_t)(inend - inp)</literal>, where <varname>len</varname> is a variable of type <type>size_t</type> which denotes the <emphasis>total</emphasis> number of bytes which are about to be read or written next. In general, it is not safe to fold multiple such checks into one, as in <literal>len1 + len2 > (size_t)(inend - inp)</literal>, because the expression on the left can overflow or wrap around (see <xref linkend=\"sect-Defensive_Coding-C-Arithmetic\" />), and it no longer reflects the number of bytes to be processed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Recommendations for integer arithmetic"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Overflow in signed integer arithmetic is undefined. This means that it is not possible to check for overflow after it happened, see <xref linkend=\"ex-Defensive_Coding-C-Arithmetic-bad\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Incorrect overflow detection in C"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following approaches can be used to check for overflow, without actually causing it."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Use a wider type to perform the calculation, check that the result is within bounds, and convert the result to the original type. All intermediate results must be checked in this way."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Perform the calculation in the corresponding unsigned type and use bit fiddling to detect the overflow."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Compute bounds for acceptable input values which are known to avoid overflow, and reject other values. This is the preferred way for overflow checking on multiplications, see <xref linkend=\"ex-Defensive_Coding-C-Arithmetic-mult\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Overflow checking for unsigned multiplication"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Basic arithmetic operations a commutative, so for bounds checks, there are two different but mathematically equivalent expressions. Sometimes, one of the expressions results in better code because parts of it can be reduced to a constant. This applies to overflow checks for multiplication <literal>a * b</literal> involving a constant <literal>a</literal>, where the expression is reduced to <literal>b > C</literal> for some constant <literal>C</literal> determined at compile time. The other expression, <literal>b && a > ((unsigned)-1) / b</literal>, is more difficult to optimize at compile time."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When a value is converted to a signed integer, GCC always chooses the result based on 2's complement arithmetic. This GCC extension (which is also implemented by other compilers) helps a lot when implementing overflow checks."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Legacy code should be compiled with the <option>-fwrapv</option> GCC option. As a result, GCC will provide 2's complement semantics for integer arithmetic, including defined behavior on integer overflow."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Global variables"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Global variables should be avoided because they usually lead to thread safety hazards. In any case, they should be declared <literal>static</literal>, so that access is restricted to a single translation unit."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Global constants are not a problem, but declaring them can be tricky. <xref linkend=\"ex-Defensive_Coding-C-Globals-String_Array\" /> shows how to declare a constant array of constant strings. The second <literal>const</literal> is needed to make the array constant, and not just the strings. It must be placed after the <literal>*</literal>, and not before it."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Declaring a constant array of constant strings"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Sometimes, static variables local to functions are used as a replacement for proper memory management. Unlike non-static local variables, it is possible to return a pointer to static local variables to the caller. But such variables are well-hidden, but effectively global (just as static variables at file scope). It is difficult to add thread safety afterwards if such interfaces are used. Merely dropping the <literal>static</literal> keyword in such cases leads to undefined behavior."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Another source for static local variables is a desire to reduce stack space usage on embedded platforms, where the stack may span only a few hundred bytes. If this is the only reason why the <literal>static</literal> keyword is used, it can just be dropped, unless the object is very large (larger than 128 kilobytes on 32 bit platforms). In the latter case, it is recommended to allocate the object using <literal>malloc</literal>, to obtain proper array checking, for the same reasons outlined in <xref linkend=\"sect-Defensive_Coding-C-Allocators-alloca\" />."
|
||||
msgstr ""
|
||||
|
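Review bot: two of the deleted msgids at the end of this hunk carry source-text defects that a regenerated catalogue would inherit unless the source document has since been corrected, so they are worth checking there before this deletion is taken as closing the matter: the msgid beginning "Basic arithmetic operations a commutative" is missing "are", and the msgid beginning "Sometimes, static variables local to functions" doubles its conjunction in "But such variables are well-hidden, but effectively global". The removal itself needs no change.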
304
pot/C-Libc.pot
|
@ -1,304 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The C standard library"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Parts of the C standard library (and the UNIX and GNU extensions) are difficult to use, so you shoud avoid them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Please check the applicable documentation before using the recommended replacements. Many of these functions allocate buffers using <function>malloc</function> which your code must deallocate explicitly using <function>free</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Absolutely banned interfaces"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The functions listed below must not be used because they are almost always unsafe. Use the indicated replacements instead."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>gets</function> ⟶ <function>fgets</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>getwd</function> ⟶ <function>getcwd</function> or <function>get_current_dir_name</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>readdir_r</function> ⟶ <function>readdir</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>realpath</function> (with a non-NULL second parameter) ⟶ <function>realpath</function> with NULL as the second parameter, or <function>canonicalize_file_name</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The constants listed below must not be used, either. Instead, code must allocate memory dynamically and use interfaces with length checking."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>NAME_MAX</literal> (limit not actually enforced by the kernel)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>PATH_MAX</literal> (limit not actually enforced by the kernel)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>_PC_NAME_MAX</literal> (This limit, returned by the <function>pathconf</function> function, is not enforced by the kernel.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>_PC_PATH_MAX</literal> (This limit, returned by the <function>pathconf</function> function, is not enforced by the kernel.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following structure members must not be used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>f_namemax</literal> in <literal>struct statvfs</literal> (limit not actually enforced by the kernel, see <literal>_PC_NAME_MAX</literal> above)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Functions to avoid"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following string manipulation functions can be used securely in principle, but their use should be avoided because they are difficult to use correctly. Calls to these functions can be replaced with <function>asprintf</function> or <function>vasprintf</function>. (For non-GNU targets, these functions are available from Gnulib.) In some cases, the <function>snprintf</function> function might be a suitable replacement, see <xref linkend=\"sect-Defensive_Coding-C-String-Functions-Length\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>sprintf</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>strcat</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>strcpy</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>vsprintf</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Use the indicated replacements for the functions below."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>alloca</function> ⟶ <function>malloc</function> and <function>free</function> (see <xref linkend=\"sect-Defensive_Coding-C-Allocators-alloca\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>putenv</function> ⟶ explicit <varname>envp</varname> argument in process creation (see <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-environ\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>setenv</function> ⟶ explicit <varname>envp</varname> argument in process creation (see <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-environ\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>strdupa</function> ⟶ <function>strdup</function> and <function>free</function> (see <xref linkend=\"sect-Defensive_Coding-C-Allocators-alloca\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>strndupa</function> ⟶ <function>strndup</function> and <function>free</function> (see <xref linkend=\"sect-Defensive_Coding-C-Allocators-alloca\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>system</function> ⟶ <function>posix_spawn</function> or <function>fork</function>/<function>execve</function>/ (see <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-execve\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>unsetenv</function> ⟶ explicit <varname>envp</varname> argument in process creation (see <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-environ\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "String Functions With Explicit Length Arguments"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The C run-time library provides string manipulation functions which not just look for NUL characters for string termination, but also honor explicit lengths provided by the caller. However, these functions evolved over a long period of time, and the lengths mean different things depending on the function."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<literal>snprintf</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>snprintf</function> function provides a way to construct a string in a statically-sized buffer. (If the buffer size is allocated on the heap, consider use <function>asprintf</function> instead.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The second argument to the <function>snprintf</function> call should always be the size of the buffer in the first argument (which should be a character array). Elaborate pointer and length arithmetic can introduce errors and nullify the security benefits of <function>snprintf</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In particular, <literal>snprintf</literal> is not well-suited to constructing a string iteratively, by appending to an existing buffer. <function>snprintf</function> returns one of two values, <literal>-1</literal> on errors, or the number of characters which <emphasis>would have been written to the buffer if the buffer were large enough</emphasis>. This means that adding the result of <function>snprintf</function> to the buffer pointer to skip over the characters just written is incorrect and risky. However, as long as the length argument is not zero, the buffer will remain NUL-terminated. <xref linkend=\"ex-Defensive_Coding-C-String-Functions-snprintf-incremental\" /> works because <literal>end -current > 0</literal> is a loop invariant. After the loop, the result string is in the <varname>buf</varname> variable."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Repeatedly writing to a buffer using <function>snprintf</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you want to avoid the call to <function>strlen</function> for performance reasons, you have to check for a negative return value from <function>snprintf</function> and also check if the return value is equal to the specified buffer length or larger. Only if neither condition applies, you may advance the pointer to the start of the write buffer by the number return by <function>snprintf</function>. However, this optimization is rarely worthwhile."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Note that it is not permitted to use the same buffer both as the destination and as a source argument."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<literal>vsnprintf</literal> and format strings"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you use <function>vsnprintf</function> (or <function>vasprintf</function> or even <function>snprintf</function>) with a format string which is not a constant, but a function argument, it is important to annotate the function with a <literal>format</literal> function attribute, so that GCC can warn about misuse of your function (see <xref linkend=\"ex-Defensive_Coding-C-String-Functions-format-Attribute\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The <literal>format</literal> function attribute"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>strncpy</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>strncpy</function> function does not ensure that the target buffer is NUL-terminated. A common idiom for ensuring NUL termination is:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Another approach uses the <function>strncat</function> function for this purpose:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>strncat</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The length argument of the <function>strncat</function> function specifies the maximum number of characters copied from the source buffer, excluding the terminating NUL character. This means that the required number of bytes in the destination buffer is the length of the original string, plus the length argument in the <function>strncat</function> call, plus one. Consequently, this function is rarely appropriate for performing a length-checked string operation, with the notable exception of the <function>strcpy</function> emulation described in <xref linkend=\"sect-Defensive_Coding-C-Libc-strncpy\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To implement a length-checked string append, you can use an approach similar to <xref linkend=\"ex-Defensive_Coding-C-String-Functions-snprintf-incremental\" />:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In many cases, including this one, the string concatenation can be avoided by combining everything into a single format string:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "But you should must not dynamically construct format strings to avoid concatenation because this would prevent GCC from type-checking the argument lists."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is not possible to use format strings like <literal>\"%s%s\"</literal> to implement concatenation, unless you use separate buffers. <function>snprintf</function> does not support overlapping source and target strings."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>strlcpy</function> and <function>strlcat</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some systems support <function>strlcpy</function> and <function>strlcat</function> functions which behave this way, but these functions are not part of GNU libc. <function>strlcpy</function> is often replaced with <function>snprintf</function> with a <literal>\"%s\"</literal> format string. See <xref linkend=\"sect-Defensive_Coding-C-Libc-strncpy\" /> for a caveat related to the <function>snprintf</function> return value."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To emulate <function>strlcat</function>, use the approach described in <xref linkend=\"sect-Defensive_Coding-C-Libc-strncat\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "ISO C11 Annex K *<function>_s</function> functions"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "ISO C11 adds another set of length-checking functions, but GNU libc currently does not implement them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Other <function>strn</function>* and <function>stpn</function>* functions"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "GNU libc contains additional functions with different variants of length checking. Consult the documentation before using them to find out what the length actually means."
|
||||
msgstr ""
|
||||
|
|
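Review bot: pot/C-Libc.pot is removed outright with no regenerated catalogue added in its place, and its header block records POT-Creation-Date 2013-09-18, so the only record of these strings after this commit is the source document; the typos still visible in the deleted msgids should therefore be verified as fixed there rather than assumed gone with the file: "so you shoud avoid them", "consider use <function>asprintf</function> instead", "But you should must not dynamically construct format strings", and the stray trailing slash in "<function>fork</function>/<function>execve</function>/". The rest of the hunk is a straight deletion of generated text and raises nothing further.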
@ -1,59 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Other C-related topics"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Wrapper functions"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some libraries provide wrappers for standard library functions. Common cases include allocation functions such as <function>xmalloc</function> which abort the process on allocation failure (instead of returning a <literal>NULL</literal> pointer), or alternatives to relatively recent library additions such as <function>snprintf</function> (along with implementations for systems which lack them)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In general, such wrappers are a bad idea, particularly if they are not implemented as inline functions or preprocessor macros. The compiler lacks knowledge of such wrappers outside the translation unit which defines them, which means that some optimizations and security checks are not performed. Adding <literal>__attribute__</literal> annotations to function declarations can remedy this to some extent, but these annotations have to be maintained carefully for feature parity with the standard implementation."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "At the minimum, you should apply these attributes:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you wrap function which accepts are GCC-recognized format string (for example, a <function>printf</function>-style function used for logging), you should add a suitable <literal>format</literal> attribute, as in <xref linkend=\"ex-Defensive_Coding-C-String-Functions-format-Attribute\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you wrap a function which carries a <literal>warn_unused_result</literal> attribute and you propagate its return value, your wrapper should be declared with <literal>warn_unused_result</literal> as well."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Duplicating the buffer length checks based on the <function>__builtin_object_size</function> GCC builtin is desirable if the wrapper processes arrays. (This functionality is used by the <literal>-D_FORTIFY_SOURCE=2</literal> checks to guard against static buffer overflows.) However, designing appropriate interfaces and implementing the checks may not be entirely straightforward."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For other attributes (such as <literal>malloc</literal>), careful analysis and comparison with the compiler documentation is required to check if propagating the attribute is appropriate. Incorrectly applied attributes can result in undesired behavioral changes in the compiled code."
|
||||
msgstr ""
|
||||
|
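Review bot: the msgid beginning "If you wrap function which accepts are GCC-recognized format string" in this hunk is garbled (it should read "a function which accepts a GCC-recognized format string"); because the catalogue is being deleted rather than refreshed, confirm the corrected wording is present in the source document so that a future POT regeneration does not reintroduce it. The other strings in this hunk read cleanly and the deletion needs no change.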
19
pot/C.pot
|
@ -1,19 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The C Programming Language"
|
||||
msgstr ""
|
||||
|
|
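Review bot: this catalogue holds only the header block and the single title msgid "The C Programming Language", and a second copy with the same single string appears later in this diff at pot/C/C.pot with an older POT-Creation-Date (2013-08-13 against 2013-09-18 here); the two copies under different layouts show the pot/ tree had accumulated more than one generation of output, so deleting both rather than only the older one is the right scope for this commit.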
@ -1,164 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Memory allocators"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>malloc</function> and related functions"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The C library interfaces for memory allocation are provided by <function>malloc</function>, <function>free</function> and <function>realloc</function>, and the <function>calloc</function> function. In addition to these generic functions, there are derived functions such as <function>strdup</function> which perform allocation using <function>malloc</function> internally, but do not return untyped heap memory (which could be used for any object)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The C compiler knows about these functions and can use their expected behavior for optimizations. For instance, the compiler assumes that an existing pointer (or a pointer derived from an existing pointer by arithmetic) will not point into the memory area returned by <function>malloc</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the allocation fails, <function>realloc</function> does not free the old pointer. Therefore, the idiom <literal>ptr = realloc(ptr, size);</literal> is wrong because the memory pointed to by <literal>ptr</literal> leaks in case of an error."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Use-after-free errors"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After <function>free</function>, the pointer is invalid. Further pointer dereferences are not allowed (and are usually detected by <application>valgrind</application>). Less obvious is that any <emphasis>use</emphasis> of the old pointer value is not allowed, either. In particular, comparisons with any other pointer (or the null pointer) are undefined according to the C standard."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The same rules apply to <function>realloc</function> if the memory area cannot be enlarged in-place. For instance, the compiler may assume that a comparison between the old and new pointer will always return false, so it is impossible to detect movement this way."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Handling memory allocation errors"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Recovering from out-of-memory errors is often difficult or even impossible. In these cases, <function>malloc</function> and other allocation functions return a null pointer. Dereferencing this pointer lead to a crash. Such dereferences can even be exploitable for code execution if the dereference is combined with an array subscript."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In general, if you cannot check all allocation calls and handle failure, you should abort the program on allocation failure, and not rely on the null pointer dereference to terminate the process. See <xref linkend=\"sect-Defensive_Coding-Tasks-Serialization-Decoders\" /> for related memory allocation concerns."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>alloca</function> and other forms of stack-based allocation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Allocation on the stack is risky because stack overflow checking is implicit. There is a guard page at the end of the memory area reserved for the stack. If the program attempts to read from or write to this guard page, a <literal>SIGSEGV</literal> signal is generated and the program typically terminates."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This is sufficient for detecting typical stack overflow situations such as unbounded recursion, but it fails when the stack grows in increments larger than the size of the guard page. In this case, it is possible that the stack pointer ends up pointing into a memory area which has been allocated for a different purposes. Such misbehavior can be exploitable."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "A common source for large stack growth are calls to <function>alloca</function> and related functions such as <function>strdupa</function>. These functions should be avoided because of the lack of error checking. (They can be used safely if the allocated size is less than the page size (typically, 4096 bytes), but this case is relatively rare.) Additionally, relying on <function>alloca</function> makes it more difficult to reorgnize the code because it is not allowed to use the pointer after the function calling <function>alloca</function> has returned, even if this function has been inlined into its caller."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Similar concerns apply to <emphasis>variable-length arrays</emphasis> (VLAs), a feature of the C99 standard which started as a GNU extension. For large objects exceeding the page size, there is no error checking, either."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In both cases, negative or very large sizes can trigger a stack-pointer wraparound, and the stack pointer and end up pointing into caller stack frames, which is fatal and can be exploitable."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you want to use <function>alloca</function> or VLAs for performance reasons, consider using a small on-stack array (less than the page size, large enough to fulfill most requests). If the requested size is small enough, use the on-stack array. Otherwise, call <function>malloc</function>. When exiting the function, check if <function>malloc</function> had been called, and free the buffer as needed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Array allocation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When allocating arrays, it is important to check for overflows. The <function>calloc</function> function performs such checks."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If <function>malloc</function> or <function>realloc</function> is used, the size check must be written manually. For instance, to allocate an array of <literal>n</literal> elements of type <literal>T</literal>, check that the requested size is not greater than <literal>n / sizeof(T)</literal>. See <xref linkend=\"sect-Defensive_Coding-C-Arithmetic\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Custom memory allocators"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Custom memory allocates come in two forms: replacements for <function>malloc</function>, and completely different interfaces for memory management. Both approaches can reduce the effectiveness of <application>valgrind</application> and similar tools, and the heap corruption detection provided by GNU libc, so they should be avoided."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Memory allocators are difficult to write and contain many performance and security pitfalls."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When computing array sizes or rounding up allocation requests (to the next allocation granularity, or for alignment purposes), checks for arithmetic overflow are required."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Size computations for array allocations need overflow checking. See <xref linkend=\"sect-Defensive_Coding-C-Allocators-Arrays\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It can be difficult to beat well-tuned general-purpose allocators. In micro-benchmarks, pool allocators can show huge wins, and size-specific pools can reduce internal fragmentation. But often, utilization of individual pools is poor, and"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Conservative garbage collection"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Garbage collection can be an alternative to explicit memory management using <function>malloc</function> and <function>free</function>. The Boehm-Dehmers-Weiser allocator can be used from C programs, with minimal type annotations. Performance is competitive with <function>malloc</function> on 64-bit architectures, especially for multi-threaded programs. The stop-the-world pauses may be problematic for some real-time applications, though."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "However, using a conservative garbage collector may reduce opertunities for code reduce because once one library in a program uses garbage collection, the whole process memory needs to be subject to it, so that no pointers are missed. The Boehm-Dehmers-Weiser collector also reserves certain signals for internal use, so it is not fully transparent to the rest of the program."
|
||||
msgstr ""
|
||||
|
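Review bot: the msgid in this hunk beginning "If <function>malloc</function> or <function>realloc</function> is used" states the array-size check as "not greater than n / sizeof(T)", which cannot be right as written: the bound on n for an allocation of n elements of type T is the largest size_t value divided by sizeof(T), not n divided by it; since the string is being deleted, check the current source text of that section so a regenerated catalogue does not carry the wrong bound forward. The same hunk also contains a msgid that stops mid-sentence ("utilization of individual pools is poor, and") and the misspellings "Custom memory allocates", "reorgnize" and "opertunities for code reduce", all worth confirming against the source.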
19
pot/C/C.pot
|
@ -1,19 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The C Programming Language"
|
||||
msgstr ""
|
||||
|
|
@ -1,134 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The core language"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "C provides no memory safety. Most recommendations in this section deal with this aspect of the language."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Undefined behavior"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some C constructs are defined to be undefined by the C standard. This does not only mean that the standard does not describe what happens when the construct is executed. It also allows optimizing compilers such as GCC to assume that this particular construct is never reached. In some cases, this has caused GCC to optimize security checks away. (This is not a flaw in GCC or the C language. But C certainly has some areas which are more difficult to use than others.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Common sources of undefined behavior are:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "out-of-bounds array accesses"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "null pointer dereferences"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "overflow in signed integer arithmetic"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Recommendations for pointers and array handling"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Always keep track of the size of the array you are working with. Often, code is more obviously correct when you keep a pointer past the last element of the array, and calculate the number of remaining elements by substracting the current position from that pointer. The alternative, updating a separate variable every time when the position is advanced, is usually less obviously correct."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-C-Pointers-remaining\" /> shows how to extract Pascal-style strings from a character buffer. The two pointers kept for length checks are <varname>inend</varname> and <varname>outend</varname>. <varname>inp</varname> and <varname>outp</varname> are the respective positions. The number of input bytes is checked using the expression <literal>len > (size_t)(inend - inp)</literal>. The cast silences a compiler warning; <varname>inend</varname> is always larger than <varname>inp</varname>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Array processing in C"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is important that the length checks always have the form <literal>len > (size_t)(inend - inp)</literal>, where <varname>len</varname> is a variable of type <type>size_t</type> which denotes the <emphasis>total</emphasis> number of bytes which are about to be read or written next. In general, it is not safe to fold multiple such checks into one, as in <literal>len1 + len2 > (size_t)(inend - inp)</literal>, because the expression on the left can overflow or wrap around (see <xref linkend=\"sect-Defensive_Coding-C-Arithmetic\" />), and it no longer reflects the number of bytes to be processed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Recommendations for integer arithmetic"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Overflow in signed integer arithmetic is undefined. This means that it is not possible to check for overflow after it happened, see <xref linkend=\"ex-Defensive_Coding-C-Arithmetic-bad\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Incorrect overflow detection in C"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following approaches can be used to check for overflow, without actually causing it."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Use a wider type to perform the calculation, check that the result is within bounds, and convert the result to the original type. All intermediate results must be checked in this way."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Perform the calculation in the corresponding unsigned type and use bit fiddling to detect the overflow."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Compute bounds for acceptable input values which are known to avoid overflow, and reject other values. This is the preferred way for overflow checking on multiplications, see <xref linkend=\"ex-Defensive_Coding-C-Arithmetic-mult\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Overflow checking for unsigned multiplication"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Basic arithmetic operations a commutative, so for bounds checks, there are two different but mathematically equivalent expressions. Sometimes, one of the expressions results in better code because parts of it can be reduced to a constant. This applies to overflow checks for multiplication <literal>a * b</literal> involving a constant <literal>a</literal>, where the expression is reduced to <literal>b > C</literal> for some constant <literal>C</literal> determined at compile time. The other expression, <literal>b && a > ((unsigned)-1) / b</literal>, is more difficult to optimize at compile time."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When a value is converted to a signed integer, GCC always chooses the result based on 2's complement arithmetic. This GCC extension (which is also implemented by other compilers) helps a lot when implementing overflow checks."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Legacy code should be compiled with the <option>-fwrapv</option> GCC option. As a result, GCC will provide 2's complement semantics for integer arithmetic, including defined behavior on integer overflow."
|
||||
msgstr ""
|
||||
|
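Review bot: two msgid strings in this file carry wording errors that should not survive into regenerated templates: "substracting" in the pointer-and-array paragraph, and "Basic arithmetic operations a commutative" (missing "are") in the paragraph on the two equivalent multiplication bounds checks. POT files are generated from the document source, so the fix belongs there, not in this file; the deletion itself is fine.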
304
pot/C/Libc.pot
|
@ -1,304 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The C standard library"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Parts of the C standard library (and the UNIX and GNU extensions) are difficult to use, so you shoud avoid them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Please check the applicable documentation before using the recommended replacements. Many of these functions allocate buffers using <function>malloc</function> which your code must deallocate explicitly using <function>free</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Absolutely banned interfaces"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The functions listed below must not be used because they are almost always unsafe. Use the indicated replacements instead."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>gets</function> ⟶ <function>fgets</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>getwd</function> ⟶ <function>getcwd</function> or <function>get_current_dir_name</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>readdir_r</function> ⟶ <function>readdir</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>realpath</function> (with a non-NULL second parameter) ⟶ <function>realpath</function> with NULL as the second parameter, or <function>canonicalize_file_name</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The constants listed below must not be used, either. Instead, code must allocate memory dynamically and use interfaces with length checking."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>NAME_MAX</literal> (limit not actually enforced by the kernel)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>PATH_MAX</literal> (limit not actually enforced by the kernel)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>_PC_NAME_MAX</literal> (This limit, returned by the <function>pathconf</function> function, is not enforced by the kernel.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>_PC_PATH_MAX</literal> (This limit, returned by the <function>pathconf</function> function, is not enforced by the kernel.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following structure members must not be used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>f_namemax</literal> in <literal>struct statvfs</literal> (limit not actually enforced by the kernel, see <literal>_PC_NAME_MAX</literal> above)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Functions to avoid"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following string manipulation functions can be used securely in principle, but their use should be avoided because they are difficult to use correctly. Calls to these functions can be replaced with <function>asprintf</function> or <function>vasprintf</function>. (For non-GNU targets, these functions are available from Gnulib.) In some cases, the <function>snprintf</function> function might be a suitable replacement, see <xref linkend=\"sect-Defensive_Coding-C-String-Functions-Length\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>sprintf</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>strcat</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>strcpy</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>vsprintf</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Use the indicated replacements for the functions below."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>alloca</function> ⟶ <function>malloc</function> and <function>free</function> (see <xref linkend=\"sect-Defensive_Coding-C-Allocators-alloca\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>putenv</function> ⟶ explicit <varname>envp</varname> argument in process creation (see <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-environ\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>setenv</function> ⟶ explicit <varname>envp</varname> argument in process creation (see <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-environ\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>strdupa</function> ⟶ <function>strdup</function> and <function>free</function> (see <xref linkend=\"sect-Defensive_Coding-C-Allocators-alloca\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>strndupa</function> ⟶ <function>strndup</function> and <function>free</function> (see <xref linkend=\"sect-Defensive_Coding-C-Allocators-alloca\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>system</function> ⟶ <function>posix_spawn</function> or <function>fork</function>/<function>execve</function>/ (see <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-execve\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>unsetenv</function> ⟶ explicit <varname>envp</varname> argument in process creation (see <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-environ\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "String Functions With Explicit Length Arguments"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The C run-time library provides string manipulation functions which not just look for NUL characters for string termination, but also honor explicit lengths provided by the caller. However, these functions evolved over a long period of time, and the lengths mean different things depending on the function."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<literal>snprintf</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>snprintf</function> function provides a way to construct a string in a statically-sized buffer. (If the buffer size is allocated on the heap, consider use <function>asprintf</function> instead.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The second argument to the <function>snprintf</function> call should always be the size of the buffer in the first argument (which should be a character array). Elaborate pointer and length arithmetic can introduce errors and nullify the security benefits of <function>snprintf</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In particular, <literal>snprintf</literal> is not well-suited to constructing a string iteratively, by appending to an existing buffer. <function>snprintf</function> returns one of two values, <literal>-1</literal> on errors, or the number of characters which <emphasis>would have been written to the buffer if the buffer were large enough</emphasis>. This means that adding the result of <function>snprintf</function> to the buffer pointer to skip over the characters just written is incorrect and risky. However, as long as the length argument is not zero, the buffer will remain NUL-terminated. <xref linkend=\"ex-Defensive_Coding-C-String-Functions-snprintf-incremental\" /> works because <literal>end -current > 0</literal> is a loop invariant. After the loop, the result string is in the <varname>buf</varname> variable."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Repeatedly writing to a buffer using <function>snprintf</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you want to avoid the call to <function>strlen</function> for performance reasons, you have to check for a negative return value from <function>snprintf</function> and also check if the return value is equal to the specified buffer length or larger. Only if neither condition applies, you may advance the pointer to the start of the write buffer by the number return by <function>snprintf</function>. However, this optimization is rarely worthwhile."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Note that it is not permitted to use the same buffer both as the destination and as a source argument."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<literal>vsnprintf</literal> and format strings"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you use <function>vsnprintf</function> (or <function>vasprintf</function> or even <function>snprintf</function>) with a format string which is not a constant, but a function argument, it is important to annotate the function with a <literal>format</literal> function attribute, so that GCC can warn about misuse of your function (see <xref linkend=\"ex-Defensive_Coding-C-String-Functions-format-Attribute\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The <literal>format</literal> function attribute"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>strncpy</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>strncpy</function> function does not ensure that the target buffer is NUL-terminated. A common idiom for ensuring NUL termination is:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Another approach uses the <function>strncat</function> function for this purpose:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>strncat</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The length argument of the <function>strncat</function> function specifies the maximum number of characters copied from the source buffer, excluding the terminating NUL character. This means that the required number of bytes in the destination buffer is the length of the original string, plus the length argument in the <function>strncat</function> call, plus one. Consequently, this function is rarely appropriate for performing a length-checked string operation, with the notable exception of the <function>strcpy</function> emulation described in <xref linkend=\"sect-Defensive_Coding-C-Libc-strncpy\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To implement a length-checked string append, you can use an approach similar to <xref linkend=\"ex-Defensive_Coding-C-String-Functions-snprintf-incremental\" />:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In many cases, including this one, the string concatenation can be avoided by combining everything into a single format string:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "But you should must not dynamically construct format strings to avoid concatenation because this would prevent GCC from type-checking the argument lists."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is not possible to use format strings like <literal>\"%s%s\"</literal> to implement concatenation, unless you use separate buffers. <function>snprintf</function> does not support overlapping source and target strings."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>strlcpy</function> and <function>strlcat</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some systems support <function>strlcpy</function> and <function>strlcat</function> functions which behave this way, but these functions are not part of GNU libc. <function>strlcpy</function> is often replaced with <function>snprintf</function> with a <literal>\"%s\"</literal> format string. See <xref linkend=\"sect-Defensive_Coding-C-Libc-strncpy\" /> for a caveat related to the <function>snprintf</function> return value."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To emulate <function>strlcat</function>, use the approach described in <xref linkend=\"sect-Defensive_Coding-C-Libc-strncat\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "ISO C11 Annex K *<function>_s</function> functions"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "ISO C11 adds another set of length-checking functions, but GNU libc currently does not implement them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Other <function>strn</function>* and <function>stpn</function>* functions"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "GNU libc contains additional functions with different variants of length checking. Consult the documentation before using them to find out what the length actually means."
|
||||
msgstr ""
|
||||
|
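Review bot: several msgid strings in Libc.pot have defects that should be confirmed fixed in the source this file was generated from before the templates are regenerated: "you shoud avoid them" in the introductory paragraph, the stray trailing slash in "fork/execve/" in the system replacement entry, "consider use asprintf" (should read "consider using") in the snprintf paragraph, "you should must not dynamically construct format strings" in the strncat section, and the loop invariant written as "end -current > 0" instead of "end - current > 0". None of these block the deletion.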
|
@ -1,59 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Other C-related topics"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Wrapper functions"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some libraries provide wrappers for standard library functions. Common cases include allocation functions such as <function>xmalloc</function> which abort the process on allocation failure (instead of returning a <literal>NULL</literal> pointer), or alternatives to relatively recent library additions such as <function>snprintf</function> (along with implementations for systems which lack them)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In general, such wrappers are a bad idea, particularly if they are not implemented as inline functions or preprocessor macros. The compiler lacks knowledge of such wrappers outside the translation unit which defines them, which means that some optimizations and security checks are not performed. Adding <literal>__attribute__</literal> annotations to function declarations can remedy this to some extent, but these annotations have to be maintained carefully for feature parity with the standard implementation."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "At the minimum, you should apply these attributes:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you wrap function which accepts are GCC-recognized format string (for example, a <function>printf</function>-style function used for logging), you should add a suitable <literal>format</literal> attribute, as in <xref linkend=\"ex-Defensive_Coding-C-String-Functions-format-Attribute\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you wrap a function which carries a <literal>warn_unused_result</literal> attribute and you propagate its return value, your wrapper should be declared with <literal>warn_unused_result</literal> as well."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Duplicating the buffer length checks based on the <function>__builtin_object_size</function> GCC builtin is desirable if the wrapper processes arrays. (This functionality is used by the <literal>-D_FORTIFY_SOURCE=2</literal> checks to guard against static buffer overflows.) However, designing appropriate interfaces and implementing the checks may not be entirely straightforward."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For other attributes (such as <literal>malloc</literal>), careful analysis and comparison with the compiler documentation is required to check if propagating the attribute is appropriate. Incorrectly applied attributes can result in undesired behavioral changes in the compiled code."
|
||||
msgstr ""
|
||||
|
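Review bot: the msgid "If you wrap function which accepts are GCC-recognized format string" is garbled (it should read "If you wrap a function which accepts a GCC-recognized format string"); as with the other POT deletions, check that the document source has the corrected sentence so the regenerated template does not inherit it.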
|
@ -1,14 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"void report_overflow(void);\n"
|
||||
"\n"
|
||||
"int\n"
|
||||
"add(int a, int b)\n"
|
||||
"{\n"
|
||||
" int result = a + b;\n"
|
||||
" if (a < 0 || b < 0) {\n"
|
||||
" return -1;\n"
|
||||
" }\n"
|
||||
" // The compiler can optimize away the following if statement.\n"
|
||||
" if (result < 0) {\n"
|
||||
" report_overflow();\n"
|
||||
" }\n"
|
||||
" return result;\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"unsigned\n"
|
||||
"mul(unsigned a, unsigned b)\n"
|
||||
"{\n"
|
||||
" if (b && a > ((unsigned)-1) / b) {\n"
|
||||
" report_overflow();\n"
|
||||
" }\n"
|
||||
" return a * b;\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,63 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"ssize_t\n"
|
||||
"extract_strings(const char *in, size_t inlen, char **out, size_t outlen)\n"
|
||||
"{\n"
|
||||
" const char *inp = in;\n"
|
||||
" const char *inend = in + inlen;\n"
|
||||
" char **outp = out;\n"
|
||||
" char **outend = out + outlen;\n"
|
||||
"\n"
|
||||
" while (inp != inend) {\n"
|
||||
" size_t len;\n"
|
||||
" char *s;\n"
|
||||
" if (outp == outend) {\n"
|
||||
" errno = ENOSPC;\n"
|
||||
" goto err;\n"
|
||||
" }\n"
|
||||
" len = (unsigned char)*inp;\n"
|
||||
" ++inp;\n"
|
||||
" if (len > (size_t)(inend - inp)) {\n"
|
||||
" errno = EINVAL;\n"
|
||||
" goto err;\n"
|
||||
" }\n"
|
||||
" s = malloc(len + 1);\n"
|
||||
" if (s == NULL) {\n"
|
||||
" goto err;\n"
|
||||
" }\n"
|
||||
" memcpy(s, inp, len);\n"
|
||||
" inp += len;\n"
|
||||
" s[len] = '\\0';\n"
|
||||
" *outp = s;\n"
|
||||
" ++outp;\n"
|
||||
" }\n"
|
||||
" return outp - out;\n"
|
||||
"err:\n"
|
||||
" {\n"
|
||||
" int errno_old = errno;\n"
|
||||
" while (out != outp) {\n"
|
||||
" free(*out);\n"
|
||||
" ++out;\n"
|
||||
" }\n"
|
||||
" errno = errno_old;\n"
|
||||
" }\n"
|
||||
" return -1;\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"void log_format(const char *format, ...) __attribute__((format(printf, 1, 2)));\n"
|
||||
"\n"
|
||||
"void\n"
|
||||
"log_format(const char *format, ...)\n"
|
||||
"{\n"
|
||||
" char buf[1000];\n"
|
||||
" va_list ap;\n"
|
||||
" va_start(ap, format);\n"
|
||||
" vsnprintf(buf, sizeof(buf), format, ap);\n"
|
||||
" va_end(ap);\n"
|
||||
" log_string(buf);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"char buf[512];\n"
|
||||
"char *current = buf;\n"
|
||||
"const char *const end = buf + sizeof(buf);\n"
|
||||
"for (struct item *it = data; it->key; ++it) {\n"
|
||||
" snprintf(current, end - current, \"%s%s=%d\",\n"
|
||||
" current == buf ? \"\" : \", \", it->key, it->value);\n"
|
||||
" current += strlen(current);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"char fraction[30];\n"
|
||||
"snprintf(fraction, sizeof(fraction), \"%d/%d\", numerator, denominator);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"buf[0] = '\\0';\n"
|
||||
"strncpy(buf, data, sizeof(buf) - 1);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
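Review bot: this listing does not do what the prose it illustrates says it does. With "buf[0] = '\0';" followed by "strncpy(buf, data, sizeof(buf) - 1);", strncpy overwrites buf[0] and, when data holds sizeof(buf) - 1 or more characters, never writes buf[sizeof(buf) - 1], so the buffer is not guaranteed to be NUL-terminated. The paragraph that introduces it ("Another approach uses the strncat function for this purpose") calls for "strncat(buf, data, sizeof(buf) - 1);", where the initial empty string plus strncat's own terminator gives a correct, length-checked copy in at most sizeof(buf) bytes. Verify that the source listing uses strncat before regenerating the templates, since the same listing is also referenced as the strlcpy emulation elsewhere in this change.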
|
@ -1,23 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"char buf[10];\n"
|
||||
"snprintf(buf, sizeof(buf), \"%s\", prefix);\n"
|
||||
"snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), \"%s\", data);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"snprintf(buf, sizeof(buf), \"%s%s\", prefix, data);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,23 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"char buf[10];\n"
|
||||
"strncpy(buf, data, sizeof(buf));\n"
|
||||
"buf[sizeof(buf) - 1] = '\\0';\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,154 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The core language"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "C++ includes a large subset of the C language. As far as the C subset is used, the recommendations in <xref linkend=\"chap-Defensive_Coding-C\" /> apply."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Array allocation with <literal>operator new[]</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For very large values of <literal>n</literal>, an expression like <literal>new T[n]</literal> can return a pointer to a heap region which is too small. In other words, not all array elements are actually backed with heap memory reserved to the array. Current GCC versions generate code that performs a computation of the form <literal>sizeof(T) * size_t(n) + cookie_size</literal>, where <literal>cookie_size</literal> is currently at most 8. This computation can overflow, and GCC versions prior to 4.8 generated code which did not detect this. (Fedora 18 was the first release which fixed this in GCC.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>std::vector</literal> template can be used instead an explicit array allocation. (The GCC implementation detects overflow internally.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If there is no alternative to <literal>operator new[]</literal> and the sources will be compiled with older GCC versions, code which allocates arrays with a variable length must check for overflow manually. For the <literal>new T[n]</literal> example, the size check could be <literal>n || (n > 0 && n > (size_t(-1) - 8) / sizeof(T))</literal>. (See <xref linkend=\"sect-Defensive_Coding-C-Arithmetic\" />.) If there are additional dimensions (which must be constants according to the C++ standard), these should be included as factors in the divisor."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "These countermeasures prevent out-of-bounds writes and potential code execution. Very large memory allocations can still lead to a denial of service. <xref linkend=\"sect-Defensive_Coding-Tasks-Serialization-Decoders\" /> contains suggestions for mitigating this problem when processing untrusted data."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "See <xref linkend=\"sect-Defensive_Coding-C-Allocators-Arrays\" /> for array allocation advice for C-style memory allocation."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Overloading"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Do not overload functions with versions that have different security characteristics. For instance, do not implement a function <function>strcat</function> which works on <type>std::string</type> arguments. Similarly, do not name methods after such functions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "ABI compatibility and preparing for security updates"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "A stable binary interface (ABI) is vastly preferred for security updates. Without a stable ABI, all reverse dependencies need recompiling, which can be a lot of work and could even be impossible in some cases. Ideally, a security update only updates a single dynamic shared object, and is picked up automatically after restarting affected processes."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Outside of extremely performance-critical code, you should ensure that a wide range of changes is possible without breaking ABI. Some very basic guidelines are:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Avoid inline functions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Use the pointer-to-implementation idiom."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Try to avoid templates. Use them if the increased type safety provides a benefit to the programmer."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Move security-critical code out of templated code, so that it can be patched in a central place if necessary."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The KDE project publishes a document with more extensive guidelines on ABI-preserving changes to C++ code, <ulink url=\"http://techbase.kde.org/Policies/Binary_Compatibility_Issues_With_C++\">Policies/Binary Compatibility Issues With C++</ulink> (<emphasis>d-pointer</emphasis> refers to the pointer-to-implementation idiom)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "C++0X and C++11 support"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "GCC offers different language compatibility modes:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<option>-std=c++98</option> for the original 1998 C++ standard"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<option>-std=c++03</option> for the 1998 standard with the changes from the TR1 technical report"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<option>-std=c++11</option> for the 2011 C++ standard. This option should not be used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<option>-std=c++0x</option> for several different versions of C++11 support in development, depending on the GCC version. This option should not be used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For each of these flags, there are variants which also enable GNU extensions (mostly language features also found in C99 or C11): <option>-std=gnu++98</option>, <option>-std=gnu++03</option>, <option>-std=gnu++11</option>. Again, <option>-std=gnu++11</option> should not be used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you enable C++11 support, the ABI of the standard C++ library <literal>libstdc++</literal> will change in subtle ways. Currently, no C++ libraries are compiled in C++11 mode, so if you compile your code in C++11 mode, it will be incompatible with the rest of the system. Unfortunately, this is also the case if you do not use any C++11 features. Currently, there is no safe way to enable C++11 mode (except for freestanding applications)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The meaning of C++0X mode changed from GCC release to GCC release. Earlier versions were still ABI-compatible with C++98 mode, but in the most recent versions, switching to C++0X mode activates C++11 support, with its compatibility problems."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some C++11 features (or approximations thereof) are available with TR1 support, that is, with <option>-std=c++03</option> or <option>-std=gnu++03</option> and in the <literal><tr1/*></literal> header files. This includes <literal>std::tr1::shared_ptr</literal> (from <literal><tr1/memory></literal>) and <literal>std::tr1::function</literal> (from <literal><tr1/functional></literal>). For other C++11 features, the Boost C++ library contains replacements."
|
||||
msgstr ""
|
||||
|
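Review bot: the size check quoted in this template, `n || (n > 0 && n > (size_t(-1) - 8) / sizeof(T))`, is true for every non-zero `n`, so as written it would reject every real allocation; the `n > 0 &&` guard only makes sense as the complement of a leading `n < 0` term, which appears to have been lost (an unescaped `<` is a common casualty in extracted text). Whatever source this deleted string was extracted from should be checked for the same defect, and the neighbouring paragraph is missing a word: "can be used instead an explicit array allocation" should read "instead of".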
209
pot/CXX-Std.pot
|
@ -1,209 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The C++ standard library"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The C++ standard library includes most of its C counterpart by reference, see <xref linkend=\"sect-Defensive_Coding-C-Libc\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Functions that are difficult to use"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This section collects functions and function templates which are part of the standard library and are difficult to use."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Unpaired iterators"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Functions which use output operators or iterators which do not come in pairs (denoting ranges) cannot perform iterator range checking. (See <xref linkend=\"sect-Defensive_Coding-CXX-Std-Iterators\" />) Function templates which involve output iterators are particularly dangerous:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::copy</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::copy_backward</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::copy_if</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::move</function> (three-argument variant)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::move_backward</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::partition_copy_if</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::remove_copy</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::remove_copy_if</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::replace_copy</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::replace_copy_if</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::swap_ranges</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::transform</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In addition, <function>std::copy_n</function>, <function>std::fill_n</function> and <function>std::generate_n</function> do not perform iterator checking, either, but there is an explicit count which has to be supplied by the caller, as opposed to an implicit length indicator in the form of a pair of forward iterators."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "These output-iterator-expecting functions should only be used with unlimited-range output iterators, such as iterators obtained with the <function>std::back_inserter</function> function."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Other functions use single input or forward iterators, which can read beyond the end of the input range if the caller is not careful:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::equal</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::is_permutation</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>std::mismatch</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "String handling with <literal>std::string</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>std::string</literal> class provides a convenient way to handle strings. Unlike C strings, <literal>std::string</literal> objects have an explicit length (and can contain embedded NUL characters), and storage for its characters is managed automatically. This section discusses <literal>std::string</literal>, but these observations also apply to other instances of the <literal>std::basic_string</literal> template."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The pointer returned by the <function>data()</function> member function does not necessarily point to a NUL-terminated string. To obtain a C-compatible string pointer, use <function>c_str()</function> instead, which adds the NUL terminator."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The pointers returned by the <function>data()</function> and <function>c_str()</function> functions and iterators are only valid until certain events happen. It is required that the exact <literal>std::string</literal> object still exists (even if it was initially created as a copy of another string object). Pointers and iterators are also invalidated when non-const member functions are called, or functions with a non-const reference parameter. The behavior of the GCC implementation deviates from that required by the C++ standard if multiple threads are present. In general, only the first call to a non-const member function after a structural modification of the string (such as appending a character) is invalidating, but this also applies to member function such as the non-const version of <function>begin()</function>, in violation of the C++ standard."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Particular care is necessary when invoking the <function>c_str()</function> member function on a temporary object. This is convenient for calling C functions, but the pointer will turn invalid as soon as the temporary object is destroyed, which generally happens when the outermost expression enclosing the expression on which <function>c_str()</function> is called completes evaluation. Passing the result of <function>c_str()</function> to a function which does not store or otherwise leak that pointer is safe, though."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Like with <literal>std::vector</literal> and <literal>std::array</literal>, subscribing with <literal>operator[]</literal> does not perform bounds checks. Use the <function>at(size_type)</function> member function instead. See <xref linkend=\"sect-Defensive_Coding-CXX-Std-Subscript\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Never write to the pointers returned by <function>data()</function> or <function>c_str()</function> after casting away <literal>const</literal>. If you need a C-style writable string, use a <literal>std::vector<char></literal> object and its <function>data()</function> member function. In this case, you have to explicitly add the terminating NUL character."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "GCC's implementation of <literal>std::string</literal> is currently based on reference counting. It is expected that a future version will remove the reference counting, due to performance and conformance issues. As a result, code that implicitly assumes sharing by holding to pointers or iterators for too long will break, resulting in run-time crashes or worse. On the other hand, non-const iterator-returning functions will no longer give other threads an opportunity for invalidating existing iterators and pointers because iterator invalidation does not depend on sharing of the internal character array object anymore."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Containers and <literal>operator[]</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Many sequence containers similar to <literal>std::vector</literal> provide both <literal>operator[](size_type)</literal> and a member function <literal>at(size_type)</literal>. This applies to <literal>std::vector</literal> itself, <literal>std::array</literal>, <literal>std::string</literal> and other instances of <literal>std::basic_string</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>operator[](size_type)</literal> is not required by the standard to perform bounds checking (and the implementation in GCC does not). In contrast, <literal>at(size_type)</literal> must perform such a check. Therefore, in code which is not performance-critical, you should prefer <literal>at(size_type)</literal> over <literal>operator[](size_type)</literal>, even though it is slightly more verbose."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Iterators"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Iterators do not perform any bounds checking. Therefore, all functions that work on iterators should accept them in pairs, denoting a range, and make sure that iterators are not moved outside that range. For forward iterators and bidirectional iterators, you need to check for equality before moving the first or last iterator in the range. For random-access iterators, you need to compute the difference before adding or subtracting an offset. It is not possible to perform the operation and check for an invalid operator afterwards."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Output iterators cannot be compared for equality. Therefore, it is impossible to write code that detects that it has been supplied an output area that is too small, and their use should be avoided."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "These issues make some of the standard library functions difficult to use correctly, see <xref linkend=\"sect-Defensive_Coding-CXX-Std-Functions-Unpaired_Iterators\" />."
|
||||
msgstr ""
|
||||
|
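Review bot: three defects in these strings would have gone out to translators as-is and should be fixed in whatever replaces this file: the list of output-iterator algorithms names `std::partition_copy_if`, which is not a standard library function (the C++11 algorithm is `std::partition_copy`); "subscribing with `operator[]`" should be "subscripting"; and "check for an invalid operator afterwards" in the Iterators paragraph should be "invalid iterator", since the sentence is about moving iterators outside a range.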
19
pot/CXX.pot
|
@ -1,19 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The C++ Programming Language"
|
||||
msgstr ""
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The C++ Programming Language"
|
||||
msgstr ""
|
||||
|
|
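Review bot: this template is identical to the one deleted just above except for its header dates (`POT-Creation-Date: 2013-08-13T01:54:52` here against `2013-09-18T00:49:42` there), so the tree carried two generations of the same POT side by side; removing both is the right call, but any per-language `.po` files merged from either generation should be dropped or re-merged in the same change so no translation keeps referring to a template that no longer exists.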
@ -1,154 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The core language"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "C++ includes a large subset of the C language. As far as the C subset is used, the recommendations in <xref linkend=\"chap-Defensive_Coding-C\" /> apply."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Array allocation with <literal>operator new[]</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For very large values of <literal>n</literal>, an expression like <literal>new T[n]</literal> can return a pointer to a heap region which is too small. In other words, not all array elements are actually backed with heap memory reserved to the array. Current GCC versions generate code that performs a computation of the form <literal>sizeof(T) * size_t(n) + cookie_size</literal>, where <literal>cookie_size</literal> is currently at most 8. This computation can overflow, and GCC-generated code does not detect this."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>std::vector</literal> template can be used instead an explicit array allocation. (The GCC implementation detects overflow internally.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If there is no alternative to <literal>operator new[]</literal>, code which allocates arrays with a variable length must check for overflow manually. For the <literal>new T[n]</literal> example, the size check could be <literal>n || (n > 0 && n > (size_t(-1) - 8) / sizeof(T))</literal>. (See <xref linkend=\"sect-Defensive_Coding-C-Arithmetic\" />.) If there are additional dimensions (which must be constants according to the C++ standard), these should be included as factors in the divisor."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "These countermeasures prevent out-of-bounds writes and potential code execution. Very large memory allocations can still lead to a denial of service. <xref linkend=\"sect-Defensive_Coding-Tasks-Serialization-Decoders\" /> contains suggestions for mitigating this problem when processing untrusted data."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "See <xref linkend=\"sect-Defensive_Coding-C-Allocators-Arrays\" /> for array allocation advice for C-style memory allocation."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Overloading"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Do not overload functions with versions that have different security characteristics. For instance, do not implement a function <function>strcat</function> which works on <type>std::string</type> arguments. Similarly, do not name methods after such functions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "ABI compatibility and preparing for security updates"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "A stable binary interface (ABI) is vastly preferred for security updates. Without a stable ABI, all reverse dependencies need recompiling, which can be a lot of work and could even be impossible in some cases. Ideally, a security update only updates a single dynamic shared object, and is picked up automatically after restarting affected processes."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Outside of extremely performance-critical code, you should ensure that a wide range of changes is possible without breaking ABI. Some very basic guidelines are:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Avoid inline functions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Use the pointer-to-implementation idiom."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Try to avoid templates. Use them if the increased type safety provides a benefit to the programmer."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Move security-critical code out of templated code, so that it can be patched in a central place if necessary."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The KDE project publishes a document with more extensive guidelines on ABI-preserving changes to C++ code, <ulink url=\"http://techbase.kde.org/Policies/Binary_Compatibility_Issues_With_C++\">Policies/Binary Compatibility Issues With C++</ulink> (<emphasis>d-pointer</emphasis> refers to the pointer-to-implementation idiom)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "C++0X and C++11 support"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "GCC offers different language compatibility modes:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<option>-std=c++98</option> for the original 1998 C++ standard"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<option>-std=c++03</option> for the 1998 standard with the changes from the TR1 technical report"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<option>-std=c++11</option> for the 2011 C++ standard. This option should not be used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<option>-std=c++0x</option> for several different versions of C++11 support in development, depending on the GCC version. This option should not be used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For each of these flags, there are variants which also enable GNU extensions (mostly language features also found in C99 or C11): <option>-std=gnu++98</option>, <option>-std=gnu++03</option>, <option>-std=gnu++11</option>. Again, <option>-std=gnu++11</option> should not be used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you enable C++11 support, the ABI of the standard C++ library <literal>libstdc++</literal> will change in subtle ways. Currently, no C++ libraries are compiled in C++11 mode, so if you compile your code in C++11 mode, it will be incompatible with the rest of the system. Unfortunately, this is also the case if you do not use any C++11 features. Currently, there is no safe way to enable C++11 mode (except for freestanding applications)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The meaning of C++0X mode changed from GCC release to GCC release. Earlier versions were still ABI-compatible with C++98 mode, but in the most recent versions, switching to C++0X mode activates C++11 support, with its compatibility problems."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some C++11 features (or approximations thereof) are available with TR1 support, that is, with <option>-std=c++03</option> or <option>-std=gnu++03</option> and in the <literal><tr1/*></literal> header files. This includes <literal>std::tr1::shared_ptr</literal> (from <literal><tr1/memory></literal>) and <literal>std::tr1::function</literal> (from <literal><tr1/functional></literal>). For other C++11 features, the Boost C++ library contains replacements."
|
||||
msgstr ""
|
||||
|
|
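Review bot: this older copy (created 2013-08-13) was already stale relative to the 2013-09-18 copy deleted above: here the overflow paragraph says "GCC-generated code does not detect this", whereas the newer copy states that GCC versions prior to 4.8 failed to detect it (fixed in Fedora 18) and restricts the manual check to sources built with older GCC versions. The same `n || (n > 0 && ...)` size check appears here as well, so the lost leading term is not specific to one generation of the template.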
@ -1,39 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The C++ standard library"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The C++ standard library includes most of its C counterpart by reference, see <xref linkend=\"sect-Defensive_Coding-C-Libc\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Containers and <literal>operator[]</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Many containers similar to <literal>std::vector</literal> provide both <literal>operator[](size_type)</literal> and a member function <literal>at(size_type)</literal>. This applies to <literal>std::vector</literal> itself, <literal>std::array</literal>, <literal>std::string</literal> and other instances of <literal>std::basic_string</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>operator[](size_type)</literal> is not required by the standard to perform bounds checking (and the implementation in GCC does not). In contrast, <literal>at(size_type)</literal> must perform such a check. Therefore, in code which is not performance-critical, you should prefer <literal>at(size_type)</literal> over <literal>operator[](size_type)</literal>, even though it is slightly more verbose."
|
||||
msgstr ""
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Programming Languages"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Specific Programming Tasks"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Implementing Security Features"
|
||||
msgstr ""
|
||||
|
|
@ -1,139 +0,0 @@
#
# AUTHOR <EMAIL@ADDRESS>, YEAR.
#
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2013-09-18T00:49:42\n"
"PO-Revision-Date: 2013-09-18T00:49:42\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"

#. Tag: title
#, no-c-format
msgid "Authentication and Authorization"
msgstr ""

#. Tag: title
#, no-c-format
msgid "Authenticating servers"
msgstr ""

#. Tag: para
#, no-c-format
msgid "When connecting to a server, a client has to make sure that it is actually talking to the server it expects. There are two different aspects, securing the network path, and making sure that the expected user runs the process on the target host. There are several ways to ensure that:"
msgstr ""

#. Tag: para
#, no-c-format
msgid "The server uses a TLS certificate which is valid according to the web browser public key infrastructure, and the client verifies the certificate and the host name."
msgstr ""

#. Tag: para
#, no-c-format
msgid "The server uses a TLS certificate which is expectedby the client (perhaps it is stored in a configuration file read by the client). In this case, no host name checking is required."
msgstr ""

#. Tag: para
#, no-c-format
msgid "On Linux, UNIX domain sockets (of the <literal>PF_UNIX</literal> protocol family, sometimes called <literal>PF_LOCAL</literal>) are restricted by file system permissions. If the server socket path is not world-writable, the server identity cannot be spoofed by local users."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Port numbers less than 1024 (<emphasis>trusted ports</emphasis>) can only be used by <literal>root</literal>, so if a UDP or TCP server is running on the local host and it uses a trusted port, its identity is assured. (Not all operating systems enforce the trusted ports concept, and the network might not be trusted, so it is only useful on the local system.)"
msgstr ""

#. Tag: para
#, no-c-format
msgid "TLS (<xref linkend=\"chap-Defensive_Coding-TLS\" />) is the recommended way for securing connections over untrusted networks."
msgstr ""

#. Tag: para
#, no-c-format
msgid "If the server port number is 1024 is higher, a local user can impersonate the process by binding to this socket, perhaps after crashing the real server by exploiting a denial-of-service vulnerability."
msgstr ""

#. Tag: title
#, no-c-format
msgid "Host-based authentication"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Host-based authentication uses access control lists (ACLs) to accept or deny requests from clients. Thsis authentication method comes in two flavors: IP-based (or, more generally, address-based) and name-based (with the name coming from DNS or <filename>/etc/hosts</filename>). IP-based ACLs often use prefix notation to extend access to entire subnets. Name-based ACLs sometimes use wildcards for adding groups of hosts (from entire DNS subtrees). (In the SSH context, host-based authentication means something completely different and is not covered in this section.)"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Host-based authentication trust the network and may not offer sufficient granularity, so it has to be considered a weak form of authentication. On the other hand, IP-based authentication can be made extremely robust and can be applied very early in input processing, so it offers an opportunity for significantly reducing the number of potential attackers for many services."
msgstr ""

#. Tag: para
#, no-c-format
msgid "The names returned by <function>gethostbyaddr</function> and <function>getnameinfo</function> functions cannot be trusted. (DNS PTR records can be set to arbitrary values, not just names belong to the address owner.) If these names are used for ACL matching, a forward lookup using <function>gethostbyaddr</function> or <function>getaddrinfo</function> has to be performed. The name is only valid if the original address is found among the results of the forward lookup (<emphasis>double-reverse lookup</emphasis>)."
msgstr ""

#. Tag: para
#, no-c-format
msgid "An empty ACL should deny all access (deny-by-default). If empty ACLs permits all access, configuring any access list must switch to deny-by-default for all unconfigured protocols, in both name-based and address-based variants."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Similarly, if an address or name is not matched by the list, it should be denied. However, many implementations behave differently, so the actual behavior must be documented properly."
msgstr ""

#. Tag: para
#, no-c-format
msgid "IPv6 addresses can embed IPv4 addresses. There is no universally correct way to deal with this ambiguity. The behavior of the ACL implementation should be documented."
msgstr ""

#. Tag: title
#, no-c-format
msgid "UNIX domain socket authentication"
msgstr ""

#. Tag: para
#, no-c-format
msgid "UNIX domain sockets (with address family <literal>AF_UNIX</literal> or <literal>AF_LOCAL</literal>) are restricted to the local host and offer a special authentication mechanism: credentials passing."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Nowadays, most systems support the <literal>SO_PEERCRED</literal> (Linux) or <literal>LOCAL_PEERCRED</literal> (FreeBSD) socket options, or the <function>getpeereid</function> (other BSDs, MacOS X). These interfaces provide direct access to the (effective) user ID on the other end of a domain socket connect, without cooperation from the other end."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Historically, credentials passing was implemented using ancillary data in the <function>sendmsg</function> and <function>recvmsg</function> functions. On some systems, only credentials data that the peer has explicitly sent can be received, and the kernel checks the data for correctness on the sending side. This means that both peers need to deal with ancillary data. Compared to that, the modern interfaces are easier to use. Both sets of interfaces vary considerably among UNIX-like systems, unfortunately."
msgstr ""

#. Tag: para
#, no-c-format
msgid "If you want to authenticate based on supplementary groups, you should obtain the user ID using one of these methods, and look up the list of supplementary groups using <function>getpwuid</function> (or <function>getpwuid_r</function>) and <function>getgrouplist</function>. Using the PID and information from <filename>/proc/PID/status</filename> is prone to race conditions and insecure."
msgstr ""

#. Tag: title
#, no-c-format
msgid "<literal>AF_NETLINK</literal> authentication of origin"
msgstr ""

#. Tag: para
#, no-c-format
msgid "Netlink messages are used as a high-performance data transfer mechanism between the kernel and the userspace. Traditionally, they are used to exchange information related to the network statck, such as routing table entries."
msgstr ""

#. Tag: para
#, no-c-format
msgid "When processing Netlink messages from the kernel, it is important to check that these messages actually originate from the kernel, by checking that the port ID (or PID) field <literal>nl_pid</literal> in the <literal>sockaddr_nl</literal> structure is <literal>0</literal>. (This structure can be obtained using <function>recvfrom</function> or <function>recvmsg</function>, it is different from the <literal>nlmsghdr</literal> structure.) The kernel does not prevent other processes from sending unicast Netlink messages, but the <literal>nl_pid</literal> field in the sender's socket address will be non-zero in such cases."
msgstr ""

#. Tag: para
#, no-c-format
msgid "Applications should not use <literal>AF_NETLINK</literal> sockets as an IPC mechanism among processes, but prefer UNIX domain sockets for this tasks."
msgstr ""

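Review bot: the double-reverse lookup paragraph removed here names <function>gethostbyaddr</function> for the forward lookup, but gethostbyaddr is the reverse (address-to-name) call; the forward step is gethostbyname or getaddrinfo. If these strings are being carried into new sources rather than dropped with the template, that correction and the visible typos should go with them: "expectedby", "Thsis authentication method", "Host-based authentication trust the network", "If the server port number is 1024 is higher" (or higher), "names belong to the address owner", "network statck", and "for this tasks".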
@ -1,694 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Transport Layer Security"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the recommended way to to protect integrity and confidentiality while data is transferred over an untrusted network connection, and to identify the endpoint."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Common Pitfalls"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "TLS implementations are difficult to use, and most of them lack a clean API design. The following sections contain implementation-specific advice, and some generic pitfalls are mentioned below."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Most TLS implementations have questionable default TLS cipher suites. Most of them enable anonymous Diffie-Hellman key exchange (but we generally want servers to authenticate themselves). Many do not disable ciphers which are subject to brute-force attacks because of restricted key lengths. Some even disable all variants of AES in the default configuration."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When overriding the cipher suite defaults, it is recommended to disable all cipher suites which are not present on a whitelist, instead of simply enabling a list of cipher suites. This way, if an algorithm is disabled by default in the TLS implementation in a future security update, the application will not re-enable it."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The name which is used in certificate validation must match the name provided by the user or configuration file. No host name canonicalization or IP address lookup must be performed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The TLS handshake has very poor performance if the TCP Nagle algorithm is active. You should switch on the <literal>TCP_NODELAY</literal> socket option (at least for the duration of the handshake), or use the Linux-specific <literal>TCP_CORK</literal> option."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Deactivating the TCP Nagle algorithm"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Implementing proper session resumption decreases handshake overhead considerably. This is important if the upper-layer protocol uses short-lived connections (like most application of HTTPS)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Both client and server should work towards an orderly connection shutdown, that is send <literal>close_notify</literal> alerts and respond to them. This is especially important if the upper-layer protocol does not provide means to detect connection truncation (like some uses of HTTP)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When implementing a server using event-driven programming, it is important to handle the TLS handshake properly because it includes multiple network round-trips which can block when an ordinary TCP <function>accept</function> would not. Otherwise, a client which fails to complete the TLS handshake for some reason will prevent the server from handling input from other clients."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Unlike regular file descriptors, TLS connections cannot be passed between processes. Some TLS implementations add additional restrictions, and TLS connections generally cannot be used across <function>fork</function> function calls (see <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-Fork-Parallel\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "OpenSSL Pitfalls"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some OpenSSL function use <emphasis>tri-state return values</emphasis>. Correct error checking is extremely important. Several functions return <literal>int</literal> values with the following meaning:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The value <literal>1</literal> indicates success (for example, a successful signature verification)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The value <literal>0</literal> indicates semantic failure (for example, a signature verification which was unsuccessful because the signing certificate was self-signed)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The value <literal>-1</literal> indicates a low-level error in the system, such as failure to allocate memory using <function>malloc</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Treating such tri-state return values as booleans can lead to security vulnerabilities. Note that some OpenSSL functions return boolean results or yet another set of status indicators. Each function needs to be checked individually."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Recovering precise error information is difficult. <xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Errors\" /> shows how to obtain a more precise error code after a function call on an <literal>SSL</literal> object has failed. However, there are still cases where no detailed error information is available (e.g., if <function>SSL_shutdown</function> fails due to a connection teardown by the other end)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Obtaining OpenSSL error codes"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>OPENSSL_config</function> function is documented to never fail. In reality, it can terminate the entire process if there is a failure accessing the configuration file. An error message is written to standard error, but which might not be visible if the function is called from a daemon process."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "OpenSSL contains two separate ASN.1 DER decoders. One set of decoders operate on BIO handles (the input/output stream abstraction provided by OpenSSL); their decoder function names start with <literal>d2i_</literal> and end in <literal>_fp</literal> or <literal>_bio</literal> (e.g., <function>d2i_X509_fp</function> or <function>d2i_X509_bio</function>). These decoders must not be used for parsing data from untrusted sources; instead, the variants without the <literal>_fp</literal> and <literal>_bio</literal> (e.g., <function>d2i_X509</function>) shall be used. The BIO variants have received considerably less testing and are not very robust."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For the same reason, the OpenSSL command line tools (such as <command>openssl x509</command>) are generally generally less robust than the actual library code. They use the BIO functions internally, and not the more robust variants."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The command line tools do not always indicate failure in the exit status of the <application>openssl</application> process. For instance, a verification failure in <command>openssl verify</command> result in an exit status of zero."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The OpenSSL server and client applications (<command>openssl s_client</command> and <command>openssl s_server</command>) are debugging tools and should <emphasis>never</emphasis> be used as generic clients. For instance, the <application>s_client</application> tool reacts in a surprisign way to lines starting with <literal>R</literal> and <literal>Q</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "OpenSSL allows application code to access private key material over documented interfaces. This can significantly increase the part of the code base which has to undergo security certification."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "GNUTLS Pitfalls"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<filename>libgnutls.so.26</filename> links to <filename>libpthread.so.0</filename>. Loading the threading library too late causes problems, so the main program should be linked with <literal>-lpthread</literal> as well. As a result, it can be difficult to use GNUTLS in a plugin which is loaded with the <function>dlopen</function> function. Another side effect is that applications which merely link against GNUTLS (even without actually using it) may incur a substantial overhead because other libraries automatically switch to thread-safe algorithms."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>gnutls_global_init</function> function must be called before using any functionality provided by the library. This function is not thread-safe, so external locking is required, but it is not clear which lock should be used. Omitting the synchronization does not just lead to a memory leak, as it is suggested in the GNUTLS documentation, but to undefined behavior because there is no barrier that would enforce memory ordering."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>gnutls_global_deinit</function> function does not actually deallocate all resources allocated by <function>gnutls_global_init</function>. It is currently not thread-safe. Therefore, it is best to avoid calling it altogether."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The X.509 implementation in GNUTLS is rather lenient. For example, it is possible to create and process X.509 version 1 certificates which carry extensions. These certificates are (correctly) rejected by other implementations."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "OpenJDK Pitfalls"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The Java cryptographic framework is highly modular. As a result, when you request an object implementing some cryptographic functionality, you cannot be completely sure that you end up with the well-tested, reviewed implementation in OpenJDK."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "OpenJDK (in the source code as published by Oracle) and other implementations of the Java platform require that the system administrator has installed so-called <emphasis>unlimited strength jurisdiction policy files</emphasis>. Without this step, it is not possible to use the secure algorithms which offer sufficient cryptographic strength. Most downstream redistributors of OpenJDK remove this requirement."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some versions of OpenJDK use <filename>/dev/random</filename> as the randomness source for nonces and other random data which is needed for TLS operation, but does not actually require physical randomness. As a result, TLS applications can block, waiting for more bits to become available in <filename>/dev/random</filename>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "NSS Pitfalls"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "NSS was not designed to be used by other libraries which can be linked into applications without modifying them. There is a lot of global state. There does not seem to be a way to perform required NSS initialization without race conditions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the NSPR descriptor is in an unexpected state, the <function>SSL_ForceHandshake</function> function can succeed, but no TLS handshake takes place, the peer is not authenticated, and subsequent data is exchanged in the clear."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "NSS disables itself if it detects that the process underwent a <function>fork</function> after the library has been initialized. This behavior is required by the PKCS#11 API specification."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "TLS Clients"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Secure use of TLS in a client generally involves all of the following steps. (Individual instructions for specific TLS implementations follow in the next sections.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The client must configure the TLS library to use a set of trusted root certificates. These certificates are provided by the system in <filename class=\"directory\">/etc/ssl/certs</filename> or files derived from it."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The client selects sufficiently strong cryptographic primitives and disables insecure ones (such as no-op encryption). Compression and SSL version 2 support must be disabled (including the SSLv2-compatible handshake)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The client initiates the TLS connection. The Server Name Indication extension should be used if supported by the TLS implementation. Before switching to the encrypted connection state, the contents of all input and output buffers must be discarded."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The client needs to validate the peer certificate provided by the server, that is, the client must check that there is a cryptographically protected chain from a trusted root certificate to the peer certificate. (Depending on the TLS implementation, a TLS handshake can succeed even if the certificate cannot be validated.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The client must check that the configured or user-provided server name matches the peer certificate provided by the server."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is safe to provide users detailed diagnostics on certificate validation failures. Other causes of handshake failures and, generally speaking, any details on other errors reported by the TLS implementation (particularly exception tracebacks), must not be divulged in ways that make them accessible to potential attackers. Otherwise, it is possible to create decryption oracles."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Depending on the application, revocation checking (against certificate revocations lists or via OCSP) and session resumption are important aspects of production-quality client. These aspects are not yet covered."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Implementation TLS Clients With OpenSSL"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In the following code, the error handling is only exploratory. Proper error handling is required for production use, especially in libraries."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The OpenSSL library needs explicit initialization (see <xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Init\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "OpenSSL library initialization"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After that, a context object has to be created, which acts as a factory for connection objects (<xref linkend=\"ex-Defensive_Coding-TLS-Client-OpenSSL-CTX\" />). We use an explicit cipher list so that we do not pick up any strange ciphers when OpenSSL is upgraded. The actual version requested in the client hello depends on additional restrictions in the OpenSSL library. If possible, you should follow the example code and use the default list of trusted root certificate authorities provided by the system because you would have to maintain your own set otherwise, which can be cumbersome."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "OpenSSL client context creation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "A single context object can be used to create multiple connection objects. It is safe to use the same <literal>SSL_CTX</literal> object for creating connections concurrently from multiple threads, provided that the <literal>SSL_CTX</literal> object is not modified (e.g., callbacks must not be changed)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After creating the TCP socket and disabling the Nagle algorithm (per <xref linkend=\"ex-Defensive_Coding-TLS-Nagle\" />), the actual connection object needs to be created, as show in <xref linkend=\"ex-Defensive_Coding-TLS-Client-OpenSSL-CTX\" />. If the handshake started by <function>SSL_connect</function> fails, the <function>ssl_print_error_and_exit</function> function from <xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Errors\" /> is called."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>certificate_validity_override</function> function provides an opportunity to override the validity of the certificate in case the OpenSSL check fails. If such functionality is not required, the call can be removed, otherwise, the application developer has to implement it."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The host name passed to the functions <function>SSL_set_tlsext_host_name</function> and <function>X509_check_host</function> must be the name that was passed to <function>getaddrinfo</function> or a similar name resolution function. No host name canonicalization must be performed. The <function>X509_check_host</function> function used in the final step for host name matching is currently only implemented in OpenSSL 1.1, which is not released yet. In case host name matching fails, the function <function>certificate_host_name_override</function> is called. This function should check user-specific certificate store, to allow a connection even if the host name does not match the certificate. This function has to be provided by the application developer. Note that the override must be keyed by both the certificate <emphasis>and</emphasis> the host name."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Creating a client connection using OpenSSL"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The connection object can be used for sending and receiving data, as in <xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Connection-Use\" />. It is also possible to create a <literal>BIO</literal> object and use the <literal>SSL</literal> object as the underlying transport, using <function>BIO_set_ssl</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using an OpenSSL connection to send and receive data"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When it is time to close the connection, the <function>SSL_shutdown</function> function needs to be called twice for an orderly, synchronous connection termination (<xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Connection-Close\" />). This exchanges <literal>close_notify</literal> alerts with the server. The additional logic is required to deal with an unexpected <literal>close_notify</literal> from the server. Note that is necessary to explicitly close the underlying socket after the connection object has been freed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Closing an OpenSSL connection in an orderly fashion"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Context-Close\" /> shows how to deallocate the context object when it is no longer needed because no further TLS connections will be established."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Implementation TLS Clients With GNUTLS"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This section describes how to implement a TLS client with full certificate validation (but without certificate revocation checking). Note that the error handling in is only exploratory and needs to be replaced before production use."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The GNUTLS library needs explicit initialization:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Failing to do so can result in obscure failures in Base64 decoding. See <xref linkend=\"sect-Defensive_Coding-TLS-Pitfalls-GNUTLS\" /> for additional aspects of initialization."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Before setting up TLS connections, a credentials objects has to be allocated and initialized with the set of trusted root CAs (<xref linkend=\"ex-Defensive_Coding-TLS-Client-GNUTLS-Credentials\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Initializing a GNUTLS credentials structure"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After the last TLS connection has been closed, this credentials object should be freed:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "During its lifetime, the credentials object can be used to initialize TLS session objects from multiple threads, provided that it is not changed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Once the TCP connection has been established, the Nagle algorithm should be disabled (see <xref linkend=\"ex-Defensive_Coding-TLS-Nagle\" />). After that, the socket can be associated with a new GNUTLS session object. The previously allocated credentials object provides the set of root CAs. The <literal>NORMAL</literal> set of cipher suites and protocols provides a reasonable default. Then the TLS handshake must be initiated. This is shown in <xref linkend=\"ex-Defensive_Coding-TLS-Client-GNUTLS-Connect\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Establishing a TLS client connection using GNUTLS"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After the handshake has been completed, the server certificate needs to be verified (<xref linkend=\"ex-Defensive_Coding-TLS-Client-GNUTLS-Verify\" />). In the example, the user-defined <function>certificate_validity_override</function> function is called if the verification fails, so that a separate, user-specific trust store can be checked. This function call can be omitted if the functionality is not needed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Verifying a server certificate using GNUTLS"
msgstr ""
#. Tag: para
#, no-c-format
msgid "In the next step (<xref linkend=\"ex-Defensive_Coding-TLS-Client-GNUTLS-Match\" />, the certificate must be matched against the host name (note the unusual return value from <function>gnutls_x509_crt_check_hostname</function>). Again, an override function <function>certificate_host_name_override</function> is called. Note that the override must be keyed to the certificate <emphasis>and</emphasis> the host name. The function call can be omitted if the override is not needed."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Matching the server host name and certificate in a GNUTLS client"
msgstr ""
#. Tag: para
#, no-c-format
msgid "In newer GNUTLS versions, certificate checking and host name validation can be combined using the <function>gnutls_certificate_verify_peers3</function> function."
msgstr ""
#. Tag: para
#, no-c-format
msgid "An established TLS session can be used for sending and receiving data, as in <xref linkend=\"ex-Defensive_Coding-TLS-GNUTLS-Use\" />."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Using a GNUTLS session"
msgstr ""
#. Tag: para
#, no-c-format
msgid "In order to shut down a connection in an orderly manner, you should call the <function>gnutls_bye</function> function. Finally, the session object can be deallocated using <function>gnutls_deinit</function> (see <xref linkend=\"ex-Defensive_Coding-TLS-GNUTLS-Disconnect\" />)."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Implementing TLS Clients With OpenJDK"
msgstr ""
#. Tag: para
#, no-c-format
msgid "The examples below use the following cryptographic-related classes:"
msgstr ""
#. Tag: para
#, no-c-format
msgid "If compatibility with OpenJDK 6 is required, it is necessary to use the internal class <literal>sun.security.util.HostnameChecker</literal>. (The public OpenJDK API does not provide any support for dissecting the subject distinguished name of an X.509 certificate, so a custom-written DER parser is needed—or we have to use an internal class, which we do below.) In OpenJDK 7, the <function>setEndpointIdentificationAlgorithm</function> method was added to the <literal>javax.net.ssl.SSLParameters</literal> class, providing an official way to implement host name checking."
msgstr ""
#. Tag: para
#, no-c-format
msgid "TLS connections are established using an <literal>SSLContext</literal> instance. With a properly configured OpenJDK installation, the <literal>SunJSSE</literal> provider uses the system-wide set of trusted root certificate authorities, so no further configuration is necessary. For backwards compatibility with OpenJDK 6, the <literal>TLSv1</literal> provider has to be supported as a fall-back option. This is shown in <xref linkend=\"ex-Defensive_Coding-TLS-Client-OpenJDK-Context\" />."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Setting up an <literal>SSLContext</literal> for OpenJDK TLS clients"
msgstr ""
#. Tag: para
#, no-c-format
msgid "In addition to the context, a TLS parameter object will be needed which adjusts the cipher suites and protocols (<xref linkend=\"ex-Defensive_Coding-TLS-OpenJDK-Parameters\" />). Like the context, these parameters can be reused for multiple TLS connections."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Setting up <literal>SSLParameters</literal> for TLS use with OpenJDK"
msgstr ""
#. Tag: para
#, no-c-format
msgid "As initialized above, the parameter object does not yet require host name checking. This has to be enabled separately, and this is only supported by OpenJDK 7 and later:"
msgstr ""
#. Tag: para
#, no-c-format
msgid "All application protocols can use the <literal>\"HTTPS\"</literal> algorithm. (The algorithms have minor differences with regard to wildcard handling, which should not matter in practice.)"
msgstr ""
#. Tag: para
#, no-c-format
msgid "<xref linkend=\"ex-Defensive_Coding-TLS-Client-OpenJDK-Connect\" /> shows how to establish the connection. Before the handshake is initialized, the protocol and cipher configuration has to be performed, by applying the parameter object <literal>params</literal>. (After this point, changes to <literal>params</literal> will not affect this TLS socket.) As mentioned initially, host name checking requires using an internal API on OpenJDK 6."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Establishing a TLS connection with OpenJDK"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Starting with OpenJDK 7, the last lines can be omitted, provided that host name verification has been enabled by calling the <function>setEndpointIdentificationAlgorithm</function> method on the <literal>params</literal> object (before it was applied to the socket)."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The TLS socket can be used as a regular socket, as shown in <xref linkend=\"ex-Defensive_Coding-TLS-Client-OpenJDK-Use\" />."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Using a TLS client socket in OpenJDK"
msgstr ""
#. Tag: title
#, no-c-format
msgid "Overriding server certificate validation with OpenJDK 6"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Overriding certificate validation requires a custom trust manager. With OpenJDK 6, the trust manager lacks information about the TLS session, and to which server the connection is made. Certificate overrides have to be tied to specific servers (host names). Consequently, different <literal>TrustManager</literal> and <literal>SSLContext</literal> objects have to be used for different servers."
msgstr ""
#. Tag: para
#, no-c-format
msgid "In the trust manager shown in <xref linkend=\"ex-Defensive_Coding-TLS-Client-MyTrustManager\" />, the server certificate is identified by its SHA-256 hash."
msgstr ""
#. Tag: title
#, no-c-format
msgid "A customer trust manager for OpenJDK TLS clients"
msgstr ""
#. Tag: para
#, no-c-format
msgid "This trust manager has to be passed to the <literal>init</literal> method of the <literal>SSLContext</literal> object, as show in <xref linkend=\"ex-Defensive_Coding-TLS-Client-Context_For_Cert\" />."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Using a custom TLS trust manager with OpenJDK"
msgstr ""
#. Tag: para
#, no-c-format
msgid "When certificate overrides are in place, host name verification should not be performed because there is no security requirement that the host name in the certificate matches the host name used to establish the connection (and it often will not). However, without host name verification, it is not possible to perform transparent fallback to certification validation using the system certificate store."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The approach described above works with OpenJDK 6 and later versions. Starting with OpenJDK 7, it is possible to use a custom subclass of the <literal>javax.net.ssl.X509ExtendedTrustManager</literal> class. The OpenJDK TLS implementation will call the new methods, passing along TLS session information. This can be used to implement certificate overrides as a fallback (if certificate or host name verification fails), and a trust manager object can be used for multiple servers because the server address is available to the trust manager."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Implementing TLS Clients With NSS"
msgstr ""
#. Tag: para
#, no-c-format
msgid "The following code shows how to implement a simple TLS client using NSS. These instructions apply to NSS version 3.14 and later. Versions before 3.14 need different initialization code."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Keep in mind that the error handling needs to be improved before the code can be used in production."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Using NSS needs several header files, as shown in <xref linkend=\"ex-Defensive_Coding-TLS-NSS-Includes\" />."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Include files for NSS"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Initializing the NSS library is shown in <xref linkend=\"ex-Defensive_Coding-TLS-NSS-Init\" />. This initialization procedure overrides global state. We only call <function>NSS_SetDomesticPolicy</function> if there are no strong ciphers available, assuming that it has already been called otherwise. This avoids overriding the process-wide cipher suite policy unnecessarily."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The simplest way to configured the trusted root certificates involves loading the <filename>libnssckbi.so</filename> NSS module with a call to the <function>SECMOD_LoadUserModule</function> function. The root certificates are compiled into this module. (The PEM module for NSS, <filename>libnsspem.so</filename>, offers a way to load trusted CA certificates from a file.)"
msgstr ""
#. Tag: title
#, no-c-format
msgid "Initializing the NSS library"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Some of the effects of the initialization can be reverted with the following function calls:"
msgstr ""
#. Tag: para
#, no-c-format
msgid "After NSS has been initialized, the TLS connection can be created (<xref linkend=\"ex-Defensive_Coding-TLS-Client-NSS-Connect\" />). The internal <function>PR_ImportTCPSocket</function> function is used to turn the POSIX file descriptor <literal>sockfd</literal> into an NSPR file descriptor. (This function is de-facto part of the NSS public ABI, so it will not go away.) Creating the TLS-capable file descriptor requires a <emphasis>model</emphasis> descriptor, which is configured with the desired set of protocols. The model descriptor is not needed anymore after TLS support has been activated for the existing connection descriptor."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The call to <function>SSL_BadCertHook</function> can be omitted if no mechanism to override certificate verification is needed. The <literal>bad_certificate</literal> function must check both the host name specified for the connection and the certificate before granting the override."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Triggering the actual handshake requires three function calls, <function>SSL_ResetHandshake</function>, <function>SSL_SetURL</function>, and <function>SSL_ForceHandshake</function>. (If <function>SSL_ResetHandshake</function> is omitted, <function>SSL_ForceHandshake</function> will succeed, but the data will not be encrypted.) During the handshake, the certificate is verified and matched against the host name."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Creating a TLS connection with NSS"
msgstr ""
#. Tag: para
#, no-c-format
msgid "After the connection has been established, <xref linkend=\"ex-Defensive_Coding-TLS-NSS-Use\" /> shows how to use the NSPR descriptor to communicate with the server."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Using NSS for sending and receiving data"
msgstr ""
#. Tag: para
#, no-c-format
msgid "<xref linkend=\"ex-Defensive_Coding-TLS-Client-NSS-Close\" /> shows how to close the connection."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Closing NSS client connections"
msgstr ""
#. Tag: title
#, no-c-format
msgid "Implementing TLS Clients With Python"
msgstr ""
#. Tag: para
#, no-c-format
msgid "The Python distribution provides a TLS implementation in the <literal>ssl</literal> module (actually a wrapper around OpenSSL). The exported interface is somewhat restricted, so that the client code shown below does not fully implement the recommendations in <xref linkend=\"sect-Defensive_Coding-TLS-OpenSSL\" />."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Currently, most Python function which accept <literal>https://</literal> URLs or otherwise implement HTTPS support do not perform certificate validation at all. (For example, this is true for the <literal>httplib</literal> and <literal>xmlrpclib</literal> modules.) If you use HTTPS, you should not use the built-in HTTP clients. The <literal>Curl</literal> class in the <literal>curl</literal> module, as provided by the <literal>python-pycurl</literal> package implements proper certificate validation."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The <literal>ssl</literal> module currently does not perform host name checking on the server certificate. <xref linkend=\"ex-Defensive_Coding-TLS-Client-Python-check_host_name\" /> shows how to implement certificate matching, using the parsed certificate returned by <function>getpeercert</function>."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Implementing TLS host name checking Python (without wildcard support)"
msgstr ""
#. Tag: para
#, no-c-format
msgid "To turn a regular, connected TCP socket into a TLS-enabled socket, use the <function>ssl.wrap_socket</function> function. The function call in <xref linkend=\"ex-Defensive_Coding-TLS-Client-Python-Connect\" /> provides additional arguments to override questionable defaults in OpenSSL and in the Python module."
msgstr ""
#. Tag: para
#, no-c-format
msgid "<literal>ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\"</literal> selects relatively strong cipher suites with certificate-based authentication. (The call to <function>check_host_name</function> function provides additional protection against anonymous cipher suites.)"
msgstr ""
#. Tag: para
#, no-c-format
msgid "<literal>ssl_version=ssl.PROTOCOL_TLSv1</literal> disables SSL 2.0 support. By default, the <literal>ssl</literal> module sends an SSL 2.0 client hello, which is rejected by some servers. Ideally, we would request OpenSSL to negotiated the most recent TLS version supported by the server and the client, but the Python module does not allow this."
msgstr ""
#. Tag: para
#, no-c-format
msgid "<literal>cert_reqs=ssl.CERT_REQUIRED</literal> turns on certificate validation."
msgstr ""
#. Tag: para
#, no-c-format
msgid "<literal>ca_certs='/etc/ssl/certs/ca-bundle.crt'</literal> initializes the certificate store with a set of trusted root CAs. Unfortunately, it is necessary to hard-code this path into applications because the default path in OpenSSL is not available through the Python <literal>ssl</literal> module."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The <literal>ssl</literal> module (and OpenSSL) perform certificate validation, but the certificate must be compared manually against the host name, by calling the <function>check_host_name</function> defined above."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Establishing a TLS client connection with Python"
msgstr ""
#. Tag: para
#, no-c-format
msgid "After the connection has been established, the TLS socket can be used like a regular socket:"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Closing the TLS socket is straightforward as well:"
msgstr ""
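Review bot: Nothing hand-translated is lost in this deletion, since every `msgstr ""` in the file is empty and each entry is a `#. Tag:` / `#, no-c-format` extraction, so the review concern is the replacement text rather than the removal itself: please check that the new sources do not inherit the wording of these strings verbatim, in particular `msgid "A customer trust manager for OpenJDK TLS clients"` (should be "custom"), `The simplest way to configured the trusted root certificates` and `most Python function which accept`, and that the version-specific guidance pinned here (the OpenJDK 6 `sun.security.util.HostnameChecker` fallback, the NSS 3.14 initialization note, `ssl_version=ssl.PROTOCOL_TLSv1` and the `ssl` module host name check) is revisited for currency before it is carried over.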
@ -1,139 +0,0 @@
#
# AUTHOR <EMAIL@ADDRESS>, YEAR.
#
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2013-08-13T01:54:52\n"
"PO-Revision-Date: 2013-08-13T01:54:52\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Tag: title
#, no-c-format
msgid "Authentication and Authorization"
msgstr ""
#. Tag: title
#, no-c-format
msgid "Authenticating servers"
msgstr ""
#. Tag: para
#, no-c-format
msgid "When connecting to a server, a client has to make sure that it is actually talking to the server it expects. There are two different aspects, securing the network path, and making sure that the expected user runs the process on the target host. There are several ways to ensure that:"
msgstr ""
#. Tag: para
#, no-c-format
msgid "The server uses a TLS certificate which is valid according to the web browser public key infrastructure, and the client verifies the certificate and the host name."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The server uses a TLS certificate which is expectedby the client (perhaps it is stored in a configuration file read by the client). In this case, no host name checking is required."
msgstr ""
#. Tag: para
#, no-c-format
msgid "On Linux, UNIX domain sockets (of the <literal>PF_UNIX</literal> protocol family, sometimes called <literal>PF_LOCAL</literal>) are restricted by file system permissions. If the server socket path is not world-writable, the server identity cannot be spoofed by local users."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Port numbers less than 1024 (<emphasis>trusted ports</emphasis>) can only be used by <literal>root</literal>, so if a UDP or TCP server is running on the local host and it uses a trusted port, its identity is assured. (Not all operating systems enforce the trusted ports concept, and the network might not be trusted, so it is only useful on the local system.)"
msgstr ""
#. Tag: para
#, no-c-format
msgid "TLS (<xref linkend=\"chap-Defensive_Coding-TLS\" />) is the recommended way for securing connections over untrusted networks."
msgstr ""
#. Tag: para
#, no-c-format
msgid "If the server port number is 1024 is higher, a local user can impersonate the process by binding to this socket, perhaps after crashing the real server by exploiting a denial-of-service vulnerability."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Host-based authentication"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Host-based authentication uses access control lists (ACLs) to accept or deny requests from clients. Thsis authentication method comes in two flavors: IP-based (or, more generally, address-based) and name-based (with the name coming from DNS or <filename>/etc/hosts</filename>). IP-based ACLs often use prefix notation to extend access to entire subnets. Name-based ACLs sometimes use wildcards for adding groups of hosts (from entire DNS subtrees). (In the SSH context, host-based authentication means something completely different and is not covered in this section.)"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Host-based authentication trust the network and may not offer sufficient granularity, so it has to be considered a weak form of authentication. On the other hand, IP-based authentication can be made extremely robust and can be applied very early in input processing, so it offers an opportunity for significantly reducing the number of potential attackers for many services."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The names returned by <function>gethostbyaddr</function> and <function>getnameinfo</function> functions cannot be trusted. (DNS PTR records can be set to arbitrary values, not just names belong to the address owner.) If these names are used for ACL matching, a forward lookup using <function>gethostbyaddr</function> or <function>getaddrinfo</function> has to be performed. The name is only valid if the original address is found among the results of the forward lookup (<emphasis>double-reverse lookup</emphasis>)."
msgstr ""
#. Tag: para
#, no-c-format
msgid "An empty ACL should deny all access (deny-by-default). If empty ACLs permits all access, configuring any access list must switch to deny-by-default for all unconfigured protocols, in both name-based and address-based variants."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Similarly, if an address or name is not matched by the list, it should be denied. However, many implementations behave differently, so the actual behavior must be documented properly."
msgstr ""
#. Tag: para
#, no-c-format
msgid "IPv6 addresses can embed IPv4 addresses. There is no universally correct way to deal with this ambiguity. The behavior of the ACL implementation should be documented."
msgstr ""
#. Tag: title
#, no-c-format
msgid "UNIX domain socket authentication"
msgstr ""
#. Tag: para
#, no-c-format
msgid "UNIX domain sockets (with address family <literal>AF_UNIX</literal> or <literal>AF_LOCAL</literal>) are restricted to the local host and offer a special authentication mechanism: credentials passing."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Nowadays, most systems support the <literal>SO_PEERCRED</literal> (Linux) or <literal>LOCAL_PEERCRED</literal> (FreeBSD) socket options, or the <function>getpeereid</function> (other BSDs, MacOS X). These interfaces provide direct access to the (effective) user ID on the other end of a domain socket connect, without cooperation from the other end."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Historically, credentials passing was implemented using ancillary data in the <function>sendmsg</function> and <function>recvmsg</function> functions. On some systems, only credentials data that the peer has explicitly sent can be received, and the kernel checks the data for correctness on the sending side. This means that both peers need to deal with ancillary data. Compared to that, the modern interfaces are easier to use. Both sets of interfaces vary considerably among UNIX-like systems, unfortunately."
msgstr ""
#. Tag: para
#, no-c-format
msgid "If you want to authenticate based on supplementary groups, you should obtain the user ID using one of these methods, and look up the list of supplementary groups using <function>getpwuid</function> (or <function>getpwuid_r</function>) and <function>getgrouplist</function>. Using the PID and information from <filename>/proc/PID/status</filename> is prone to race conditions and insecure."
msgstr ""
#. Tag: title
#, no-c-format
msgid "<literal>AF_NETLINK</literal> authentication of origin"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Netlink messages are used as a high-performance data transfer mechanism between the kernel and the userspace. Traditionally, they are used to exchange information related to the network statck, such as routing table entries."
msgstr ""
#. Tag: para
#, no-c-format
msgid "When processing Netlink messages from the kernel, it is important to check that these messages actually originate from the kernel, by checking that the port ID (or PID) field <literal>nl_pid</literal> in the <literal>sockaddr_nl</literal> structure is <literal>0</literal>. (This structure can be obtained using <function>recvfrom</function> or <function>recvmsg</function>, it is different from the <literal>nlmsghdr</literal> structure.) The kernel does not prevent other processes from sending unicast Netlink messages, but the <literal>nl_pid</literal> field in the sender's socket address will be non-zero in such cases."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Applications should not use <literal>AF_NETLINK</literal> sockets as an IPC mechanism among processes, but prefer UNIX domain sockets for this tasks."
msgstr ""
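Review bot: The header of this file (`"Last-Translator: Automatically generated\n"`, `"Content-Type: application/x-publican; charset=UTF-8\n"`) marks it as generated publican output, and every `msgstr ""` below it is empty, so deleting it loses no translation work; the gap is that the commit does not say what produces these templates or what replaces them, and if the generator is still configured the file will simply reappear on the next build, so the commit message ("Remove old POTs") should name the replacement and the generator should be removed or repointed in the same change. Separately, several source strings here are wrong or misspelled and should not be carried into whatever replaces them: `expectedby`, `Thsis authentication method`, `If the server port number is 1024 is higher` (should read "1024 or higher"), `Host-based authentication trust the network`, `network statck`, and `prefer UNIX domain sockets for this tasks`.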
@ -1,694 +0,0 @@
#
# AUTHOR <EMAIL@ADDRESS>, YEAR.
#
msgid ""
msgstr ""
"Project-Id-Version: 0\n"
"POT-Creation-Date: 2013-08-13T01:54:52\n"
"PO-Revision-Date: 2013-08-13T01:54:52\n"
"Last-Translator: Automatically generated\n"
"Language-Team: None\n"
"MIME-Version: 1.0\n"
"Content-Type: application/x-publican; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. Tag: title
#, no-c-format
msgid "Transport Layer Security"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Transport Layer Security (TLS, formerly Secure Sockets Layer/SSL) is the recommended way to to protect integrity and confidentiality while data is transferred over an untrusted network connection, and to identify the endpoint."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Common Pitfalls"
msgstr ""
#. Tag: para
#, no-c-format
msgid "TLS implementations are difficult to use, and most of them lack a clean API design. The following sections contain implementation-specific advice, and some generic pitfalls are mentioned below."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Most TLS implementations have questionable default TLS cipher suites. Most of them enable anonymous Diffie-Hellman key exchange (but we generally want servers to authenticate themselves). Many do not disable ciphers which are subject to brute-force attacks because of restricted key lengths. Some even disable all variants of AES in the default configuration."
msgstr ""
#. Tag: para
#, no-c-format
msgid "When overriding the cipher suite defaults, it is recommended to disable all cipher suites which are not present on a whitelist, instead of simply enabling a list of cipher suites. This way, if an algorithm is disabled by default in the TLS implementation in a future security update, the application will not re-enable it."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The name which is used in certificate validation must match the name provided by the user or configuration file. No host name canonicalization or IP address lookup must be performed."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The TLS handshake has very poor performance if the TCP Nagle algorithm is active. You should switch on the <literal>TCP_NODELAY</literal> socket option (at least for the duration of the handshake), or use the Linux-specific <literal>TCP_CORK</literal> option."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Deactivating the TCP Nagle algorithm"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Implementing proper session resumption decreases handshake overhead considerably. This is important if the upper-layer protocol uses short-lived connections (like most application of HTTPS)."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Both client and server should work towards an orderly connection shutdown, that is send <literal>close_notify</literal> alerts and respond to them. This is especially important if the upper-layer protocol does not provide means to detect connection truncation (like some uses of HTTP)."
msgstr ""
#. Tag: para
#, no-c-format
msgid "When implementing a server using event-driven programming, it is important to handle the TLS handshake properly because it includes multiple network round-trips which can block when an ordinary TCP <function>accept</function> would not. Otherwise, a client which fails to complete the TLS handshake for some reason will prevent the server from handling input from other clients."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Unlike regular file descriptors, TLS connections cannot be passed between processes. Some TLS implementations add additional restrictions, and TLS connections generally cannot be used across <function>fork</function> function calls (see <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-Fork-Parallel\" />)."
msgstr ""
#. Tag: title
#, no-c-format
msgid "OpenSSL Pitfalls"
msgstr ""
#. Tag: para
#, no-c-format
msgid "Some OpenSSL function use <emphasis>tri-state return values</emphasis>. Correct error checking is extremely important. Several functions return <literal>int</literal> values with the following meaning:"
msgstr ""
#. Tag: para
#, no-c-format
msgid "The value <literal>1</literal> indicates success (for example, a successful signature verification)."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The value <literal>0</literal> indicates semantic failure (for example, a signature verification which was unsuccessful because the signing certificate was self-signed)."
msgstr ""
#. Tag: para
#, no-c-format
msgid "The value <literal>-1</literal> indicates a low-level error in the system, such as failure to allocate memory using <function>malloc</function>."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Treating such tri-state return values as booleans can lead to security vulnerabilities. Note that some OpenSSL functions return boolean results or yet another set of status indicators. Each function needs to be checked individually."
msgstr ""
#. Tag: para
#, no-c-format
msgid "Recovering precise error information is difficult. <xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Errors\" /> shows how to obtain a more precise error code after a function call on an <literal>SSL</literal> object has failed. However, there are still cases where no detailed error information is available (e.g., if <function>SSL_shutdown</function> fails due to a connection teardown by the other end)."
msgstr ""
#. Tag: title
#, no-c-format
msgid "Obtaining OpenSSL error codes"
msgstr ""
#. Tag: para
#, no-c-format
msgid "The <function>OPENSSL_config</function> function is documented to never fail. In reality, it can terminate the entire process if there is a failure accessing the configuration file. An error message is written to standard error, but which might not be visible if the function is called from a daemon process."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "OpenSSL contains two separate ASN.1 DER decoders. One set of decoders operate on BIO handles (the input/output stream abstraction provided by OpenSSL); their decoder function names start with <literal>d2i_</literal> and end in <literal>_fp</literal> or <literal>_bio</literal> (e.g., <function>d2i_X509_fp</function> or <function>d2i_X509_bio</function>). These decoders must not be used for parsing data from untrusted sources; instead, the variants without the <literal>_fp</literal> and <literal>_bio</literal> (e.g., <function>d2i_X509</function>) shall be used. The BIO variants have received considerably less testing and are not very robust."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For the same reason, the OpenSSL command line tools (such as <command>openssl x509</command>) are generally generally less robust than the actual library code. They use the BIO functions internally, and not the more robust variants."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The command line tools do not always indicate failure in the exit status of the <application>openssl</application> process. For instance, a verification failure in <command>openssl verify</command> result in an exit status of zero."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The OpenSSL server and client applications (<command>openssl s_client</command> and <command>openssl s_server</command>) are debugging tools and should <emphasis>never</emphasis> be used as generic clients. For instance, the <application>s_client</application> tool reacts in a surprisign way to lines starting with <literal>R</literal> and <literal>Q</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "OpenSSL allows application code to access private key material over documented interfaces. This can significantly increase the part of the code base which has to undergo security certification."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "GNUTLS Pitfalls"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<filename>libgnutls.so.26</filename> links to <filename>libpthread.so.0</filename>. Loading the threading library too late causes problems, so the main program should be linked with <literal>-lpthread</literal> as well. As a result, it can be difficult to use GNUTLS in a plugin which is loaded with the <function>dlopen</function> function. Another side effect is that applications which merely link against GNUTLS (even without actually using it) may incur a substantial overhead because other libraries automatically switch to thread-safe algorithms."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>gnutls_global_init</function> function must be called before using any functionality provided by the library. This function is not thread-safe, so external locking is required, but it is not clear which lock should be used. Omitting the synchronization does not just lead to a memory leak, as it is suggested in the GNUTLS documentation, but to undefined behavior because there is no barrier that would enforce memory ordering."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>gnutls_global_deinit</function> function does not actually deallocate all resources allocated by <function>gnutls_global_init</function>. It is currently not thread-safe. Therefore, it is best to avoid calling it altogether."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The X.509 implementation in GNUTLS is rather lenient. For example, it is possible to create and process X.509 version 1 certificates which carry extensions. These certificates are (correctly) rejected by other implementations."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "OpenJDK Pitfalls"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The Java cryptographic framework is highly modular. As a result, when you request an object implementing some cryptographic functionality, you cannot be completely sure that you end up with the well-tested, reviewed implementation in OpenJDK."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "OpenJDK (in the source code as published by Oracle) and other implementations of the Java platform require that the system administrator has installed so-called <emphasis>unlimited strength jurisdiction policy files</emphasis>. Without this step, it is not possible to use the secure algorithms which offer sufficient cryptographic strength. Most downstream redistributors of OpenJDK remove this requirement."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some versions of OpenJDK use <filename>/dev/random</filename> as the randomness source for nonces and other random data which is needed for TLS operation, but does not actually require physical randomness. As a result, TLS applications can block, waiting for more bits to become available in <filename>/dev/random</filename>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "NSS Pitfalls"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "NSS was not designed to be used by other libraries which can be linked into applications without modifying them. There is a lot of global state. There does not seem to be a way to perform required NSS initialization without race conditions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the NSPR descriptor is in an unexpected state, the <function>SSL_ForceHandshake</function> function can succeed, but no TLS handshake takes place, the peer is not authenticated, and subsequent data is exchanged in the clear."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "NSS disables itself if it detects that the process underwent a <function>fork</function> after the library has been initialized. This behavior is required by the PKCS#11 API specification."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "TLS Clients"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Secure use of TLS in a client generally involves all of the following steps. (Individual instructions for specific TLS implementations follow in the next sections.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The client must configure the TLS library to use a set of trusted root certificates. These certificates are provided by the system in <filename class=\"directory\">/etc/ssl/certs</filename> or files derived from it."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The client selects sufficiently strong cryptographic primitives and disables insecure ones (such as no-op encryption). Compression and SSL version 2 support must be disabled (including the SSLv2-compatible handshake)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The client initiates the TLS connection. The Server Name Indication extension should be used if supported by the TLS implementation. Before switching to the encrypted connection state, the contents of all input and output buffers must be discarded."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The client needs to validate the peer certificate provided by the server, that is, the client must check that there is a cryptographically protected chain from a trusted root certificate to the peer certificate. (Depending on the TLS implementation, a TLS handshake can succeed even if the certificate cannot be validated.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The client must check that the configured or user-provided server name matches the peer certificate provided by the server."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is safe to provide users detailed diagnostics on certificate validation failures. Other causes of handshake failures and, generally speaking, any details on other errors reported by the TLS implementation (particularly exception tracebacks), must not be divulged in ways that make them accessible to potential attackers. Otherwise, it is possible to create decryption oracles."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Depending on the application, revocation checking (against certificate revocations lists or via OCSP) and session resumption are important aspects of production-quality client. These aspects are not yet covered."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Implementation TLS Clients With OpenSSL"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In the following code, the error handling is only exploratory. Proper error handling is required for production use, especially in libraries."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The OpenSSL library needs explicit initialization (see <xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Init\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "OpenSSL library initialization"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After that, a context object has to be created, which acts as a factory for connection objects (<xref linkend=\"ex-Defensive_Coding-TLS-Client-OpenSSL-CTX\" />). We use an explicit cipher list so that we do not pick up any strange ciphers when OpenSSL is upgraded. The actual version requested in the client hello depends on additional restrictions in the OpenSSL library. If possible, you should follow the example code and use the default list of trusted root certificate authorities provided by the system because you would have to maintain your own set otherwise, which can be cumbersome."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "OpenSSL client context creation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "A single context object can be used to create multiple connection objects. It is safe to use the same <literal>SSL_CTX</literal> object for creating connections concurrently from multiple threads, provided that the <literal>SSL_CTX</literal> object is not modified (e.g., callbacks must not be changed)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After creating the TCP socket and disabling the Nagle algorithm (per <xref linkend=\"ex-Defensive_Coding-TLS-Nagle\" />), the actual connection object needs to be created, as show in <xref linkend=\"ex-Defensive_Coding-TLS-Client-OpenSSL-CTX\" />. If the handshake started by <function>SSL_connect</function> fails, the <function>ssl_print_error_and_exit</function> function from <xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Errors\" /> is called."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>certificate_validity_override</function> function provides an opportunity to override the validity of the certificate in case the OpenSSL check fails. If such functionality is not required, the call can be removed, otherwise, the application developer has to implement it."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The host name passed to the functions <function>SSL_set_tlsext_host_name</function> and <function>X509_check_host</function> must be the name that was passed to <function>getaddrinfo</function> or a similar name resolution function. No host name canonicalization must be performed. The <function>X509_check_host</function> function used in the final step for host name matching is currently only implemented in OpenSSL 1.1, which is not released yet. In case host name matching fails, the function <function>certificate_host_name_override</function> is called. This function should check user-specific certificate store, to allow a connection even if the host name does not match the certificate. This function has to be provided by the application developer. Note that the override must be keyed by both the certificate <emphasis>and</emphasis> the host name."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Creating a client connection using OpenSSL"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The connection object can be used for sending and receiving data, as in <xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Connection-Use\" />. It is also possible to create a <literal>BIO</literal> object and use the <literal>SSL</literal> object as the underlying transport, using <function>BIO_set_ssl</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using an OpenSSL connection to send and receive data"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When it is time to close the connection, the <function>SSL_shutdown</function> function needs to be called twice for an orderly, synchronous connection termination (<xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Connection-Close\" />). This exchanges <literal>close_notify</literal> alerts with the server. The additional logic is required to deal with an unexpected <literal>close_notify</literal> from the server. Note that is necessary to explicitly close the underlying socket after the connection object has been freed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Closing an OpenSSL connection in an orderly fashion"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-TLS-OpenSSL-Context-Close\" /> shows how to deallocate the context object when it is no longer needed because no further TLS connections will be established."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Implementation TLS Clients With GNUTLS"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This section describes how to implement a TLS client with full certificate validation (but without certificate revocation checking). Note that the error handling in is only exploratory and needs to be replaced before production use."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The GNUTLS library needs explicit initialization:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Failing to do so can result in obscure failures in Base64 decoding. See <xref linkend=\"sect-Defensive_Coding-TLS-Pitfalls-GNUTLS\" /> for additional aspects of initialization."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Before setting up TLS connections, a credentials objects has to be allocated and initialized with the set of trusted root CAs (<xref linkend=\"ex-Defensive_Coding-TLS-Client-GNUTLS-Credentials\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Initializing a GNUTLS credentials structure"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After the last TLS connection has been closed, this credentials object should be freed:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "During its lifetime, the credentials object can be used to initialize TLS session objects from multiple threads, provided that it is not changed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Once the TCP connection has been established, the Nagle algorithm should be disabled (see <xref linkend=\"ex-Defensive_Coding-TLS-Nagle\" />). After that, the socket can be associated with a new GNUTLS session object. The previously allocated credentials object provides the set of root CAs. The <literal>NORMAL</literal> set of cipher suites and protocols provides a reasonable default. Then the TLS handshake must be initiated. This is shown in <xref linkend=\"ex-Defensive_Coding-TLS-Client-GNUTLS-Connect\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Establishing a TLS client connection using GNUTLS"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After the handshake has been completed, the server certificate needs to be verified (<xref linkend=\"ex-Defensive_Coding-TLS-Client-GNUTLS-Verify\" />). In the example, the user-defined <function>certificate_validity_override</function> function is called if the verification fails, so that a separate, user-specific trust store can be checked. This function call can be omitted if the functionality is not needed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Verifying a server certificate using GNUTLS"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In the next step (<xref linkend=\"ex-Defensive_Coding-TLS-Client-GNUTLS-Match\" />, the certificate must be matched against the host name (note the unusual return value from <function>gnutls_x509_crt_check_hostname</function>). Again, an override function <function>certificate_host_name_override</function> is called. Note that the override must be keyed to the certificate <emphasis>and</emphasis> the host name. The function call can be omitted if the override is not needed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Matching the server host name and certificate in a GNUTLS client"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In newer GNUTLS versions, certificate checking and host name validation can be combined using the <function>gnutls_certificate_verify_peers3</function> function."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "An established TLS session can be used for sending and receiving data, as in <xref linkend=\"ex-Defensive_Coding-TLS-GNUTLS-Use\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using a GNUTLS session"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In order to shut down a connection in an orderly manner, you should call the <function>gnutls_bye</function> function. Finally, the session object can be deallocated using <function>gnutls_deinit</function> (see <xref linkend=\"ex-Defensive_Coding-TLS-GNUTLS-Disconnect\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Implementing TLS Clients With OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The examples below use the following cryptographic-related classes:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If compatibility with OpenJDK 6 is required, it is necessary to use the internal class <literal>sun.security.util.HostnameChecker</literal>. (The public OpenJDK API does not provide any support for dissecting the subject distinguished name of an X.509 certificate, so a custom-written DER parser is needed—or we have to use an internal class, which we do below.) In OpenJDK 7, the <function>setEndpointIdentificationAlgorithm</function> method was added to the <literal>javax.net.ssl.SSLParameters</literal> class, providing an official way to implement host name checking."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "TLS connections are established using an <literal>SSLContext</literal> instance. With a properly configured OpenJDK installation, the <literal>SunJSSE</literal> provider uses the system-wide set of trusted root certificate authorities, so no further configuration is necessary. For backwards compatibility with OpenJDK 6, the <literal>TLSv1</literal> provider has to be supported as a fall-back option. This is shown in <xref linkend=\"ex-Defensive_Coding-TLS-Client-OpenJDK-Context\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Setting up an <literal>SSLContext</literal> for OpenJDK TLS clients"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In addition to the context, a TLS parameter object will be needed which adjusts the cipher suites and protocols (<xref linkend=\"ex-Defensive_Coding-TLS-OpenJDK-Parameters\" />). Like the context, these parameters can be reused for multiple TLS connections."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Setting up <literal>SSLParameters</literal> for TLS use with OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "As initialized above, the parameter object does not yet require host name checking. This has to be enabled separately, and this is only supported by OpenJDK 7 and later:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "All application protocols can use the <literal>\"HTTPS\"</literal> algorithm. (The algorithms have minor differences with regard to wildcard handling, which should not matter in practice.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-TLS-Client-OpenJDK-Connect\" /> shows how to establish the connection. Before the handshake is initialized, the protocol and cipher configuration has to be performed, by applying the parameter object <literal>params</literal>. (After this point, changes to <literal>params</literal> will not affect this TLS socket.) As mentioned initially, host name checking requires using an internal API on OpenJDK 6."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Establishing a TLS connection with OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Starting with OpenJDK 7, the last lines can be omitted, provided that host name verification has been enabled by calling the <function>setEndpointIdentificationAlgorithm</function> method on the <literal>params</literal> object (before it was applied to the socket)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The TLS socket can be used as a regular socket, as shown in <xref linkend=\"ex-Defensive_Coding-TLS-Client-OpenJDK-Use\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using a TLS client socket in OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Overriding server certificate validation with OpenJDK 6"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Overriding certificate validation requires a custom trust manager. With OpenJDK 6, the trust manager lacks information about the TLS session, and to which server the connection is made. Certificate overrides have to be tied to specific servers (host names). Consequently, different <literal>TrustManager</literal> and <literal>SSLContext</literal> objects have to be used for different servers."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In the trust manager shown in <xref linkend=\"ex-Defensive_Coding-TLS-Client-MyTrustManager\" />, the server certificate is identified by its SHA-256 hash."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "A customer trust manager for OpenJDK TLS clients"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This trust manager has to be passed to the <literal>init</literal> method of the <literal>SSLContext</literal> object, as show in <xref linkend=\"ex-Defensive_Coding-TLS-Client-Context_For_Cert\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using a custom TLS trust manager with OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When certificate overrides are in place, host name verification should not be performed because there is no security requirement that the host name in the certificate matches the host name used to establish the connection (and it often will not). However, without host name verification, it is not possible to perform transparent fallback to certification validation using the system certificate store."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The approach described above works with OpenJDK 6 and later versions. Starting with OpenJDK 7, it is possible to use a custom subclass of the <literal>javax.net.ssl.X509ExtendedTrustManager</literal> class. The OpenJDK TLS implementation will call the new methods, passing along TLS session information. This can be used to implement certificate overrides as a fallback (if certificate or host name verification fails), and a trust manager object can be used for multiple servers because the server address is available to the trust manager."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Implementing TLS Clients With NSS"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following code shows how to implement a simple TLS client using NSS. These instructions apply to NSS version 3.14 and later. Versions before 3.14 need different initialization code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Keep in mind that the error handling needs to be improved before the code can be used in production."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Using NSS needs several header files, as shown in <xref linkend=\"ex-Defensive_Coding-TLS-NSS-Includes\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Include files for NSS"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Initializing the NSS library is shown in <xref linkend=\"ex-Defensive_Coding-TLS-NSS-Init\" />. This initialization procedure overrides global state. We only call <function>NSS_SetDomesticPolicy</function> if there are no strong ciphers available, assuming that it has already been called otherwise. This avoids overriding the process-wide cipher suite policy unnecessarily."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The simplest way to configured the trusted root certificates involves loading the <filename>libnssckbi.so</filename> NSS module with a call to the <function>SECMOD_LoadUserModule</function> function. The root certificates are compiled into this module. (The PEM module for NSS, <filename>libnsspem.so</filename>, offers a way to load trusted CA certificates from a file.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Initializing the NSS library"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some of the effects of the initialization can be reverted with the following function calls:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After NSS has been initialized, the TLS connection can be created (<xref linkend=\"ex-Defensive_Coding-TLS-Client-NSS-Connect\" />). The internal <function>PR_ImportTCPSocket</function> function is used to turn the POSIX file descriptor <literal>sockfd</literal> into an NSPR file descriptor. (This function is de-facto part of the NSS public ABI, so it will not go away.) Creating the TLS-capable file descriptor requires a <emphasis>model</emphasis> descriptor, which is configured with the desired set of protocols. The model descriptor is not needed anymore after TLS support has been activated for the existing connection descriptor."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The call to <function>SSL_BadCertHook</function> can be omitted if no mechanism to override certificate verification is needed. The <literal>bad_certificate</literal> function must check both the host name specified for the connection and the certificate before granting the override."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Triggering the actual handshake requires three function calls, <function>SSL_ResetHandshake</function>, <function>SSL_SetURL</function>, and <function>SSL_ForceHandshake</function>. (If <function>SSL_ResetHandshake</function> is omitted, <function>SSL_ForceHandshake</function> will succeed, but the data will not be encrypted.) During the handshake, the certificate is verified and matched against the host name."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Creating a TLS connection with NSS"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After the connection has been established, <xref linkend=\"ex-Defensive_Coding-TLS-NSS-Use\" /> shows how to use the NSPR descriptor to communicate with the server."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using NSS for sending and receiving data"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-TLS-Client-NSS-Close\" /> shows how to close the connection."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Closing NSS client connections"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Implementing TLS Clients With Python"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The Python distribution provides a TLS implementation in the <literal>ssl</literal> module (actually a wrapper around OpenSSL). The exported interface is somewhat restricted, so that the client code shown below does not fully implement the recommendations in <xref linkend=\"sect-Defensive_Coding-TLS-OpenSSL\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Currently, most Python function which accept <literal>https://</literal> URLs or otherwise implement HTTPS support do not perform certificate validation at all. (For example, this is true for the <literal>httplib</literal> and <literal>xmlrpclib</literal> modules.) If you use HTTPS, you should not use the built-in HTTP clients. The <literal>Curl</literal> class in the <literal>curl</literal> module, as provided by the <literal>python-pycurl</literal> package implements proper certificate validation."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>ssl</literal> module currently does not perform host name checking on the server certificate. <xref linkend=\"ex-Defensive_Coding-TLS-Client-Python-check_host_name\" /> shows how to implement certificate matching, using the parsed certificate returned by <function>getpeercert</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Implementing TLS host name checking Python (without wildcard support)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To turn a regular, connected TCP socket into a TLS-enabled socket, use the <function>ssl.wrap_socket</function> function. The function call in <xref linkend=\"ex-Defensive_Coding-TLS-Client-Python-Connect\" /> provides additional arguments to override questionable defaults in OpenSSL and in the Python module."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\"</literal> selects relatively strong cipher suites with certificate-based authentication. (The call to <function>check_host_name</function> function provides additional protection against anonymous cipher suites.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>ssl_version=ssl.PROTOCOL_TLSv1</literal> disables SSL 2.0 support. By default, the <literal>ssl</literal> module sends an SSL 2.0 client hello, which is rejected by some servers. Ideally, we would request OpenSSL to negotiated the most recent TLS version supported by the server and the client, but the Python module does not allow this."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>cert_reqs=ssl.CERT_REQUIRED</literal> turns on certificate validation."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>ca_certs='/etc/ssl/certs/ca-bundle.crt'</literal> initializes the certificate store with a set of trusted root CAs. Unfortunately, it is necessary to hard-code this path into applications because the default path in OpenSSL is not available through the Python <literal>ssl</literal> module."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>ssl</literal> module (and OpenSSL) perform certificate validation, but the certificate must be compared manually against the host name, by calling the <function>check_host_name</function> defined above."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Establishing a TLS client connection with Python"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After the connection has been established, the TLS socket can be used like a regular socket:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Closing the TLS socket is straightforward as well:"
|
||||
msgstr ""
|
||||
|
|
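Review bot: two grammar errors in the removed msgids, "most Python function which accept" (should be "functions") and "request OpenSSL to negotiated" (should be "negotiate"), will reappear in the next extracted POT unless they are fixed in the document source these templates are generated from. The sentence stating that `ssl_version=ssl.PROTOCOL_TLSv1` "disables SSL 2.0 support" also understates the effect: that constant restricts the connection to TLS 1.0 exclusively, which the following sentence only hints at.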
@ -1,14 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
|
@ -1,70 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Create the session object.\n"
|
||||
"gnutls_session_t session;\n"
|
||||
"ret = gnutls_init(&session, GNUTLS_CLIENT);\n"
|
||||
"if (ret != GNUTLS_E_SUCCESS) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_init: %s\n"
|
||||
"\",\n"
|
||||
" gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Configure the cipher preferences.\n"
|
||||
"const char *errptr = NULL;\n"
|
||||
"ret = gnutls_priority_set_direct(session, \"NORMAL\", &errptr);\n"
|
||||
"if (ret != GNUTLS_E_SUCCESS) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_priority_set_direct: %s\n"
|
||||
"\"\n"
|
||||
" \"error: at: \\\"%s\\\"\n"
|
||||
"\", gnutls_strerror(ret), errptr);\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Install the trusted certificates.\n"
|
||||
"ret = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred);\n"
|
||||
"if (ret != GNUTLS_E_SUCCESS) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_credentials_set: %s\n"
|
||||
"\",\n"
|
||||
" gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Associate the socket with the session object and set the server\n"
|
||||
"// name.\n"
|
||||
"gnutls_transport_set_ptr(session, (gnutls_transport_ptr_t)(uintptr_t)sockfd);\n"
|
||||
"ret = gnutls_server_name_set(session, GNUTLS_NAME_DNS,\n"
|
||||
" host, strlen(host));\n"
|
||||
"if (ret != GNUTLS_E_SUCCESS) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_server_name_set: %s\n"
|
||||
"\",\n"
|
||||
" gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Establish the session.\n"
|
||||
"ret = gnutls_handshake(session);\n"
|
||||
"if (ret != GNUTLS_E_SUCCESS) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_handshake: %s\n"
|
||||
"\",\n"
|
||||
" gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Load the trusted CA certificates.\n"
|
||||
"gnutls_certificate_credentials_t cred = NULL;\n"
|
||||
"int ret = gnutls_certificate_allocate_credentials (&cred);\n"
|
||||
"if (ret != GNUTLS_E_SUCCESS) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_certificate_allocate_credentials: %s\n"
|
||||
"\",\n"
|
||||
" gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"// gnutls_certificate_set_x509_system_trust needs GNUTLS version 3.0\n"
|
||||
"// or newer, so we hard-code the path to the certificate store\n"
|
||||
"// instead.\n"
|
||||
"static const char ca_bundle[] = \"/etc/ssl/certs/ca-bundle.crt\";\n"
|
||||
"ret = gnutls_certificate_set_x509_trust_file\n"
|
||||
" (cred, ca_bundle, GNUTLS_X509_FMT_PEM);\n"
|
||||
"if (ret == 0) {\n"
|
||||
" fprintf(stderr, \"error: no certificates found in: %s\n"
|
||||
"\", ca_bundle);\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"if (ret < 0) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_certificate_set_x509_trust_files(%s): %s\n"
|
||||
"\",\n"
|
||||
" ca_bundle, gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
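Review bot: the error message in the `ret < 0` branch names `gnutls_certificate_set_x509_trust_files` while the call being reported is `gnutls_certificate_set_x509_trust_file` (no trailing s); the mismatch sends a reader grepping for the wrong function and should be corrected wherever this listing lives after the POT is dropped.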
@ -1,47 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Match the peer certificate against the host name.\n"
|
||||
"// We can only obtain a set of DER-encoded certificates from the\n"
|
||||
"// session object, so we have to re-parse the peer certificate into\n"
|
||||
"// a certificate object.\n"
|
||||
"gnutls_x509_crt_t cert;\n"
|
||||
"ret = gnutls_x509_crt_init(&cert);\n"
|
||||
"if (ret != GNUTLS_E_SUCCESS) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_x509_crt_init: %s\n"
|
||||
"\",\n"
|
||||
" gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"// The peer certificate is the first certificate in the list.\n"
|
||||
"ret = gnutls_x509_crt_import(cert, certs, GNUTLS_X509_FMT_DER);\n"
|
||||
"if (ret != GNUTLS_E_SUCCESS) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_x509_crt_import: %s\n"
|
||||
"\",\n"
|
||||
" gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"ret = gnutls_x509_crt_check_hostname(cert, host);\n"
|
||||
"if (ret == 0 && !certificate_host_name_override(certs[0], host)) {\n"
|
||||
" fprintf(stderr, \"error: host name does not match certificate\n"
|
||||
"\");\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"gnutls_x509_crt_deinit(cert);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,60 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Obtain the server certificate chain. The server certificate\n"
|
||||
"// itself is stored in the first element of the array.\n"
|
||||
"unsigned certslen = 0;\n"
|
||||
"const gnutls_datum_t *const certs =\n"
|
||||
" gnutls_certificate_get_peers(session, &certslen);\n"
|
||||
"if (certs == NULL || certslen == 0) {\n"
|
||||
" fprintf(stderr, \"error: could not obtain peer certificate\n"
|
||||
"\");\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Validate the certificate chain.\n"
|
||||
"unsigned status = (unsigned)-1;\n"
|
||||
"ret = gnutls_certificate_verify_peers2(session, &status);\n"
|
||||
"if (ret != GNUTLS_E_SUCCESS) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_certificate_verify_peers2: %s\n"
|
||||
"\",\n"
|
||||
" gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"if (status != 0 && !certificate_validity_override(certs[0])) {\n"
|
||||
" gnutls_datum_t msg;\n"
|
||||
"#if GNUTLS_VERSION_AT_LEAST_3_1_4\n"
|
||||
" int type = gnutls_certificate_type_get (session);\n"
|
||||
" ret = gnutls_certificate_verification_status_print(status, type, &out, 0);\n"
|
||||
"#else\n"
|
||||
" ret = -1;\n"
|
||||
"#endif\n"
|
||||
" if (ret == 0) {\n"
|
||||
" fprintf(stderr, \"error: %s\n"
|
||||
"\", msg.data);\n"
|
||||
" gnutls_free(msg.data);\n"
|
||||
" exit(1);\n"
|
||||
" } else {\n"
|
||||
" fprintf(stderr, \"error: certificate validation failed with code 0x%x\n"
|
||||
"\",\n"
|
||||
" status);\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
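Review bot: the verification-failure branch declares `gnutls_datum_t msg;` but passes `&out` to `gnutls_certificate_verification_status_print` and then prints and frees `msg.data`; `out` is never declared, so this listing cannot compile on a GnuTLS 3.1.4 or newer build, and on the `#else` path `msg` is never used at all. Change `&out` to `&msg` in whatever source the listing is regenerated from.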
@ -1,30 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Send close_notify alert.\n"
|
||||
"if (PR_Shutdown(nspr, PR_SHUTDOWN_BOTH) != PR_SUCCESS) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: PR_Read error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"// Closes the underlying POSIX file descriptor, too.\n"
|
||||
"PR_Close(nspr);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
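Review bot: the failure message for `PR_Shutdown` reads "PR_Read error %d", which points a reader debugging a close_notify failure at the wrong call; it should name PR_Shutdown.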
@ -1,103 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Wrap the POSIX file descriptor. This is an internal NSPR\n"
|
||||
"// function, but it is very unlikely to change.\n"
|
||||
"PRFileDesc* nspr = PR_ImportTCPSocket(sockfd);\n"
|
||||
"sockfd = -1; // Has been taken over by NSPR.\n"
|
||||
"\n"
|
||||
"// Add the SSL layer.\n"
|
||||
"{\n"
|
||||
" PRFileDesc *model = PR_NewTCPSocket();\n"
|
||||
" PRFileDesc *newfd = SSL_ImportFD(NULL, model);\n"
|
||||
" if (newfd == NULL) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: NSPR error code %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
" model = newfd;\n"
|
||||
" newfd = NULL;\n"
|
||||
" if (SSL_OptionSet(model, SSL_ENABLE_SSL2, PR_FALSE) != SECSuccess) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: set SSL_ENABLE_SSL2 error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
" if (SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, PR_FALSE) != SECSuccess) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: set SSL_V2_COMPATIBLE_HELLO error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
" if (SSL_OptionSet(model, SSL_ENABLE_DEFLATE, PR_FALSE) != SECSuccess) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: set SSL_ENABLE_DEFLATE error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
"\n"
|
||||
" // Allow overriding invalid certificate.\n"
|
||||
" if (SSL_BadCertHook(model, bad_certificate, (char *)host) != SECSuccess) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: SSL_BadCertHook error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
"\n"
|
||||
" newfd = SSL_ImportFD(model, nspr);\n"
|
||||
" if (newfd == NULL) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: SSL_ImportFD error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
" nspr = newfd;\n"
|
||||
" PR_Close(model);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Perform the handshake.\n"
|
||||
"if (SSL_ResetHandshake(nspr, PR_FALSE) != SECSuccess) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: SSL_ResetHandshake error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"if (SSL_SetURL(nspr, host) != SECSuccess) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: SSL_SetURL error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"if (SSL_ForceHandshake(nspr) != SECSuccess) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: SSL_ForceHandshake error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
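Review bot: the five-line `PR_GetError` / `fprintf` / `exit(1)` block is repeated nine times in this listing with only the label changing; a small helper such as `nspr_die(const char *what)` (a suggestion, not an existing NSPR function) would cut the example roughly in half and let the actual TLS setup steps (disable SSL2 and the v2-compatible hello, disable deflate, install the bad-certificate hook, import the model, reset and force the handshake) stand out.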
@ -1,40 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Create the socket and connect it at the TCP layer.\n"
|
||||
"SSLSocket socket = (SSLSocket) ctx.getSocketFactory()\n"
|
||||
" .createSocket(host, port);\n"
|
||||
"\n"
|
||||
"// Disable the Nagle algorithm.\n"
|
||||
"socket.setTcpNoDelay(true);\n"
|
||||
"\n"
|
||||
"// Adjust ciphers and protocols.\n"
|
||||
"socket.setSSLParameters(params);\n"
|
||||
"\n"
|
||||
"// Perform the handshake.\n"
|
||||
"socket.startHandshake();\n"
|
||||
"\n"
|
||||
"// Validate the host name. The match() method throws\n"
|
||||
"// CertificateException on failure.\n"
|
||||
"X509Certificate peer = (X509Certificate)\n"
|
||||
" socket.getSession().getPeerCertificates()[0];\n"
|
||||
"// This is the only way to perform host name checking on OpenJDK 6.\n"
|
||||
"HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(\n"
|
||||
" host, peer);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
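Review bot: `HostnameChecker` here is `sun.security.util.HostnameChecker`, an internal JDK class (the listing's own comment says it is the only option on OpenJDK 6); code depending on it breaks on other JDKs and on later OpenJDK releases that restrict access to internal packages. `params` is also used without being shown in this hunk; the `setEndpointIdentificationAlgorithm("HTTPS")` listing elsewhere in this commit is the supported route to host name checking and deserves a cross-reference from this example.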
@ -1,40 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Create the context. Specify the SunJSSE provider to avoid\n"
|
||||
"// picking up third-party providers. Try the TLS 1.2 provider\n"
|
||||
"// first, then fall back to TLS 1.0.\n"
|
||||
"SSLContext ctx;\n"
|
||||
"try {\n"
|
||||
" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n"
|
||||
"} catch (NoSuchAlgorithmException e) {\n"
|
||||
" try {\n"
|
||||
" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n"
|
||||
" } catch (NoSuchAlgorithmException e1) {\n"
|
||||
" // The TLS 1.0 provider should always be available.\n"
|
||||
" throw new AssertionError(e1);\n"
|
||||
" } catch (NoSuchProviderException e1) {\n"
|
||||
" throw new AssertionError(e1);\n"
|
||||
" } \n"
|
||||
"} catch (NoSuchProviderException e) {\n"
|
||||
" // The SunJSSE provider should always be available.\n"
|
||||
" throw new AssertionError(e);\n"
|
||||
"}\n"
|
||||
"ctx.init(null, null, null);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"SSLContext ctx;\n"
|
||||
"try {\n"
|
||||
" ctx = SSLContext.getInstance(\"TLSv1.2\", \"SunJSSE\");\n"
|
||||
"} catch (NoSuchAlgorithmException e) {\n"
|
||||
" try {\n"
|
||||
" ctx = SSLContext.getInstance(\"TLSv1\", \"SunJSSE\");\n"
|
||||
" } catch (NoSuchAlgorithmException e1) {\n"
|
||||
" throw new AssertionError(e1);\n"
|
||||
" } catch (NoSuchProviderException e1) {\n"
|
||||
" throw new AssertionError(e1);\n"
|
||||
" }\n"
|
||||
"} catch (NoSuchProviderException e) {\n"
|
||||
" throw new AssertionError(e);\n"
|
||||
"}\n"
|
||||
"MyTrustManager tm = new MyTrustManager(certHash);\n"
|
||||
"ctx.init(null, new TrustManager[] {tm}, null);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"params.setEndpointIdentificationAlgorithm(\"HTTPS\");\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"import java.security.NoSuchAlgorithmException;\n"
|
||||
"import java.security.NoSuchProviderException;\n"
|
||||
"import java.security.cert.CertificateEncodingException;\n"
|
||||
"import java.security.cert.CertificateException;\n"
|
||||
"import java.security.cert.X509Certificate;\n"
|
||||
"import javax.net.ssl.SSLContext;\n"
|
||||
"import javax.net.ssl.SSLParameters;\n"
|
||||
"import javax.net.ssl.SSLSocket;\n"
|
||||
"import javax.net.ssl.TrustManager;\n"
|
||||
"import javax.net.ssl.X509TrustManager;\n"
|
||||
"\n"
|
||||
"import sun.security.util.HostnameChecker;\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,52 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"public class MyTrustManager implements X509TrustManager {\n"
|
||||
" private final byte[] certHash;\n"
|
||||
"\n"
|
||||
" public MyTrustManager(byte[] certHash) throws Exception {\n"
|
||||
" this.certHash = certHash;\n"
|
||||
" }\n"
|
||||
"\n"
|
||||
" @Override\n"
|
||||
" public void checkClientTrusted(X509Certificate[] chain, String authType)\n"
|
||||
" throws CertificateException {\n"
|
||||
" throw new UnsupportedOperationException();\n"
|
||||
" }\n"
|
||||
"\n"
|
||||
" @Override\n"
|
||||
" public void checkServerTrusted(X509Certificate[] chain,\n"
|
||||
" String authType) throws CertificateException {\n"
|
||||
" byte[] digest = getCertificateDigest(chain[0]);\n"
|
||||
" String digestHex = formatHex(digest);\n"
|
||||
"\n"
|
||||
" if (Arrays.equals(digest, certHash)) {\n"
|
||||
" System.err.println(\"info: accepting certificate: \" + digestHex);\n"
|
||||
" } else {\n"
|
||||
" throw new CertificateException(\"certificate rejected: \" +\n"
|
||||
" digestHex);\n"
|
||||
" }\n"
|
||||
" }\n"
|
||||
"\n"
|
||||
" @Override\n"
|
||||
" public X509Certificate[] getAcceptedIssuers() {\n"
|
||||
" return new X509Certificate[0];\n"
|
||||
" }\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
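Review bot: `Arrays.equals` needs `java.util.Arrays`, which the import listing in this commit does not include, and `getCertificateDigest` / `formatHex` are called but defined nowhere in the listing, so the example does not compile as shown. `checkClientTrusted` throwing `UnsupportedOperationException` also means this trust manager must never be installed on a server-side context; that constraint is worth a sentence in the surrounding text if the listing is kept.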
@ -1,27 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"socket.getOutputStream().write(\"GET / HTTP/1.0\\r\n"
|
||||
"\\r\n"
|
||||
"\"\n"
|
||||
" .getBytes(Charset.forName(\"UTF-8\")));\n"
|
||||
"byte[] buffer = new byte[4096];\n"
|
||||
"int count = socket.getInputStream().read(buffer);\n"
|
||||
"System.out.write(buffer, 0, count);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
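Review bot: `read(buffer)` is called once and its result handed straight to `System.out.write(buffer, 0, count)`; on end-of-stream `read` returns -1 and the write throws `IndexOutOfBoundsException`, and a single read is not guaranteed to return the whole response. A loop until `read` returns -1 is the idiomatic form.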
@ -1,85 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Configure a client connection context. Send a hendshake for the\n"
|
||||
"// highest supported TLS version, and disable compression.\n"
|
||||
"const SSL_METHOD *const req_method = SSLv23_client_method();\n"
|
||||
"SSL_CTX *const ctx = SSL_CTX_new(req_method);\n"
|
||||
"if (ctx == NULL) {\n"
|
||||
" ERR_print_errors(bio_err);\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION);\n"
|
||||
"\n"
|
||||
"// Adjust the ciphers list based on a whitelist. First enable all\n"
|
||||
"// ciphers of at least medium strength, to get the list which is\n"
|
||||
"// compiled into OpenSSL.\n"
|
||||
"if (SSL_CTX_set_cipher_list(ctx, \"HIGH:MEDIUM\") != 1) {\n"
|
||||
" ERR_print_errors(bio_err);\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"{\n"
|
||||
" // Create a dummy SSL session to obtain the cipher list.\n"
|
||||
" SSL *ssl = SSL_new(ctx);\n"
|
||||
" if (ssl == NULL) {\n"
|
||||
" ERR_print_errors(bio_err);\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
" STACK_OF(SSL_CIPHER) *active_ciphers = SSL_get_ciphers(ssl);\n"
|
||||
" if (active_ciphers == NULL) {\n"
|
||||
" ERR_print_errors(bio_err);\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
" // Whitelist of candidate ciphers.\n"
|
||||
" static const char *const candidates[] = {\n"
|
||||
" \"AES128-GCM-SHA256\", \"AES128-SHA256\", \"AES256-SHA256\", // strong ciphers\n"
|
||||
" \"AES128-SHA\", \"AES256-SHA\", // strong ciphers, also in older versions\n"
|
||||
" \"RC4-SHA\", \"RC4-MD5\", // backwards compatibility, supposed to be weak\n"
|
||||
" \"DES-CBC3-SHA\", \"DES-CBC3-MD5\", // more backwards compatibility\n"
|
||||
" NULL\n"
|
||||
" };\n"
|
||||
" // Actually selected ciphers.\n"
|
||||
" char ciphers[300];\n"
|
||||
" ciphers[0] = '\\0';\n"
|
||||
" for (const char *const *c = candidates; *c; ++c) {\n"
|
||||
" for (int i = 0; i < sk_SSL_CIPHER_num(active_ciphers); ++i) {\n"
|
||||
" if (strcmp(SSL_CIPHER_get_name(sk_SSL_CIPHER_value(active_ciphers, i)),\n"
|
||||
" *c) == 0) {\n"
|
||||
" if (*ciphers) {\n"
|
||||
" strcat(ciphers, \":\");\n"
|
||||
" }\n"
|
||||
" strcat(ciphers, *c);\n"
|
||||
" break;\n"
|
||||
" }\n"
|
||||
" }\n"
|
||||
" }\n"
|
||||
" SSL_free(ssl);\n"
|
||||
" // Apply final cipher list.\n"
|
||||
" if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {\n"
|
||||
" ERR_print_errors(bio_err);\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Load the set of trusted root certificates.\n"
|
||||
"if (!SSL_CTX_set_default_verify_paths(ctx)) {\n"
|
||||
" ERR_print_errors(bio_err);\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
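Review bot: typo "hendshake" in the opening comment. More substantively, the candidate whitelist keeps `RC4-SHA`, `RC4-MD5`, `DES-CBC3-SHA` and `DES-CBC3-MD5` with comments conceding they are weak; if the listing is carried over, the text should state that they are there for backward compatibility only or drop them. Note also that `strcat` into `char ciphers[300]` is bounded only by the length of the candidate list, so any extension of that list has to be checked against the buffer size.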
@ -1,71 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Create the connection object.\n"
|
||||
"SSL *ssl = SSL_new(ctx);\n"
|
||||
"if (ssl == NULL) {\n"
|
||||
" ERR_print_errors(bio_err);\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"SSL_set_fd(ssl, sockfd);\n"
|
||||
"\n"
|
||||
"// Enable the ServerNameIndication extension\n"
|
||||
"if (!SSL_set_tlsext_host_name(ssl, host)) {\n"
|
||||
" ERR_print_errors(bio_err);\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Perform the TLS handshake with the server.\n"
|
||||
"ret = SSL_connect(ssl);\n"
|
||||
"if (ret != 1) {\n"
|
||||
" // Error status can be 0 or negative.\n"
|
||||
" ssl_print_error_and_exit(ssl, \"SSL_connect\", ret);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Obtain the server certificate.\n"
|
||||
"X509 *peercert = SSL_get_peer_certificate(ssl);\n"
|
||||
"if (peercert == NULL) {\n"
|
||||
" fprintf(stderr, \"peer certificate missing\");\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Check the certificate verification result. Allow an explicit\n"
|
||||
"// certificate validation override in case verification fails.\n"
|
||||
"int verifystatus = SSL_get_verify_result(ssl);\n"
|
||||
"if (verifystatus != X509_V_OK && !certificate_validity_override(peercert)) {\n"
|
||||
" fprintf(stderr, \"SSL_connect: verify result: %s\n"
|
||||
"\",\n"
|
||||
" X509_verify_cert_error_string(verifystatus));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Check if the server certificate matches the host name used to\n"
|
||||
"// establish the connection.\n"
|
||||
"// FIXME: Currently needs OpenSSL 1.1.\n"
|
||||
"if (X509_check_host(peercert, (const unsigned char *)host, strlen(host),\n"
|
||||
" 0) != 1\n"
|
||||
" && !certificate_host_name_override(peercert, host)) {\n"
|
||||
" fprintf(stderr, \"SSL certificate does not match host name\n"
|
||||
"\");\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"X509_free(peercert);\n"
|
||||
"\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
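Review bot: the `FIXME: Currently needs OpenSSL 1.1` comment and the four-argument `X509_check_host(peercert, (const unsigned char *)host, strlen(host), 0)` call match a pre-release draft of the API; the function as released in OpenSSL 1.0.2 takes `const char *` and a fifth `char **peername` argument, so this listing does not compile against any released OpenSSL. `ret` is also assigned from `SSL_connect` without a visible declaration in this hunk.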
@ -1,31 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"const char *const req = \"GET / HTTP/1.0\\r\n"
|
||||
"\\r\n"
|
||||
"\";\n"
|
||||
"if (SSL_write(ssl, req, strlen(req)) < 0) {\n"
|
||||
" ssl_print_error_and_exit(ssl, \"SSL_write\", ret);\n"
|
||||
"}\n"
|
||||
"char buf[4096];\n"
|
||||
"ret = SSL_read(ssl, buf, sizeof(buf));\n"
|
||||
"if (ret < 0) {\n"
|
||||
" ssl_print_error_and_exit(ssl, \"SSL_read\", ret);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
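Review bot: the `SSL_write` failure path passes `ret` to `ssl_print_error_and_exit`, but `ret` still holds the `SSL_connect` result from the earlier listing; the return value of `SSL_write` itself is discarded, so any `SSL_get_error` call inside the helper is asked about the wrong operation. Capture it as `ret = SSL_write(...)` and test `ret <= 0`, since 0 is also a failure for `SSL_write`.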
@ -1,27 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// The following call prints an error message and calls exit() if\n"
|
||||
"// the OpenSSL configuration file is unreadable.\n"
|
||||
"OPENSSL_config(NULL);\n"
|
||||
"// Provide human-readable error messages.\n"
|
||||
"SSL_load_error_strings();\n"
|
||||
"// Register ciphers.\n"
|
||||
"SSL_library_init();\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,28 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"sock = ssl.wrap_socket(sock,\n"
|
||||
" ciphers=\"HIGH:-aNULL:-eNULL:-PSK:RC4-SHA:RC4-MD5\",\n"
|
||||
" ssl_version=ssl.PROTOCOL_TLSv1,\n"
|
||||
" cert_reqs=ssl.CERT_REQUIRED,\n"
|
||||
" ca_certs='/etc/ssl/certs/ca-bundle.crt')\n"
|
||||
"# getpeercert() triggers the handshake as a side effect.\n"
|
||||
"if not check_host_name(sock.getpeercert(), host):\n"
|
||||
" raise IOError(\"peer certificate does not match host name\")\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
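Review bot: the comment "getpeercert() triggers the handshake as a side effect" is misleading: `ssl.wrap_socket` on an already connected socket performs the handshake itself with the default `do_handshake_on_connect=True`, so by the time `getpeercert()` runs the handshake and, with `cert_reqs=ssl.CERT_REQUIRED`, chain validation are already complete; only the host name comparison remains. `ssl_version=ssl.PROTOCOL_TLSv1` also pins the connection to TLS 1.0 exclusively rather than merely excluding SSL 2.0.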
@ -1,43 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"def check_host_name(peercert, name):\n"
|
||||
" \"\"\"Simple certificate/host name checker. Returns True if the\n"
|
||||
" certificate matches, False otherwise. Does not support\n"
|
||||
" wildcards.\"\"\"\n"
|
||||
" # Check that the peer has supplied a certificate.\n"
|
||||
" # None/{} is not acceptable.\n"
|
||||
" if not peercert:\n"
|
||||
" return False\n"
|
||||
" if peercert.has_key(\"subjectAltName\"):\n"
|
||||
" for typ, val in peercert[\"subjectAltName\"]:\n"
|
||||
" if typ == \"DNS\" and val == name:\n"
|
||||
" return True\n"
|
||||
" else:\n"
|
||||
" # Only check the subject DN if there is no subject alternative\n"
|
||||
" # name.\n"
|
||||
" cn = None\n"
|
||||
" for attr, val in peercert[\"subject\"]:\n"
|
||||
" # Use most-specific (last) commonName attribute.\n"
|
||||
" if attr == \"commonName\":\n"
|
||||
" cn = val\n"
|
||||
" if cn is not None:\n"
|
||||
" return cn == name\n"
|
||||
" return False\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
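Review bot: the check_host_name example removed here has two defects that should be fixed wherever its source now lives rather than silently carried forward: "peercert.has_key(...)" exists only on Python 2 dictionaries (use "in"), and the loop "for attr, val in peercert[\"subject\"]" unpacks each relative distinguished name, whereas getpeercert() returns "subject" as a tuple of RDNs that are themselves tuples of (attribute, value) pairs, so the commonName branch needs a nested loop (for rdn in peercert["subject"]: for attr, val in rdn:) and as written raises ValueError on an ordinary certificate with single-attribute RDNs.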
@ -1,21 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"gnutls_certificate_free_credentials(cred);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Initiate an orderly connection shutdown.\n"
|
||||
"ret = gnutls_bye(session, GNUTLS_SHUT_RDWR);\n"
|
||||
"if (ret < 0) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_bye: %s\n"
|
||||
"\", gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"// Free the session object.\n"
|
||||
"gnutls_deinit(session);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"gnutls_global_init();\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"char buf[4096];\n"
|
||||
"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n"
|
||||
"Host: %s\\r\n"
|
||||
"\\r\n"
|
||||
"\", host);\n"
|
||||
"ret = gnutls_record_send(session, buf, strlen(buf));\n"
|
||||
"if (ret < 0) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_record_send: %s\n"
|
||||
"\", gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"ret = gnutls_record_recv(session, buf, sizeof(buf));\n"
|
||||
"if (ret < 0) {\n"
|
||||
" fprintf(stderr, \"error: gnutls_record_recv: %s\n"
|
||||
"\", gnutls_strerror(ret));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
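Review bot: in the removed request/response snippet the snprintf result is never compared against sizeof(buf), so an over-long host name yields a silently truncated request that strlen() then hands to gnutls_record_send as-is; the same pattern recurs in the PR_Write variant further down. Also, exiting on every negative return from gnutls_record_send / gnutls_record_recv treats the non-fatal GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED codes as hard errors. If the source behind this msgid is kept, it should check the snprintf length and retry on those two codes.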
@ -1,22 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"SECMOD_DestroyModule(module);\n"
|
||||
"NSS_ShutdownContext(ctx);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// NSPR include files\n"
|
||||
"#include <prerror.h>\n"
|
||||
"#include <prinit.h>\n"
|
||||
"\n"
|
||||
"// NSS include files\n"
|
||||
"#include <nss.h>\n"
|
||||
"#include <pk11pub.h>\n"
|
||||
"#include <secmod.h>\n"
|
||||
"#include <ssl.h>\n"
|
||||
"#include <sslproto.h>\n"
|
||||
"\n"
|
||||
"// Private API, no other way to turn a POSIX file descriptor into an\n"
|
||||
"// NSPR handle.\n"
|
||||
"NSPR_API(PRFileDesc*) PR_ImportTCPSocket(int);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,82 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);\n"
|
||||
"NSSInitContext *const ctx =\n"
|
||||
" NSS_InitContext(\"sql:/etc/pki/nssdb\", \"\", \"\", \"\", NULL,\n"
|
||||
" NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);\n"
|
||||
"if (ctx == NULL) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: NSPR error code %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Ciphers to enable.\n"
|
||||
"static const PRUint16 good_ciphers[] = {\n"
|
||||
" TLS_RSA_WITH_AES_128_CBC_SHA,\n"
|
||||
" TLS_RSA_WITH_AES_256_CBC_SHA,\n"
|
||||
" SSL_RSA_WITH_3DES_EDE_CBC_SHA,\n"
|
||||
" SSL_NULL_WITH_NULL_NULL // sentinel\n"
|
||||
"};\n"
|
||||
"\n"
|
||||
"// Check if the current policy allows any strong ciphers. If it\n"
|
||||
"// doesn't, set the cipher suite policy. This is not thread-safe\n"
|
||||
"// and has global impact. Consequently, we only do it if absolutely\n"
|
||||
"// necessary.\n"
|
||||
"int found_good_cipher = 0;\n"
|
||||
"for (const PRUint16 *p = good_ciphers; *p != SSL_NULL_WITH_NULL_NULL;\n"
|
||||
" ++p) {\n"
|
||||
" PRInt32 policy;\n"
|
||||
" if (SSL_CipherPolicyGet(*p, &policy) != SECSuccess) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: policy for cipher %u: error %d: %s\n"
|
||||
"\",\n"
|
||||
" (unsigned)*p, err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
" if (policy == SSL_ALLOWED) {\n"
|
||||
" fprintf(stderr, \"info: found cipher %x\n"
|
||||
"\", (unsigned)*p);\n"
|
||||
" found_good_cipher = 1;\n"
|
||||
" break;\n"
|
||||
" }\n"
|
||||
"}\n"
|
||||
"if (!found_good_cipher) {\n"
|
||||
" if (NSS_SetDomesticPolicy() != SECSuccess) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: NSS_SetDomesticPolicy: error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
" }\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"// Initialize the trusted certificate store.\n"
|
||||
"char module_name[] = \"library=libnssckbi.so name=\\\"Root Certs\\\"\";\n"
|
||||
"SECMODModule *module = SECMOD_LoadUserModule(module_name, NULL, PR_FALSE);\n"
|
||||
"if (module == NULL || !module->loaded) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: NSPR error code %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
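Review bot: good_ciphers is used as the test of whether "any strong ciphers" are allowed, yet it contains SSL_RSA_WITH_3DES_EDE_CBC_SHA, a 64-bit block cipher that no longer counts as strong, and all three entries use static RSA key exchange with no forward secrecy; if the listing this msgid was generated from is retained, that list should be revisited before the template is regenerated.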
@ -1,41 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"char buf[4096];\n"
|
||||
"snprintf(buf, sizeof(buf), \"GET / HTTP/1.0\\r\n"
|
||||
"Host: %s\\r\n"
|
||||
"\\r\n"
|
||||
"\", host);\n"
|
||||
"PRInt32 ret = PR_Write(nspr, buf, strlen(buf));\n"
|
||||
"if (ret < 0) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: PR_Write error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
"ret = PR_Read(nspr, buf, sizeof(buf));\n"
|
||||
"if (ret < 0) {\n"
|
||||
" const PRErrorCode err = PR_GetError();\n"
|
||||
" fprintf(stderr, \"error: PR_Read error %d: %s\n"
|
||||
"\",\n"
|
||||
" err, PR_ErrorToName(err));\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"const int val = 1;\n"
|
||||
"int ret = setsockopt(sockfd, IPPROTO_TCP, TCP_NODELAY, &val, sizeof(val));\n"
|
||||
"if (ret < 0) {\n"
|
||||
" perror(\"setsockopt(TCP_NODELAY)\");\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Prepare TLS parameters. These have to applied to every TLS\n"
|
||||
"// socket before the handshake is triggered.\n"
|
||||
"SSLParameters params = ctx.getDefaultSSLParameters();\n"
|
||||
"// Do not send an SSL-2.0-compatible Client Hello.\n"
|
||||
"ArrayList<String> protocols = new ArrayList<String>(\n"
|
||||
" Arrays.asList(params.getProtocols()));\n"
|
||||
"protocols.remove(\"SSLv2Hello\");\n"
|
||||
"params.setProtocols(protocols.toArray(new String[protocols.size()]));\n"
|
||||
"// Adjust the supported ciphers.\n"
|
||||
"ArrayList<String> ciphers = new ArrayList<String>(\n"
|
||||
" Arrays.asList(params.getCipherSuites()));\n"
|
||||
"ciphers.retainAll(Arrays.asList(\n"
|
||||
" \"TLS_RSA_WITH_AES_128_CBC_SHA256\",\n"
|
||||
" \"TLS_RSA_WITH_AES_256_CBC_SHA256\",\n"
|
||||
" \"TLS_RSA_WITH_AES_256_CBC_SHA\",\n"
|
||||
" \"TLS_RSA_WITH_AES_128_CBC_SHA\",\n"
|
||||
" \"SSL_RSA_WITH_3DES_EDE_CBC_SHA\",\n"
|
||||
" \"SSL_RSA_WITH_RC4_128_SHA1\",\n"
|
||||
" \"SSL_RSA_WITH_RC4_128_MD5\",\n"
|
||||
" \"TLS_EMPTY_RENEGOTIATION_INFO_SCSV\"));\n"
|
||||
"params.setCipherSuites(ciphers.toArray(new String[ciphers.size()]));\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
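Review bot: "SSL_RSA_WITH_RC4_128_SHA1" is not a JSSE standard cipher suite name (the registered name is SSL_RSA_WITH_RC4_128_SHA), and because retainAll() silently discards any name absent from params.getCipherSuites(), the typo never surfaces as an error; the two RC4 suites should be dropped from the retained list anyway. Worth checking the source this msgid came from, since removing the template alone does not change the published example.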
@ -1,45 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// Send the close_notify alert.\n"
|
||||
"ret = SSL_shutdown(ssl);\n"
|
||||
"switch (ret) {\n"
|
||||
"case 1:\n"
|
||||
" // A close_notify alert has already been received.\n"
|
||||
" break;\n"
|
||||
"case 0:\n"
|
||||
" // Wait for the close_notify alert from the peer.\n"
|
||||
" ret = SSL_shutdown(ssl);\n"
|
||||
" switch (ret) {\n"
|
||||
" case 0:\n"
|
||||
" fprintf(stderr, \"info: second SSL_shutdown returned zero\n"
|
||||
"\");\n"
|
||||
" break;\n"
|
||||
" case 1:\n"
|
||||
" break;\n"
|
||||
" default:\n"
|
||||
" ssl_print_error_and_exit(ssl, \"SSL_shutdown 2\", ret);\n"
|
||||
" }\n"
|
||||
" break;\n"
|
||||
"default:\n"
|
||||
" ssl_print_error_and_exit(ssl, \"SSL_shutdown 1\", ret);\n"
|
||||
"}\n"
|
||||
"SSL_free(ssl);\n"
|
||||
"close(sockfd);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"SSL_CTX_free(ctx);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,50 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"static void __attribute__((noreturn))\n"
|
||||
"ssl_print_error_and_exit(SSL *ssl, const char *op, int ret)\n"
|
||||
"{\n"
|
||||
" int subcode = SSL_get_error(ssl, ret);\n"
|
||||
" switch (subcode) {\n"
|
||||
" case SSL_ERROR_NONE:\n"
|
||||
" fprintf(stderr, \"error: %s: no error to report\n"
|
||||
"\", op);\n"
|
||||
" break;\n"
|
||||
" case SSL_ERROR_WANT_READ:\n"
|
||||
" case SSL_ERROR_WANT_WRITE:\n"
|
||||
" case SSL_ERROR_WANT_X509_LOOKUP:\n"
|
||||
" case SSL_ERROR_WANT_CONNECT:\n"
|
||||
" case SSL_ERROR_WANT_ACCEPT:\n"
|
||||
" fprintf(stderr, \"error: %s: invalid blocking state %d\n"
|
||||
"\", op, subcode);\n"
|
||||
" break;\n"
|
||||
" case SSL_ERROR_SSL:\n"
|
||||
" fprintf(stderr, \"error: %s: TLS layer problem\n"
|
||||
"\", op);\n"
|
||||
" case SSL_ERROR_SYSCALL:\n"
|
||||
" fprintf(stderr, \"error: %s: system call failed: %s\n"
|
||||
"\", op, strerror(errno));\n"
|
||||
" break;\n"
|
||||
" case SSL_ERROR_ZERO_RETURN:\n"
|
||||
" fprintf(stderr, \"error: %s: zero return\n"
|
||||
"\", op);\n"
|
||||
" }\n"
|
||||
" exit(1);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
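Review bot: the "case SSL_ERROR_SSL:" branch has no break before "case SSL_ERROR_SYSCALL:", so a TLS-layer failure is followed by a misleading "system call failed" line quoting whatever errno happens to hold; the SSL_ERROR_SSL branch should instead drain OpenSSL's error queue (ERR_print_errors_fp(stderr)) and break. A default case is also missing, so an unrecognised subcode exits with no message at all. If the source behind this msgid is still in the tree, it needs the same fix.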
@ -1,21 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"sock.close()\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"sock.write(\"GET / HTTP/1.1\\r\n"
|
||||
"Host: \" + host + \"\\r\n"
|
||||
"\\r\n"
|
||||
"\")\n"
|
||||
"print sock.read()\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
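Review bot: a single sock.read() returns at most one buffer's worth of data, not the whole response, so the removed example prints a truncated reply for anything but a tiny page; the source example should loop until read() returns an empty string. Note also that the request is HTTP/1.1 without a "Connection: close" header, so the server may keep the connection open and such a loop would then block; either send that header or use HTTP/1.0 as the C examples above do.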
@ -1,214 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:42\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:42\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The core language"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Implementations of the Java programming language provide strong memory safety, even in the presence of data races in concurrent code. This prevents a large range of security vulnerabilities from occurring, unless certain low-level features are used; see <xref linkend=\"sect-Defensive_Coding-Java-LowLevel\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Inceasing robustness when reading arrays"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "External data formats often include arrays, and the data is stored as an integer indicating the number of array elements, followed by this number of elements in the file or protocol data unit. This length specified can be much larger than what is actually available in the data source."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To avoid allocating extremely large amounts of data, you can allocate a small array initially and grow it as you read more data, implementing an exponential growth policy. See the <function>readBytes(InputStream, int)</function> function in <xref linkend=\"ex-Defensive_Coding-Java-Language-ReadArray\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Incrementally reading a byte array"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When reading data into arrays, hash maps or hash sets, use the default constructor and do not specify a size hint. You can simply add the elements to the collection as you read them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Resource management"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Unlike C++, Java does not offer destructors which can deallocate resources in a predictable fashion. All resource management has to be manual, at the usage site. (Finalizers are generally not usable for resource management, especially in high-performance code; see <xref linkend=\"sect-Defensive_Coding-Java-Language-Finalizers\" />.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The first option is the <literal>try</literal>-<literal>finally</literal> construct, as shown in <xref linkend=\"ex-Defensive_Coding-Java-Language-Finally\" />. The code in the <literal>finally</literal> block should be as short as possible and should not throw any exceptions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Resource management with a <literal>try</literal>-<literal>finally</literal> block"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Note that the resource allocation happens <emphasis>outside</emphasis> the <literal>try</literal> block, and that there is no <literal>null</literal> check in the <literal>finally</literal> block. (Both are common artifacts stemming from IDE code templates.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the resource object is created freshly and implements the <literal>java.lang.AutoCloseable</literal> interface, the code in <xref linkend=\"ex-Defensive_Coding-Java-Language-TryWithResource\" /> can be used instead. The Java compiler will automatically insert the <function>close()</function> method call in a synthetic <literal>finally</literal> block."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Resource management using the <literal>try</literal>-with-resource construct"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To be compatible with the <literal>try</literal>-with-resource construct, new classes should name the resource deallocation method <function>close()</function>, and implement the <literal>AutoCloseable</literal> interface (the latter breaking backwards compatibility with Java 6). However, using the <literal>try</literal>-with-resource construct with objects that are not freshly allocated is at best awkward, and an explicit <literal>finally</literal> block is usually the better approach."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In general, it is best to design the programming interface in such a way that resource deallocation methods like <function>close()</function> cannot throw any (checked or unchecked) exceptions, but this should not be a reason to ignore any actual error conditions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Finalizers"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Finalizers can be used a last-resort approach to free resources which would otherwise leak. Finalization is unpredictable, costly, and there can be a considerable delay between the last reference to an object going away and the execution of the finalizer. Generally, manual resource management is required; see <xref linkend=\"sect-Defensive_Coding-Java-Language-Resources\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Finalizers should be very short and should only deallocate native or other external resources held directly by the object being finalized. In general, they must use synchronization: Finalization necessarily happens on a separate thread because it is inherently concurrent. There can be multiple finalization threads, and despite each object being finalized at most once, the finalizer must not assume that it has exclusive access to the object being finalized (in the <literal>this</literal> pointer)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Finalizers should not deallocate resources held by other objects, especially if those objects have finalizers on their own. In particular, it is a very bad idea to define a finalizer just to invoke the resource deallocation method of another object, or overwrite some pointer fields."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Finalizers are not guaranteed to run at all. For instance, the virtual machine (or the machine underneath) might crash, preventing their execution."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Objects with finalizers are garbage-collected much later than objects without them, so using finalizers to zero out key material (to reduce its undecrypted lifetime in memory) may have the opposite effect, keeping objects around for much longer and prevent them from being overwritten in the normal course of program execution."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For the same reason, code which allocates objects with finalizers at a high rate will eventually fail (likely with a <literal>java.lang.OutOfMemoryError</literal> exception) because the virtual machine has finite resources for keeping track of objects pending finalization. To deal with that, it may be necessary to recycle objects with finalizers."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The remarks in this section apply to finalizers which are implemented by overriding the <function>finalize()</function> method, and to custom finalization using reference queues."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Recovering from exceptions and errors"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Java exceptions come in three kinds, all ultimately deriving from <literal>java.lang.Throwable</literal>:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<emphasis>Run-time exceptions</emphasis> do not have to be declared explicitly and can be explicitly thrown from any code, by calling code which throws them, or by triggering an error condition at run time, like division by zero, or an attempt at an out-of-bounds array access. These exceptions derive from from the <literal>java.lang.RuntimeException</literal> class (perhaps indirectly)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<emphasis>Checked exceptions</emphasis> have to be declared explicitly by functions that throw or propagate them. They are similar to run-time exceptions in other regards, except that there is no language construct to throw them (except the <literal>throw</literal> statement itself). Checked exceptions are only present at the Java language level and are only enforced at compile time. At run time, the virtual machine does not know about them and permits throwing exceptions from any code. Checked exceptions must derive (perhaps indirectly) from the <literal>java.lang.Exception</literal> class, but not from <literal>java.lang.RuntimeException</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<emphasis>Errors</emphasis> are exceptions which typically reflect serious error conditions. They can be thrown at any point in the program, and do not have to be declared (unlike checked exceptions). In general, it is not possible to recover from such errors; more on that below, in <xref linkend=\"sect-Defensive_Coding-Java-Language-Exceptions-Errors\" />. Error classes derive (perhaps indirectly) from <literal>java.lang.Error</literal>, or from <literal>java.lang.Throwable</literal>, but not from <literal>java.lang.Exception</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The general expection is that run-time errors are avoided by careful programming (e.g., not dividing by zero). Checked exception are expected to be caught as they happen (e.g., when an input file is unexpectedly missing). Errors are impossible to predict and can happen at any point and reflect that something went wrong beyond all expectations."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The difficulty of catching errors"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Errors (that is, exceptions which do not (indirectly) derive from <literal>java.lang.Exception</literal>), have the peculiar property that catching them is problematic. There are several reasons for this:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The error reflects a failed consistenty check, for example, <literal>java.lang.AssertionError</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The error can happen at any point, resulting in inconsistencies due to half-updated objects. Examples are <literal>java.lang.ThreadDeath</literal>, <literal>java.lang.OutOfMemoryError</literal> and <literal>java.lang.StackOverflowError</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The error indicates that virtual machine failed to provide some semantic guarantees by the Java programming language. <literal>java.lang.ExceptionInInitializerError</literal> is an example—it can leave behind a half-initialized class."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In general, if an error is thrown, the virtual machine should be restarted as soon as possible because it is in an inconsistent state. Continuing running as before can have unexpected consequences. However, there are legitimate reasons for catching errors because not doing so leads to even greater problems."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Code should be written in a way that avoids triggering errors. See <xref linkend=\"sect-Defensive_Coding-Java-Language-ReadArray\" /> for an example."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is usually necessary to log errors. Otherwise, no trace of the problem might be left anywhere, making it very difficult to diagnose realted failures. Consequently, if you catch <literal>java.lang.Exception</literal> to log and suppress all unexpected exceptions (for example, in a request dispatching loop), you should consider switching to <literal>java.lang.Throwable</literal> instead, to also cover errors."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The other reason mainly applies to such request dispatching loops: If you do not catch errors, the loop stops looping, resulting in a denial of service."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "However, if possible, catching errors should be coupled with a way to signal the requirement of a virtual machine restart."
|
||||
msgstr ""
|
||||
|
|
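Review bot: the removed msgids contain several typos that will come straight back if the templates are regenerated from an unchanged source: "Inceasing robustness", "derive from from", "Finalizers can be used a last-resort" (missing "as"), "The general expection", "consistenty check" and "realted failures". Fix them in the source first so translators are not handed the misspelled strings again.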
@ -1,119 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Low-level features of the virtual machine"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<literal>Reflection and private parts</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>setAccessible(boolean)</function> method of the <literal>java.lang.reflect.AccessibleObject</literal> class allows a program to disable language-defined access rules for specific constructors, methods, or fields. Once the access checks are disabled, any code can use the <literal>java.lang.reflect.Constructor</literal>, <literal>java.lang.reflect.Method</literal>, or <literal>java.lang.reflect.Field</literal> object to access the underlying Java entity, without further permission checks. This breaks encapsulation and can undermine the stability of the virtual machine. (In contrast, without using the <function>setAccessible(boolean)</function> method, this should not happen because all the language-defined checks still apply.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This feature should be avoided if possible."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Java Native Interface (JNI)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The Java Native Interface allows calling from Java code functions specifically written for this purpose, usually in C or C++."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The transition between the Java world and the C world is not fully type-checked, and the C code can easily break the Java virtual machine semantics. Therefore, extra care is needed when using this functionality."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To provide a moderate amount of type safety, it is recommended to recreate the class-specific header file using <application>javah</application> during the build process, include it in the implementation, and use the <option>-Wmissing-declarations</option> option."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Ideally, the required data is directly passed to static JNI methods and returned from them, and the code and the C side does not have to deal with accessing Java fields (or even methods)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When using <function>GetPrimitiveArrayCritical</function> or <function>GetStringCritical</function>, make sure that you only perform very little processing between the get and release operations. Do not access the file system or the network, and not perform locking, because that might introduce blocking. When processing large strings or arrays, consider splitting the computation into multiple sub-chunks, so that you do not prevent the JVM from reaching a safepoint for extended periods of time."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If necessary, you can use the Java <literal>long</literal> type to store a C pointer in a field of a Java class. On the C side, when casting between the <literal>jlong</literal> value and the pointer on the C side,"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "You should not try to perform pointer arithmetic on the Java side (that is, you should treat pointer-carrying <literal>long</literal> values as opaque). When passing a slice of an array to the native code, follow the Java convention and pass it as the base array, the integer offset of the start of the slice, and the integer length of the slice. On the native side, check the offset/length combination against the actual array length, and use the offset to compute the pointer to the beginning of the array."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Array length checking in JNI code"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In any case, classes referring to native resources must be declared <literal>final</literal>, and must not be serializeable or cloneable. Initialization and mutation of the state used by the native side must be controlled carefully. Otherwise, it might be possible to create an object with inconsistent native state which results in a crash (or worse) when used (or perhaps only finalized) later. If you need both Java inheritance and native resources, you should consider moving the native state to a separate class, and only keep a reference to objects of that class. This way, cloning and serialization issues can be avoided in most cases."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If there are native resources associated with an object, the class should have an explicit resource deallocation method (<xref linkend=\"sect-Defensive_Coding-Java-Language-Resources\" />) and a finalizer (<xref linkend=\"sect-Defensive_Coding-Java-Language-Finalizers\" />) as a last resort. The need for finalization means that a minimum amount of synchronization is needed. Code on the native side should check that the object is not in a closed/freed state."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Many JNI functions create local references. By default, these persist until the JNI-implemented method returns. If you create many such references (e.g., in a loop), you may have to free them using <function>DeleteLocalRef</function>, or start using <function>PushLocalFrame</function> and <function>PopLocalFrame</function>. Global references must be deallocated with <function>DeleteGlobalRef</function>, otherwise there will be a memory leak, just as with <function>malloc</function> and <function>free</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When throwing exceptions using <function>Throw</function> or <function>ThrowNew</function>, be aware that these functions return regularly. You have to return control manually to the JVM."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Technically, the <literal>JNIEnv</literal> pointer is not necessarily constant during the lifetime of your JNI module. Storing it in a global variable is therefore incorrect. Particularly if you are dealing with callbacks, you may have to store the pointer in a thread-local variable (defined with <literal>__thread</literal>). It is, however, best to avoid the complexity of calling back into Java code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Keep in mind that C/C++ and Java are different languages, despite very similar syntax for expressions. The Java memory model is much more strict than the C or C++ memory models, and native code needs more synchronization, usually using JVM facilities or POSIX threads mutexes. Integer overflow in Java is defined, but in C/C++ it is not (for the <literal>jint</literal> and <literal>jlong</literal> types)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<literal>sun.misc.Unsafe</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>sun.misc.Unsafe</literal> class is unportable and contains many functions explicitly designed to break Java memory safety (for performance and debugging). If possible, avoid using this class."
|
||||
msgstr ""
|
||||
|
|
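Review bot: the entry "If necessary, you can use the Java long type to store a C pointer in a field of a Java class" ends mid-sentence at "and the pointer on the C side," with no continuation in this template, so the paragraph in the source this POT was generated from looks truncated. Since the hunk only deletes the generated file (@ -1,119 +0,0), please check that paragraph in the source document and complete it before the templates are regenerated; otherwise translators will receive the same dangling sentence again.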
@ -1,228 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Interacting with the security manager"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The Java platform is largely implemented in the Java language itself. Therefore, within the same JVM, code runs which is part of the Java installation and which is trusted, but there might also be code which comes from untrusted sources and is restricted by the Java sandbox (to varying degrees). The <emphasis>security manager</emphasis> draws a line between fully trusted, partially trusted and untrusted code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The type safety and accessibility checks provided by the Java language and JVM would be sufficient to implement a sandbox. However, only some Java APIs employ such a capabilities-based approach. (The Java SE library contains many public classes with public constructors which can break any security policy, such as <literal>java.io.FileOutputStream</literal>.) Instead, critical functionality is protected by <emphasis>stack inspection</emphasis>: At a security check, the stack is walked from top (most-nested) to bottom. The security check fails if a stack frame for a method is encountered whose class lacks the permission which the security check requires."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This simple approach would not allow untrusted code (which lacks certain permissions) to call into trusted code while the latter retains trust. Such trust transitions are desirable because they enable Java as an implementation language for most parts of the Java platform, including security-relevant code. Therefore, there is a mechanism to mark certain stack frames as trusted (<xref linkend=\"sect-Defensive_Coding-Java-SecurityManager-Privileged\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In theory, it is possible to run a Java virtual machine with a security manager that acts very differently from this approach, but a lot of code expects behavior very close to the platform default (including many classes which are part of the OpenJDK implementation)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Security manager compatibility"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "A lot of code can run without any additional permissions at all, with little changes. The following guidelines should help to increase compatibility with a restrictive security manager."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When retrieving system properties using <function>System.getProperty(String)</function> or similar methods, catch <literal>SecurityException</literal> exceptions and treat the property as unset."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Avoid unnecessary file system or network access."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Avoid explicit class loading. Access to a suitable class loader might not be available when executing as untrusted code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the functionality you are implementing absolutely requires privileged access and this functionality has to be used from untrusted code (hopefully in a restricted and secure manner), see <xref linkend=\"sect-Defensive_Coding-Java-SecurityManager-Privileged\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Activating the security manager"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The usual command to launch a Java application, <command>java</command>, does not activate the security manager. Therefore, the virtual machine does not enforce any sandboxing restrictions, even if explicitly requested by the code (for example, as described in <xref linkend=\"sect-Defensive_Coding-Java-SecurityManager-Unprivileged\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <option>-Djava.security.manager</option> option activates the security manager, with the fairly restrictive default policy. With a very permissive policy, most Java code will run unchanged. Assuming the policy in <xref linkend=\"ex-Defensive_Coding-Java-SecurityManager-GrantAll\" /> has been saved in a file <filename>grant-all.policy</filename>, this policy can be activated using the option <option>-Djava.security.policy=grant-all.policy</option> (in addition to the <option>-Djava.security.manager</option> option)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Most permissve OpenJDK policy file"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"grant {\n"
|
||||
" permission java.security.AllPermission;\n"
|
||||
"};\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "With this most permissive policy, the security manager is still active, and explicit requests to drop privileges will be honored."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Reducing trust in code"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-Java-SecurityManager-Unprivileged\" /> shows how to run a piece code of with reduced privileges."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using the security manager to run code with reduced privileges"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The example above does not add any additional permissions to the <literal>permissions</literal> object. If such permissions are necessary, code like the following (which grants read permission on all files in the current directory) can be used:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Calls to the <function>java.security.AccessController.doPrivileged()</function> methods do not enforce any additional restriction if no security manager has been set. Except for a few special exceptions, the restrictions no longer apply if the <function>doPrivileged()</function> has returned, even to objects created by the code which ran with reduced privileges. (This applies to object finalization in particular.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The example code above does not prevent the called code from calling the <function>java.security.AccessController.doPrivileged()</function> methods. This mechanism should be considered an additional safety net, but it still can be used to prevent unexpected behavior of trusted code. As long as the executed code is not dynamic and came with the original application or library, the sandbox is fairly effective."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>context</literal> argument in <xref linkend=\"ex-Defensive_Coding-Java-SecurityManager-Unprivileged\" /> is extremely important—otherwise, this code would increase privileges instead of reducing them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For activating the security manager, see <xref linkend=\"sect-Defensive_Coding-Java-SecurityManager-Activate\" />. Unfortunately, this affects the virtual machine as a whole, so it is not possible to do this from a library."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Re-gaining privileges"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Ordinarily, when trusted code is called from untrusted code, it loses its privileges (because of the untrusted stack frames visible to stack inspection). The <function>java.security.AccessController.doPrivileged()</function> family of methods provides a controlled backdoor from untrusted to trusted code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "By design, this feature can undermine the Java security model and the sandbox. It has to be used very carefully. Most sandbox vulnerabilities can be traced back to its misuse."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In essence, the <function>doPrivileged()</function> methods cause the stack inspection to end at their call site. Untrusted code further down the call stack becomes invisible to security checks."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following operations are common and safe to perform with elevated privileges."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Reading custom system properties with fixed names, especially if the value is not propagated to untrusted code. (File system paths including installation paths, host names and user names are sometimes considered private information and need to be protected.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Reading from the file system at fixed paths, either determined at compile time or by a system property. Again, leaking the file contents to the caller can be problematic."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Accessing network resources under a fixed address, name or URL, derived from a system property or configuration file, information leaks not withstanding."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-Java-SecurityManager-Privileged\" /> shows how to request additional privileges."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using the security manager to run code with increased privileges"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Obviously, this only works if the class containing the call to <function>doPrivileged()</function> is marked trusted (usually because it is loaded from a trusted class loader)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When writing code that runs with elevated privileges, make sure that you follow the rules below."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Make the privileged code as small as possible. Perform as many computations as possible before and after the privileged code section, even if it means that you have to define a new class to pass the data around."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Make sure that you either control the inputs to the privileged code, or that the inputs are harmless and cannot affect security properties of the privileged code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Data that is returned from or written by the privileged code must either be restricted (that is, it cannot be accessed by untrusted code), or must be harmless. Otherwise, privacy leaks or information disclosures which affect security properties can be the result."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the code calls back into untrusted code at a later stage (or performs other actions under control from the untrusted caller), you must obtain the original security context and restore it before performing the callback, as in <xref linkend=\"ex-Defensive_Coding-Java-SecurityManager-Callback\" />. (In this example, it would be much better to move the callback invocation out of the privileged code section, of course.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Restoring privileges when invoking callbacks"
|
||||
msgstr ""
|
||||
|
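Review bot: several msgids in this hunk carry source typos that removing the generated template will not fix: "Most permissve OpenJDK policy file" (permissive), "run a piece code of with reduced privileges" (a piece of code), and "information leaks not withstanding" (notwithstanding). Fix them in the DocBook source, since the msgids will be regenerated from it. Note also that the grant-all policy listing ("grant { permission java.security.AllPermission; };") is the only programlisting this template carried; the titled examples "Using the security manager to run code with reduced privileges", "Using the security manager to run code with increased privileges" and "Restoring privileges when invoking callbacks", and the sentence ending "code like the following ... can be used:", have no accompanying listing entry here, so confirm those Java examples live in the source document itself rather than assuming the translation templates covered them.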
19
pot/Java.pot
|
@ -1,19 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The Java Programming Language"
|
||||
msgstr ""
|
||||
|
|
@ -1,19 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The Java Programming Language"
|
||||
msgstr ""
|
||||
|
|
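Review bot: this Java.pot hunk and the one immediately above it are identical apart from the POT-Creation-Date and PO-Revision-Date header lines (2013-08-13 here, 2013-09-18 above), so the tree held two stale copies of the same one-entry template generated a month apart. Removing both is consistent with the commit's purpose, but please confirm that no .po files are still keyed on either path, so that translators' existing files are not left orphaned when the templates are regenerated at a single location.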
@ -1,214 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The core language"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Implementations of the Java programming language provide strong memory safety, even in the presence of data races in concurrent code. This prevents a large range of security vulnerabilities from occurring, unless certain low-level features are used; see <xref linkend=\"sect-Defensive_Coding-Java-LowLevel\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Inceasing robustness when reading arrays"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "External data formats often include arrays, and the data is stored as an integer indicating the number of array elements, followed by this number of elements in the file or protocol data unit. This length specified can be much larger than what is actually available in the data source."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To avoid allocating extremely large amounts of data, you can allocate a small array initially and grow it as you read more data, implementing an exponential growth policy. See the <function>readBytes(InputStream, int)</function> function in <xref linkend=\"ex-Defensive_Coding-Java-Language-ReadArray\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Incrementally reading a byte array"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When reading data into arrays, hash maps or hash sets, use the default constructor and do not specify a size hint. You can simply add the elements to the collection as you read them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Resource management"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Unlike C++, Java does not offer destructors which can deallocate resources in a predictable fashion. All resource management has to be manual, at the usage site. (Finalizers are generally not usable for resource management, especially in high-performance code; see <xref linkend=\"sect-Defensive_Coding-Java-Language-Finalizers\" />.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The first option is the <literal>try</literal>-<literal>finally</literal> construct, as shown in <xref linkend=\"ex-Defensive_Coding-Java-Language-Finally\" />. The code in the <literal>finally</literal> block should be as short as possible and should not throw any exceptions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Resource management with a <literal>try</literal>-<literal>finally</literal> block"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Note that the resource allocation happens <emphasis>outside</emphasis> the <literal>try</literal> block, and that there is no <literal>null</literal> check in the <literal>finally</literal> block. (Both are common artifacts stemming from IDE code templates.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the resource object is created freshly and implements the <literal>java.lang.AutoCloseable</literal> interface, the code in <xref linkend=\"ex-Defensive_Coding-Java-Language-TryWithResource\" /> can be used instead. The Java compiler will automatically insert the <function>close()</function> method call in a synthetic <literal>finally</literal> block."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Resource management using the <literal>try</literal>-with-resource construct"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To be compatible with the <literal>try</literal>-with-resource construct, new classes should name the resource deallocation method <function>close()</function>, and implement the <literal>AutoCloseable</literal> interface (the latter breaking backwards compatibility with Java 6). However, using the <literal>try</literal>-with-resource construct with objects that are not freshly allocated is at best awkward, and an explicit <literal>finally</literal> block is usually the better approach."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In general, it is best to design the programming interface in such a way that resource deallocation methods like <function>close()</function> cannot throw any (checked or unchecked) exceptions, but this should not be a reason to ignore any actual error conditions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Finalizers"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Finalizers can be used a last-resort approach to free resources which would otherwise leak. Finalization is unpredictable, costly, and there can be a considerable delay between the last reference to an object going away and the execution of the finalizer. Generally, manual resource management is required; see <xref linkend=\"sect-Defensive_Coding-Java-Language-Resources\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Finalizers should be very short and should only deallocate native or other external resources held directly by the object being finalized. In general, they must use synchronization: Finalization necessarily happens on a separate thread because it is inherently concurrent. There can be multiple finalization threads, and despite each object being finalized at most once, the finalizer must not assume that it has exclusive access to the object being finalized (in the <literal>this</literal> pointer)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Finalizers should not deallocate resources held by other objects, especially if those objects have finalizers on their own. In particular, it is a very bad idea to define a finalizer just to invoke the resource deallocation method of another object, or overwrite some pointer fields."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Finalizers are not guaranteed to run at all. For instance, the virtual machine (or the machine underneath) might crash, preventing their execution."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Objects with finalizers are garbage-collected much later than objects without them, so using finalizers to zero out key material (to reduce its undecrypted lifetime in memory) may have the opposite effect, keeping objects around for much longer and prevent them from being overwritten in the normal course of program execution."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For the same reason, code which allocates objects with finalizers at a high rate will eventually fail (likely with a <literal>java.lang.OutOfMemoryError</literal> exception) because the virtual machine has finite resources for keeping track of objects pending finalization. To deal with that, it may be necessary to recycle objects with finalizers."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The remarks in this section apply to finalizers which are implemented by overriding the <function>finalize()</function> method, and to custom finalization using reference queues."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Recovering from exceptions and errors"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Java exceptions come in three kinds, all ultimately deriving from <literal>java.lang.Throwable</literal>:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<emphasis>Run-time exceptions</emphasis> do not have to be declared explicitly and can be explicitly thrown from any code, by calling code which throws them, or by triggering an error condition at run time, like division by zero, or an attempt at an out-of-bounds array access. These exceptions derive from from the <literal>java.lang.RuntimeException</literal> class (perhaps indirectly)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<emphasis>Checked exceptions</emphasis> have to be declared explicitly by functions that throw or propagate them. They are similar to run-time exceptions in other regards, except that there is no language construct to throw them (except the <literal>throw</literal> statement itself). Checked exceptions are only present at the Java language level and are only enforced at compile time. At run time, the virtual machine does not know about them and permits throwing exceptions from any code. Checked exceptions must derive (perhaps indirectly) from the <literal>java.lang.Exception</literal> class, but not from <literal>java.lang.RuntimeException</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<emphasis>Errors</emphasis> are exceptions which typically reflect serious error conditions. They can be thrown at any point in the program, and do not have to be declared (unlike checked exceptions). In general, it is not possible to recover from such errors; more on that below, in <xref linkend=\"sect-Defensive_Coding-Java-Language-Exceptions-Errors\" />. Error classes derive (perhaps indirectly) from <literal>java.lang.Error</literal>, or from <literal>java.lang.Throwable</literal>, but not from <literal>java.lang.Exception</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The general expection is that run-time errors are avoided by careful programming (e.g., not dividing by zero). Checked exception are expected to be caught as they happen (e.g., when an input file is unexpectedly missing). Errors are impossible to predict and can happen at any point and reflect that something went wrong beyond all expectations."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The difficulty of catching errors"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Errors (that is, exceptions which do not (indirectly) derive from <literal>java.lang.Exception</literal>), have the peculiar property that catching them is problematic. There are several reasons for this:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The error reflects a failed consistenty check, for example, <literal>java.lang.AssertionError</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The error can happen at any point, resulting in inconsistencies due to half-updated objects. Examples are <literal>java.lang.ThreadDeath</literal>, <literal>java.lang.OutOfMemoryError</literal> and <literal>java.lang.StackOverflowError</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The error indicates that virtual machine failed to provide some semantic guarantees by the Java programming language. <literal>java.lang.ExceptionInInitializerError</literal> is an example—it can leave behind a half-initialized class."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In general, if an error is thrown, the virtual machine should be restarted as soon as possible because it is in an inconsistent state. Continuing running as before can have unexpected consequences. However, there are legitimate reasons for catching errors because not doing so leads to even greater problems."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Code should be written in a way that avoids triggering errors. See <xref linkend=\"sect-Defensive_Coding-Java-Language-ReadArray\" /> for an example."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is usually necessary to log errors. Otherwise, no trace of the problem might be left anywhere, making it very difficult to diagnose realted failures. Consequently, if you catch <literal>java.lang.Exception</literal> to log and suppress all unexpected exceptions (for example, in a request dispatching loop), you should consider switching to <literal>java.lang.Throwable</literal> instead, to also cover errors."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The other reason mainly applies to such request dispatching loops: If you do not catch errors, the loop stops looping, resulting in a denial of service."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "However, if possible, catching errors should be coupled with a way to signal the requirement of a virtual machine restart."
|
||||
msgstr ""
|
||||
|
|
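Review bot: the removed strings carry typos that should not survive if this text lives on in another source format: "The general expection is" (expectation), "Checked exception are expected" (exceptions), "a failed consistenty check" (consistency), "diagnose realted failures" (related), and "indicates that virtual machine failed" is missing "the". Deleting the POT itself is fine; just confirm the successor source was not produced from this text verbatim, otherwise translators inherit the same defects in the next extraction.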
@ -1,119 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Low-level features of the virtual machine"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<literal>Reflection and private parts</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>setAccessible(boolean)</function> method of the <literal>java.lang.reflect.AccessibleObject</literal> class allows a program to disable language-defined access rules for specific constructors, methods, or fields. Once the access checks are disabled, any code can use the <literal>java.lang.reflect.Constructor</literal>, <literal>java.lang.reflect.Method</literal>, or <literal>java.lang.reflect.Field</literal> object to access the underlying Java entity, without further permission checks. This breaks encapsulation and can undermine the stability of the virtual machine. (In contrast, without using the <function>setAccessible(boolean)</function> method, this should not happen because all the language-defined checks still apply.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This feature should be avoided if possible."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Java Native Interface (JNI)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The Java Native Interface allows calling from Java code functions specifically written for this purpose, usually in C or C++."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The transition between the Java world and the C world is not fully type-checked, and the C code can easily break the Java virtual machine semantics. Therefore, extra care is needed when using this functionality."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To provide a moderate amount of type safety, it is recommended to recreate the class-specific header file using <application>javah</application> during the build process, include it in the implementation, and use the <option>-Wmissing-declarations</option> option."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Ideally, the required data is directly passed to static JNI methods and returned from them, and the code and the C side does not have to deal with accessing Java fields (or even methods)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When using <function>GetPrimitiveArrayCritical</function> or <function>GetStringCritical</function>, make sure that you only perform very little processing between the get and release operations. Do not access the file system or the network, and not perform locking, because that might introduce blocking. When processing large strings or arrays, consider splitting the computation into multiple sub-chunks, so that you do not prevent the JVM from reaching a safepoint for extended periods of time."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If necessary, you can use the Java <literal>long</literal> type to store a C pointer in a field of a Java class. On the C side, when casting between the <literal>jlong</literal> value and the pointer on the C side,"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "You should not try to perform pointer arithmetic on the Java side (that is, you should treat pointer-carrying <literal>long</literal> values as opaque). When passing a slice of an array to the native code, follow the Java convention and pass it as the base array, the integer offset of the start of the slice, and the integer length of the slice. On the native side, check the offset/length combination against the actual array length, and use the offset to compute the pointer to the beginning of the array."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Array length checking in JNI code"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In any case, classes referring to native resources must be declared <literal>final</literal>, and must not be serializeable or cloneable. Initialization and mutation of the state used by the native side must be controlled carefully. Otherwise, it might be possible to create an object with inconsistent native state which results in a crash (or worse) when used (or perhaps only finalized) later. If you need both Java inheritance and native resources, you should consider moving the native state to a separate class, and only keep a reference to objects of that class. This way, cloning and serialization issues can be avoided in most cases."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If there are native resources associated with an object, the class should have an explicit resource deallocation method (<xref linkend=\"sect-Defensive_Coding-Java-Language-Resources\" />) and a finalizer (<xref linkend=\"sect-Defensive_Coding-Java-Language-Finalizers\" />) as a last resort. The need for finalization means that a minimum amount of synchronization is needed. Code on the native side should check that the object is not in a closed/freed state."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Many JNI functions create local references. By default, these persist until the JNI-implemented method returns. If you create many such references (e.g., in a loop), you may have to free them using <function>DeleteLocalRef</function>, or start using <function>PushLocalFrame</function> and <function>PopLocalFrame</function>. Global references must be deallocated with <function>DeleteGlobalRef</function>, otherwise there will be a memory leak, just as with <function>malloc</function> and <function>free</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When throwing exceptions using <function>Throw</function> or <function>ThrowNew</function>, be aware that these functions return regularly. You have to return control manually to the JVM."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Technically, the <literal>JNIEnv</literal> pointer is not necessarily constant during the lifetime of your JNI module. Storing it in a global variable is therefore incorrect. Particularly if you are dealing with callbacks, you may have to store the pointer in a thread-local variable (defined with <literal>__thread</literal>). It is, however, best to avoid the complexity of calling back into Java code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Keep in mind that C/C++ and Java are different languages, despite very similar syntax for expressions. The Java memory model is much more strict than the C or C++ memory models, and native code needs more synchronization, usually using JVM facilities or POSIX threads mutexes. Integer overflow in Java is defined, but in C/C++ it is not (for the <literal>jint</literal> and <literal>jlong</literal> types)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<literal>sun.misc.Unsafe</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>sun.misc.Unsafe</literal> class is unportable and contains many functions explicitly designed to break Java memory safety (for performance and debugging). If possible, avoid using this class."
|
||||
msgstr ""
|
||||
|
|
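Review bot: the string "If necessary, you can use the Java long type to store a C pointer ... when casting between the jlong value and the pointer on the C side," ends mid-sentence, so this POT captured a truncated paragraph, and the next string ("You should not try to perform pointer arithmetic on the Java side ...") reads as its continuation. Whatever replaces this file should finish that sentence or merge the two paragraphs; otherwise the fragment is re-extracted as its own translation unit. Two smaller fixes for the same pass: "must not be serializeable or cloneable" should read "serializable", and "and not perform locking" should read "and do not perform locking".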
@ -1,228 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Interacting with the security manager"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The Java platform is largely implemented in the Java language itself. Therefore, within the same JVM, code runs which is part of the Java installation and which is trusted, but there might also be code which comes from untrusted sources and is restricted by the Java sandbox (to varying degrees). The <emphasis>security manager</emphasis> draws a line between fully trusted, partially trusted and untrusted code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The type safety and accessibility checks provided by the Java language and JVM would be sufficient to implement a sandbox. However, only some Java APIs employ such a capabilities-based approach. (The Java SE library contains many public classes with public constructors which can break any security policy, such as <literal>java.io.FileOutputStream</literal>.) Instead, critical functionality is protected by <emphasis>stack inspection</emphasis>: At a security check, the stack is walked from top (most-nested) to bottom. The security check fails if a stack frame for a method is encountered whose class lacks the permission which the security check requires."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This simple approach would not allow untrusted code (which lacks certain permissions) to call into trusted code while the latter retains trust. Such trust transitions are desirable because they enable Java as an implementation language for most parts of the Java platform, including security-relevant code. Therefore, there is a mechanism to mark certain stack frames as trusted (<xref linkend=\"sect-Defensive_Coding-Java-SecurityManager-Privileged\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In theory, it is possible to run a Java virtual machine with a security manager that acts very differently from this approach, but a lot of code expects behavior very close to the platform default (including many classes which are part of the OpenJDK implementation)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Security manager compatibility"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "A lot of code can run without any additional permissions at all, with little changes. The following guidelines should help to increase compatibility with a restrictive security manager."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When retrieving system properties using <function>System.getProperty(String)</function> or similar methods, catch <literal>SecurityException</literal> exceptions and treat the property as unset."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Avoid unnecessary file system or network access."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Avoid explicit class loading. Access to a suitable class loader might not be available when executing as untrusted code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the functionality you are implementing absolutely requires privileged access and this functionality has to be used from untrusted code (hopefully in a restricted and secure manner), see <xref linkend=\"sect-Defensive_Coding-Java-SecurityManager-Privileged\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Activating the security manager"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The usual command to launch a Java application, <command>java</command>, does not activate the security manager. Therefore, the virtual machine does not enforce any sandboxing restrictions, even if explicitly requested by the code (for example, as described in <xref linkend=\"sect-Defensive_Coding-Java-SecurityManager-Unprivileged\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <option>-Djava.security.manager</option> option activates the security manager, with the fairly restrictive default policy. With a very permissive policy, most Java code will run unchanged. Assuming the policy in <xref linkend=\"ex-Defensive_Coding-Java-SecurityManager-GrantAll\" /> has been saved in a file <filename>grant-all.policy</filename>, this policy can be activated using the option <option>-Djava.security.policy=grant-all.policy</option> (in addition to the <option>-Djava.security.manager</option> option)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Most permissve OpenJDK policy file"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"grant {\n"
|
||||
" permission java.security.AllPermission;\n"
|
||||
"};\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "With this most permissive policy, the security manager is still active, and explicit requests to drop privileges will be honored."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Reducing trust in code"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-Java-SecurityManager-Unprivileged\" /> shows how to run a piece code of with reduced privileges."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using the security manager to run code with reduced privileges"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The example above does not add any additional permissions to the <literal>permissions</literal> object. If such permissions are necessary, code like the following (which grants read permission on all files in the current directory) can be used:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Calls to the <function>java.security.AccessController.doPrivileged()</function> methods do not enforce any additional restriction if no security manager has been set. Except for a few special exceptions, the restrictions no longer apply if the <function>doPrivileged()</function> has returned, even to objects created by the code which ran with reduced privileges. (This applies to object finalization in particular.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The example code above does not prevent the called code from calling the <function>java.security.AccessController.doPrivileged()</function> methods. This mechanism should be considered an additional safety net, but it still can be used to prevent unexpected behavior of trusted code. As long as the executed code is not dynamic and came with the original application or library, the sandbox is fairly effective."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>context</literal> argument in <xref linkend=\"ex-Defensive_Coding-Java-SecurityManager-Unprivileged\" /> is extremely important—otherwise, this code would increase privileges instead of reducing them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For activating the security manager, see <xref linkend=\"sect-Defensive_Coding-Java-SecurityManager-Activate\" />. Unfortunately, this affects the virtual machine as a whole, so it is not possible to do this from a library."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Re-gaining privileges"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Ordinarily, when trusted code is called from untrusted code, it loses its privileges (because of the untrusted stack frames visible to stack inspection). The <function>java.security.AccessController.doPrivileged()</function> family of methods provides a controlled backdoor from untrusted to trusted code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "By design, this feature can undermine the Java security model and the sandbox. It has to be used very carefully. Most sandbox vulnerabilities can be traced back to its misuse."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In essence, the <function>doPrivileged()</function> methods cause the stack inspection to end at their call site. Untrusted code further down the call stack becomes invisible to security checks."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following operations are common and safe to perform with elevated privileges."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Reading custom system properties with fixed names, especially if the value is not propagated to untrusted code. (File system paths including installation paths, host names and user names are sometimes considered private information and need to be protected.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Reading from the file system at fixed paths, either determined at compile time or by a system property. Again, leaking the file contents to the caller can be problematic."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Accessing network resources under a fixed address, name or URL, derived from a system property or configuration file, information leaks not withstanding."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-Java-SecurityManager-Privileged\" /> shows how to request additional privileges."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using the security manager to run code with increased privileges"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Obviously, this only works if the class containing the call to <function>doPrivileged()</function> is marked trusted (usually because it is loaded from a trusted class loader)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When writing code that runs with elevated privileges, make sure that you follow the rules below."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Make the privileged code as small as possible. Perform as many computations as possible before and after the privileged code section, even if it means that you have to define a new class to pass the data around."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Make sure that you either control the inputs to the privileged code, or that the inputs are harmless and cannot affect security properties of the privileged code."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Data that is returned from or written by the privileged code must either be restricted (that is, it cannot be accessed by untrusted code), or must be harmless. Otherwise, privacy leaks or information disclosures which affect security properties can be the result."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the code calls back into untrusted code at a later stage (or performs other actions under control from the untrusted caller), you must obtain the original security context and restore it before performing the callback, as in <xref linkend=\"ex-Defensive_Coding-Java-SecurityManager-Callback\" />. (In this example, it would be much better to move the callback invocation out of the privileged code section, of course.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Restoring privileges when invoking callbacks"
|
||||
msgstr ""
|
||||
|
|
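Review bot: two garbled strings in this file should be corrected at the source if the text was migrated rather than dropped: "Most permissve OpenJDK policy file" (permissive) and "shows how to run a piece code of with reduced privileges" (a piece of code with). The sentence "the restrictions no longer apply if the doPrivileged() has returned, even to objects created by the code which ran with reduced privileges" is the security-relevant caveat of this section and should stay adjacent to the reduced-privilege example in the replacement, since nothing in the example itself enforces it.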
@ -1,14 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"InputStream in = new BufferedInputStream(new FileInputStream(path));\n"
|
||||
"try {\n"
|
||||
" readFile(in);\n"
|
||||
"} finally {\n"
|
||||
" in.close();\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,50 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"JNIEXPORT jint JNICALL Java_sum\n"
|
||||
" (JNIEnv *jEnv, jclass clazz, jbyteArray buffer, jint offset, jint length)\n"
|
||||
"{\n"
|
||||
" assert(sizeof(jint) == sizeof(unsigned));\n"
|
||||
" if (offset < 0 || length < 0) {\n"
|
||||
" (*jEnv)->ThrowNew(jEnv, arrayIndexOutOfBoundsExceptionClass,\n"
|
||||
" \"negative offset/length\");\n"
|
||||
" return 0;\n"
|
||||
" }\n"
|
||||
" unsigned uoffset = offset;\n"
|
||||
" unsigned ulength = length;\n"
|
||||
" // This cannot overflow because of the check above.\n"
|
||||
" unsigned totallength = uoffset + ulength;\n"
|
||||
" unsigned actuallength = (*jEnv)->GetArrayLength(jEnv, buffer);\n"
|
||||
" if (totallength > actuallength) {\n"
|
||||
" (*jEnv)->ThrowNew(jEnv, arrayIndexOutOfBoundsExceptionClass,\n"
|
||||
" \"offset + length too large\");\n"
|
||||
" return 0;\n"
|
||||
" }\n"
|
||||
" unsigned char *ptr = (*jEnv)->GetPrimitiveArrayCritical(jEnv, buffer, 0);\n"
|
||||
" if (ptr == NULL) {\n"
|
||||
" return 0;\n"
|
||||
" }\n"
|
||||
" unsigned long long sum = 0;\n"
|
||||
" for (unsigned char *p = ptr + uoffset, *end = p + ulength; p != end; ++p) {\n"
|
||||
" sum += *p;\n"
|
||||
" }\n"
|
||||
" (*jEnv)->ReleasePrimitiveArrayCritical(jEnv, buffer, ptr, 0);\n"
|
||||
" return sum;\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
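Review bot: Java_sum accumulates into "unsigned long long sum" but the function returns jint, so "return sum;" silently truncates for large inputs (a 2^31-1 element array of 0xFF bytes overflows jint); return jlong or state the wrap-around in the accompanying text. arrayIndexOutOfBoundsExceptionClass is used on both error paths but never obtained in the snippet, so the example is not self-contained as shown. The "assert(sizeof(jint) == sizeof(unsigned))" checks a compile-time property at run time; a static assertion fits better. The bounds logic is sound: after rejecting negative values, "uoffset + ulength" is at most 2*(2^31-1), which fits in unsigned, and returning 0 after a NULL from GetPrimitiveArrayCritical is correct because an exception is already pending.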
@ -1,53 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"static byte[] readBytes(InputStream in, int length) throws IOException {\n"
|
||||
" final int startSize = 65536;\n"
|
||||
" byte[] b = new byte[Math.min(length, startSize)];\n"
|
||||
" int filled = 0;\n"
|
||||
" while (true) {\n"
|
||||
" int remaining = b.length - filled;\n"
|
||||
" readFully(in, b, filled, remaining);\n"
|
||||
" if (b.length == length) {\n"
|
||||
" break;\n"
|
||||
" }\n"
|
||||
" filled = b.length;\n"
|
||||
" if (length - b.length <= b.length) {\n"
|
||||
" // Allocate final length. Condition avoids overflow.\n"
|
||||
" b = Arrays.copyOf(b, length);\n"
|
||||
" } else {\n"
|
||||
" b = Arrays.copyOf(b, b.length * 2);\n"
|
||||
" }\n"
|
||||
" }\n"
|
||||
" return b;\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"static void readFully(InputStream in,byte[] b, int off, int len)\n"
|
||||
" throws IOException {\n"
|
||||
" int startlen = len;\n"
|
||||
" while (len > 0) {\n"
|
||||
" int count = in.read(b, off, len);\n"
|
||||
" if (count < 0) {\n"
|
||||
" throw new EOFException();\n"
|
||||
" }\n"
|
||||
" off += count;\n"
|
||||
" len -= count;\n"
|
||||
" }\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
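Review bot: readBytes never rejects a negative length; "new byte[Math.min(length, startSize)]" then throws NegativeArraySizeException, an unchecked exception that a caller of an I/O helper is unlikely to handle (the exception guidance earlier in this diff is explicit that run-time exceptions are to be avoided by the programmer, not caught). An explicit "if (length < 0) throw new IllegalArgumentException(...)" at the top makes the contract visible. "int startlen = len;" in readFully is assigned and never used. The growth logic is correct as written: "b.length * 2" is only reached when "length - b.length > b.length", i.e. 2 * b.length < length <= Integer.MAX_VALUE, so the doubling cannot overflow, and the final resize goes through Arrays.copyOf(b, length).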
@ -1,54 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"interface Callback<T> {\n"
|
||||
" T call(boolean flag);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"class CallbackInvoker<T> {\n"
|
||||
" private final AccessControlContext context;\n"
|
||||
" Callback<T> callback;\n"
|
||||
"\n"
|
||||
" CallbackInvoker(Callback<T> callback) {\n"
|
||||
" context = AccessController.getContext();\n"
|
||||
" this.callback = callback;\n"
|
||||
" }\n"
|
||||
"\n"
|
||||
" public T invoke() {\n"
|
||||
" // Obtain increased privileges.\n"
|
||||
" return AccessController.doPrivileged(new PrivilegedAction<T>() {\n"
|
||||
" @Override\n"
|
||||
" public T run() {\n"
|
||||
" // This operation would fail without\n"
|
||||
" // additional privileges.\n"
|
||||
" final boolean flag = Boolean.getBoolean(\"some.property\");\n"
|
||||
"\n"
|
||||
" // Restore the original privileges.\n"
|
||||
" return AccessController.doPrivileged(\n"
|
||||
" new PrivilegedAction<T>() {\n"
|
||||
" @Override\n"
|
||||
" public T run() {\n"
|
||||
" return callback.call(flag);\n"
|
||||
" }\n"
|
||||
" }, context);\n"
|
||||
" }\n"
|
||||
" });\n"
|
||||
" }\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
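Review bot: in CallbackInvoker, context is "private final" but callback is package-private and mutable. The captured AccessControlContext is meant to correspond to the code that supplied the callback; if anything in the package reassigns callback after construction, the context restored by the inner doPrivileged no longer matches the code that actually runs, and that code executes under the constructor caller's (possibly greater) privileges. Declare it "private final Callback<T> callback;". The nesting itself is right: the outer doPrivileged elevates only for Boolean.getBoolean("some.property"), and the inner doPrivileged(..., context) clamps the callback back to the captured context before it runs.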
@ -1,22 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"permissions.add(new FilePermission(\n"
|
||||
" System.getProperty(\"user.dir\") + \"/-\", \"read\"));\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
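Review bot: System.getProperty("user.dir") is itself a permission-checked call, and the compatibility guidance in this same diff says to expect SecurityException from it under a restrictive manager. If this snippet is placed in code that is not fully trusted (or inside the reduced-privilege context it is meant to configure), building the FilePermission fails before the permission is ever added; construct it while still privileged, and add the permission before the AccessControlContext is built and used.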
@ -1,33 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"// This is expected to fail.\n"
|
||||
"try {\n"
|
||||
" System.out.println(System.getProperty(\"user.home\"));\n"
|
||||
"} catch (SecurityException e) {\n"
|
||||
" e.printStackTrace(System.err);\n"
|
||||
"}\n"
|
||||
"AccessController.doPrivileged(new PrivilegedAction<Void>() {\n"
|
||||
" public Void run() {\n"
|
||||
" // This should work.\n"
|
||||
" System.out.println(System.getProperty(\"user.home\"));\n"
|
||||
" return null;\n"
|
||||
" }\n"
|
||||
" });\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
@ -1,42 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"Permissions permissions = new Permissions();\n"
|
||||
" ProtectionDomain protectionDomain =\n"
|
||||
" new ProtectionDomain(null, permissions);\n"
|
||||
" AccessControlContext context = new AccessControlContext(\n"
|
||||
" new ProtectionDomain[] { protectionDomain });\n"
|
||||
"\n"
|
||||
"// This is expected to succeed.\n"
|
||||
"try (FileInputStream in = new FileInputStream(path)) {\n"
|
||||
" System.out.format(\"FileInputStream: %s%n\", in);\n"
|
||||
"}\n"
|
||||
"\n"
|
||||
"AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {\n"
|
||||
" @Override\n"
|
||||
" public Void run() throws Exception {\n"
|
||||
" // This code runs with reduced privileges and is\n"
|
||||
" // expected to fail.\n"
|
||||
" try (FileInputStream in = new FileInputStream(path)) {\n"
|
||||
" System.out.format(\"FileInputStream: %s%n\", in);\n"
|
||||
" }\n"
|
||||
" return null;\n"
|
||||
" }\n"
|
||||
" }, context);\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
|
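Review bot: the header removed here carries POT-Creation-Date 2013-08-13 while sibling templates in this commit carry 2013-09-18, so the set was already internally inconsistent; that justifies the deletion, but check for .po files generated from these templates, since nothing in this commit touches them and they will be left orphaned once the POTs are gone.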
@ -1,23 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"try (InputStream in = new BufferedInputStream(new FileInputStream(path))) {\n"
|
||||
" readFile(in);\n"
|
||||
"}\n"
|
||||
""
|
||||
msgstr ""
|
||||
|
104
pot/Python.pot
|
@ -1,104 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The Python Programming Language"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Python provides memory safety by default, so low-level security vulnerabilities are rare and typically needs fixing the Python interpreter or standard library itself."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Other sections with Python-specific advice include:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"chap-Defensive_Coding-Tasks-Temporary_Files\" />"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"sect-Defensive_Coding-Tasks-Processes-Creation\" />"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"chap-Defensive_Coding-Tasks-Serialization\" />, in particular <xref linkend=\"sect-Defensive_Coding-Tasks-Serialization-Library\" />"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"sect-Defensive_Coding-Tasks-Cryptography-Randomness\" />"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Dangerous standard library features"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some areas of the standard library, notably the <literal>ctypes</literal> module, do not provide memory safety guarantees comparable to the rest of Python. If such functionality is used, the advice in <xref linkend=\"sect-Defensive_Coding-C-Language\" /> should be followed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Run-time compilation and code generation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following Python functions and statements related to code execution should be avoided:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>compile</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>eval</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>exec</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>execfile</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you need to parse integers or floating point values, use the <function>int</function> and <function>float</function> functions instead of <function>eval</function>. Sandboxing untrusted Python code does not work reliably."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Sandboxing"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>rexec</literal> Python module cannot safely sandbox untrusted code and should not be used. The standard CPython implementation is not suitable for sandboxing."
|
||||
msgstr ""
|
||||
|
|
@ -1,104 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "The Python Programming Language"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Python provides memory safety by default, so low-level security vulnerabilities are rare and typically needs fixing the Python interpreter or standard library itself."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Other sections with Python-specific advice include:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"chap-Defensive_Coding-Tasks-Temporary_Files\" />"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"sect-Defensive_Coding-Tasks-Processes-Creation\" />"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"chap-Defensive_Coding-Tasks-Serialization\" />, in particular <xref linkend=\"sect-Defensive_Coding-Tasks-Serialization-Library\" />"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"sect-Defensive_Coding-Tasks-Cryptography-Randomness\" />"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Dangerous standard library features"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some areas of the standard library, notably the <literal>ctypes</literal> module, do not provide memory safety guarantees comparable to the rest of Python. If such functionality is used, the advice in <xref linkend=\"sect-Defensive_Coding-C-Language\" /> should be followed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Run-time compilation and code generation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following Python functions and statements related to code execution should be avoided:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>compile</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>eval</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<literal>exec</literal>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>execfile</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you need to parse integers or floating point values, use the <function>int</function> and <function>float</function> functions instead of <function>eval</function>. Sandboxing untrusted Python code does not work reliably."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Sandboxing"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>rexec</literal> Python module cannot safely sandbox untrusted code and should not be used. The standard CPython implementation is not suitable for sandboxing."
|
||||
msgstr ""
|
||||
|
|
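Review bot: this hunk is the same Python.pot content as the preceding hunk, differing only in the POT-Creation-Date and PO-Revision-Date headers (2013-08-13 here, 2013-09-18 above), so two generations of one generated template had been committed; removing both is correct, and adding the template directory to .gitignore would keep regenerated files from being committed again.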
@ -1,14 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-08-13T01:54:52\n"
|
||||
"PO-Revision-Date: 2013-08-13T01:54:52\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
|
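Review bot: this template is header-only (14 lines, no msgid/msgstr entries after the header block), which is what an extractor emits for a source file with no translatable text; it confirms these files were generated output rather than hand-maintained sources, so no content is lost by deleting it.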
@ -1,64 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Revision History"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: firstname
|
||||
#, no-c-format
|
||||
msgid "Eric"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: surname
|
||||
#, no-c-format
|
||||
msgid "Christensen"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: member
|
||||
#, no-c-format
|
||||
msgid "Add a chapter which covers some Java topics."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: member
|
||||
#, no-c-format
|
||||
msgid "Deserialization: Warn about Java's java.beans.XMLDecoder."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: member
|
||||
#, no-c-format
|
||||
msgid "C: Correct the advice on array allocation (<ulink url=\"https://bugzilla.redhat.com/show_bug.cgi?id=995595\">bug 995595</ulink>)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: member
|
||||
#, no-c-format
|
||||
msgid "C: Add material on global variables."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: member
|
||||
#, no-c-format
|
||||
msgid "Added more C and C++ examples."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: member
|
||||
#, no-c-format
|
||||
msgid "TLS Client NSS: Rely on NSS 3.14 cipher suite defaults."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: member
|
||||
#, no-c-format
|
||||
msgid "Initial publication."
|
||||
msgstr ""
|
||||
|
|
@ -1,169 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Cryptography"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Primitives"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Choosing from the following cryptographic primitives is recommended:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "RSA with 2048 bit keys and OAEP"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "AES-128 in CBC mode"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "SHA-256"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "HMAC-SHA-256"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "HMAC-SHA-1"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Other cryptographic algorithms can be used if they are required for interoperability with existing software:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "RSA with key sizes larger than 1024 and legacy padding"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "AES-192"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "AES-256"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "3DES (triple DES, with two or three 56 bit keys)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "RC4 (but very, very strongly discouraged)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "SHA-1"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "HMAC-MD5"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Important"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "These primitives are difficult to use in a secure way. Custom implementation of security protocols should be avoided. For protecting confidentiality and integrity of network transmissions, TLS should be used (<xref linkend=\"chap-Defensive_Coding-TLS\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Randomness"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following facilities can be used to generate unpredictable and non-repeating values. When these functions are used without special safeguards, each individual random value should be at least 12 bytes long."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>PK11_GenerateRandom</function> in the NSS library (usable for high data rates)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>RAND_bytes</function> in the OpenSSL library (usable for high data rates)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>gnutls_rnd</function> in GNUTLS, with <literal>GNUTLS_RND_RANDOM</literal> as the first argument (usable for high data rates)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<type>java.security.SecureRandom</type> in Java (usable for high data rates)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>os.urandom</function> in Python"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Reading from the <filename>/dev/urandom</filename> character device"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "All these functions should be non-blocking, and they should not wait until physical randomness becomes available. (Some cryptography providers for Java can cause <type>java.security.SecureRandom</type> to block, however.) Those functions which do not obtain all bits directly from <filename>/dev/urandom</filename> are suitable for high data rates because they do not deplete the system-wide entropy pool."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Difficult to use API"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Both <function>RAND_bytes</function> and <function>PK11_GenerateRandom</function> have three-state return values (with conflicting meanings). Careful error checking is required. Please review the documentation when using these functions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Other sources of randomness should be considered predictable."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Generating randomness for cryptographic keys in long-term use may need different steps and is best left to cryptographic libraries."
|
||||
msgstr ""
|
||||
|
|
@ -1,201 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "File Descriptor Management"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "File descriptors underlie all input/output mechanisms offered by the system. They are used to implementation the <literal>FILE *</literal>-based functions found in <literal><stdio.h></literal>, and all the file and network communication facilities provided by the Python and Java environments are eventually implemented in them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "File descriptors are small, non-negative integers in userspace, and are backed on the kernel side with complicated data structures which can sometimes grow very large."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Closing descriptors"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If a descriptor is no longer used by a program and is not closed explicitly, its number cannot be reused (which is problematic in itself, see <xref linkend=\"sect-Defensive_Coding-Tasks-Descriptors-Limit\" />), and the kernel resources are not freed. Therefore, it is important to close all descriptors at the earlierst point in time possible, but not earlier."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Error handling during descriptor close"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>close</function> system call is always successful in the sense that the passed file descriptor is never valid after the function has been called. However, <function>close</function> still can return an error, for example if there was a file system failure. But this error is not very useful because the absence of an error does not mean that all caches have been emptied and previous writes have been made durable. Programs which need such guarantees must open files with <literal>O_SYNC</literal> or use <literal>fsync</literal> or <literal>fdatasync</literal>, and may also have to <literal>fsync</literal> the directory containing the file."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Closing descriptors and race conditions"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Unlike process IDs, which are recycle only gradually, the kernel always allocates the lowest unused file descriptor when a new descriptor is created. This means that in a multi-threaded program which constantly opens and closes file descriptors, descriptors are reused very quickly. Unless descriptor closing and other operations on the same file descriptor are synchronized (typically, using a mutex), there will be race coniditons and I/O operations will be applied to the wrong file descriptor."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Sometimes, it is necessary to close a file descriptor concurrently, while another thread might be about to use it in a system call. In order to support this, a program needs to create a single special file descriptor, one on which all I/O operations fail. One way to achieve this is to use <function>socketpair</function>, close one of the descriptors, and call <literal>shutdown(fd, SHUTRDWR)</literal> on the other."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When a descriptor is closed concurrently, the program does not call <function>close</function> on the descriptor. Instead it program uses <function>dup2</function> to replace the descriptor to be closed with the dummy descriptor created earlier. This way, the kernel will not reuse the descriptor, but it will carry out all other steps associated with calling a descriptor (for instance, if the descriptor refers to a stream socket, the peer will be notified)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This is just a sketch, and many details are missing. Additional data structures are needed to determine when it is safe to really close the descriptor, and proper locking is required for that."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Lingering state after close"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "By default, closing a stream socket returns immediately, and the kernel will try to send the data in the background. This means that it is impossible to implement accurate accounting of network-related resource utilization from userspace."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>SO_LINGER</literal> socket option alters the behavior of <function>close</function>, so that it will return only after the lingering data has been processed, either by sending it to the peer successfully, or by discarding it after the configured timeout. However, there is no interface which could perform this operation in the background, so a separate userspace thread is needed for each <function>close</function> call, causing scalability issues."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Currently, there is no application-level countermeasure which applies universally. Mitigation is possible with <application>iptables</application> (the <literal>connlimit</literal> match type in particular) and specialized filtering devices for denial-of-service network traffic."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "These problems are not related to the <literal>TIME_WAIT</literal> state commonly seen in <application>netstat</application> output. The kernel automatically expires such sockets if necessary."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Preventing file descriptor leaks to child processes"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Child processes created with <function>fork</function> share the initial set of file descriptors with their parent process. By default, file descriptors are also preserved if a new process image is created with <function>execve</function> (or any of the other functions such as <function>system</function> or <function>posix_spawn</function>)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Usually, this behavior is not desirable. There are two ways to turn it off, that is, to prevent new process images from inheriting the file descriptors in the parent process:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Set the close-on-exec flag on all newly created file descriptors. Traditionally, this flag is controlled by the <literal>FD_CLOEXEC</literal> flag, using <literal>F_GETFD</literal> and <literal>F_SETFD</literal> operations of the <function>fcntl</function> function."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "However, in a multi-threaded process, there is a race condition: a subprocess could have been created between the time the descriptor was created and the <literal>FD_CLOEXEC</literal> was set. Therefore, many system calls which create descriptors (such as <function>open</function> and <function>openat</function>) now accept the <function>O_CLOEXEC</function> flag (<function>SOCK_CLOEXEC</function> for <function>socket</function> and <function>socketpair</function>), which cause the <literal>FD_CLOEXEC</literal> flag to be set for the file descriptor in an atomic fashion. In addition, a few new systems calls were introduced, such as <function>pipe2</function> and <function>dup3</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The downside of this approach is that every descriptor needs to receive special treatment at the time of creation, otherwise it is not completely effective."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After calling <function>fork</function>, but before creating a new process image with <function>execve</function>, all file descriptors which the child process will not need are closed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Traditionally, this was implemented as a loop over file descriptors ranging from <literal>3</literal> to <literal>255</literal> and later <literal>1023</literal>. But this is only an approximatio because it is possible to create file descriptors outside this range easily (see <xref linkend=\"sect-Defensive_Coding-Tasks-Descriptors-Limit\" />). Another approach reads <filename>/proc/self/fd</filename> and closes the unexpected descriptors listed there, but this approach is much slower."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "At present, environments which care about file descriptor leakage implement the second approach. OpenJDK 6 and 7 are among them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Dealing with the <function>select</function> limit"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "By default, a user is allowed to open only 1024 files in a single process, but the system administrator can easily change this limit (which is necessary for busy network servers). However, there is another restriction which is more difficult to overcome."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>select</function> function only supports a maximum of <literal>FD_SETSIZE</literal> file descriptors (that is, the maximum permitted value for a file descriptor is <literal>FD_SETSIZE - 1</literal>, usually 1023.) If a process opens many files, descriptors may exceed such limits. It is impossible to query such descriptors using <function>select</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If a library which creates many file descriptors is used in the same process as a library which uses <function>select</function>, at least one of them needs to be changed. Calls to <function>select</function> can be replaced with calls to <function>poll</function> or another event handling mechanism. Replacing the <function>select</function> function is the recommended approach."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Alternatively, the library with high descriptor usage can relocate descriptors above the <literal>FD_SETSIZE</literal> limit using the following procedure."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Create the file descriptor <literal>fd</literal> as usual, preferably with the <literal>O_CLOEXEC</literal> flag."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Before doing anything else with the descriptor <literal>fd</literal>, invoke:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
" int newfd = fcntl(fd, F_DUPFD_CLOEXEC, (long)FD_SETSIZE);\n"
|
||||
" "
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Check that <literal>newfd</literal> result is non-negative, otherwise close <literal>fd</literal> and report an error, and return."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Close <literal>fd</literal> and continue to use <literal>newfd</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The new descriptor has been allocated above the <literal>FD_SETSIZE</literal>. Even though this algorithm is racy in the sense that the <literal>FD_SETSIZE</literal> first descriptors could fill up, a very high degree of physical parallelism is required before this becomes a problem."
|
||||
msgstr ""
|
||||
|
|
@ -1,224 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "File system manipulation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In this chapter, we discuss general file system manipulation, with a focus on access files and directories to which an other, potentially untrusted user has write access."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Temporary files are covered in their own chapter, <xref linkend=\"chap-Defensive_Coding-Tasks-Temporary_Files\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Working with files and directories owned by other users"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Sometimes, it is necessary to operate on files and directories owned by other (potentially untrusted) users. For example, a system administrator could remove the home directory of a user, or a package manager could update a file in a directory which is owned by an application-specific user. This differs from accessing the file system as a specific user; see <xref linkend=\"sect-Defensive_Coding-Tasks-File_System-Foreign\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Accessing files across trust boundaries faces several challenges, particularly if an entire directory tree is being traversed:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Another user might add file names to a writable directory at any time. This can interfere with file creation and the order of names returned by <function>readdir</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Merely opening and closing a file can have side effects. For instance, an automounter can be triggered, or a tape device rewound. Opening a file on a local file system can block indefinitely, due to mandatory file locking, unless the <literal>O_NONBLOCK</literal> flag is specified."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Hard links and symbolic links can redirect the effect of file system operations in unexpected ways. The <literal>O_NOFOLLOW</literal> and <literal>AT_SYMLINK_NOFOLLOW</literal> variants of system calls only affected final path name component."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The structure of a directory tree can change. For example, the parent directory of what used to be a subdirectory within the directory tree being processed could suddenly point outside that directory tree."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Files should always be created with the <literal>O_CREAT</literal> and <literal>O_EXCL</literal> flags, so that creating the file will fail if it already exists. This guards against the unexpected appearance of file names, either due to creation of a new file, or hard-linking of an existing file. In multi-threaded programs, rather than manipulating the umask, create the files with mode <literal>000</literal> if possible, and adjust it afterwards with <function>fchmod</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To avoid issues related to symbolic links and directory tree restructuring, the “<literal>at</literal>” variants of system calls have to be used (that is, functions like <function>openat</function>, <function>fchownat</function>, <function>fchmodat</function>, and <function>unlinkat</function>, together with <literal>O_NOFOLLOW</literal> or <literal>AT_SYMLINK_NOFOLLOW</literal>). Path names passed to these functions must have just a single component (that is, without a slash). When descending, the descriptors of parent directories must be kept open. The missing <literal>opendirat</literal> function can be emulated with <literal>openat</literal> (with an <literal>O_DIRECTORY</literal> flag, to avoid opening special files with side effects), followed by <literal>fdopendir</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the “<literal>at</literal>” functions are not available, it is possible to emulate them by changing the current directory. (Obviously, this only works if the process is not multi-threaded.) <function>fchdir</function> has to be used to change the current directory, and the descriptors of the parent directories have to be kept open, just as with the “<literal>at</literal>”-based approach. <literal>chdir(\"...\")</literal> is unsafe because it might ascend outside the intended directory tree."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This “<literal>at</literal>” function emulation is currently required when manipulating extended attributes. In this case, the <function>lsetxattr</function> function can be used, with a relative path name consisting of a single component. This also applies to SELinux contexts and the <function>lsetfilecon</function> function."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Currently, it is not possible to avoid opening special files <emphasis>and</emphasis> changes to files with hard links if the directory containing them is owned by an untrusted user. (Device nodes can be hard-linked, just as regular files.) <function>fchmodat</function> and <function>fchownat</function> affect files whose link count is greater than one. But opening the files, checking that the link count is one with <function>fstat</function>, and using <function>fchmod</function> and <function>fchown</function> on the file descriptor may have unwanted side effects, due to item 2 above. When creating directories, it is therefore important to change the ownership and permissions only after it has been fully created. Until that point, file names are stable, and no files with unexpected hard links can be introduced."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Similarly, when just reading a directory owned by an untrusted user, it is currently impossible to reliably avoid opening special files."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "There is no workaround against the instability of the file list returned by <function>readdir</function>. Concurrent modification of the directory can result in a list of files being returned which never actually existed on disk."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Hard links and symbolic links can be safely deleted using <function>unlinkat</function> without further checks because deletion only affects the name within the directory tree being processed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Accessing the file system as a different user"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This section deals with access to the file system as a specific user. This is different from accessing files and directories owned by a different, potentially untrusted user; see <xref linkend=\"sect-Defensive_Coding-Tasks-File_System-Foreign\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "One approach is to spawn a child process which runs under the target user and group IDs (both effective and real IDs). Note that this child process can block indefinitely, even when processing regular files only. For example, a special FUSE file system could cause the process to hang in uninterruptible sleep inside a <function>stat</function> system call."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "An existing process could change its user and group ID using <function>setfsuid</function> and <function>setfsgid</function>. (These functions are preferred over <function>seteuid</function> and <function>setegid</function> because they do not allow the impersonated user to send signals to the process.) These functions are not thread safe. In multi-threaded processes, these operations need to be performed in a single-threaded child process. Unexpected blocking may occur as well."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is not recommended to try to reimplement the kernel permission checks in user space because the required checks are complex. It is also very difficult to avoid race conditions during path name resolution."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "File system limits"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For historical reasons, there are preprocessor constants such as <literal>PATH_MAX</literal>, <literal>NAME_MAX</literal>. However, on most systems, the length of canonical path names (absolute path names with all symbolic links resolved, as returned by <function>realpath</function> or <function>canonicalize_file_name</function>) can exceed <literal>PATH_MAX</literal> bytes, and individual file name components can be longer than <literal>NAME_MAX</literal>. This is also true of the <literal>_PC_PATH_MAX</literal> and <literal>_PC_NAME_MAX</literal> values returned by <function>pathconf</function>, and the <literal>f_namemax</literal> member of <literal>struct statvfs</literal>. Therefore, these constants should not be used. This is also reason why the <function>readdir_r</function> should never be used (instead, use <function>readdir</function>)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "You should not write code in a way that assumes that there is an upper limit on the number of subdirectories of a directory, the number of regular files in a directory, or the link count of an inode."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "File system features"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Not all file systems support all features. This makes it very difficult to write general-purpose tools for copying files. For example, a copy operation intending to preserve file permissions will generally fail when copying to a FAT file system."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some file systems are case-insensitive. Most should be case-preserving, though."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Name length limits vary greatly, from eight to thousands of bytes. Path length limits differ as well. Most systems impose an upper bound on path names passed to the kernel, but using relative path names, it is possible to create and access files whose absolute path name is essentially of unbounded length."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Some file systems do not store names as fairly unrestricted byte sequences, as it has been traditionally the case on GNU systems. This means that some byte sequences (outside the POSIX safe character set) are not valid names. Conversely, names of existing files may not be representable as byte sequences, and the files are thus inaccessible on GNU systems. Some file systems perform Unicode canonicalization on file names. These file systems preserve case, but reading the name of a just-created file using <function>readdir</function> might still result in a different byte sequence."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Permissions and owners are not universally supported (and SUID/SGID bits may not be available). For example, FAT file systems assign ownership based on a mount option, and generally mark all files as executable. Any attempt to change permissions would result in an error."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Non-regular files (device nodes, FIFOs) are not generally available."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Only on some file systems, files can have holes, that is, not all of their contents is backed by disk storage."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<function>ioctl</function> support (even fairly generic functionality such as <literal>FIEMAP</literal> for discovering physical file layout and holes) is file-system-specific."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Not all file systems support extended attributes, ACLs and SELinux metadata. Size and naming restriction on extended attributes vary."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Hard links may not be supported at all (FAT) or only within the same directory (AFS). Symbolic links may not be available, either. Reflinks (hard links with copy-on-write semantics) are still very rare. Recent systems restrict creation of hard links to users which own the target file or have read/write access to it, but older systems do not."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Renaming (or moving) files using <function>rename</function> can fail (even when <function>stat</function> indicates that the source and target directories are located on the same file system). This system call should work if the old and new paths are located in the same directory, though."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Locking semantics vary among file systems. This affects advisory and mandatory locks. For example, some network file systems do not allow deleting files which are opened by any process."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Resolution of time stamps varies from two seconds to nanoseconds. Not all time stamps are available on all file systems. File creation time (<emphasis>birth time</emphasis>) is not exposed over the <function>stat</function>/<function>fstat</function> interface, even if stored by the file system."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Checking free space"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <function>statvfs</function> and <function>fstatvfs</function> functions allow programs to examine the number of available blocks and inodes, through the members <literal>f_bfree</literal>, <literal>f_bavail</literal>, <literal>f_ffree</literal>, and <literal>f_favail</literal> of <literal>struct statvfs</literal>. Some file systems return fictional values in the <literal>f_ffree</literal> and <literal>f_favail</literal> fields, so the only reliable way to discover if the file system still has space for a file is to try to create it. The <literal>f_bfree</literal> field should be reasonably accurate, though."
|
||||
msgstr ""
|
||||
|
|
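Review bot: every `msgstr` in this deleted File System template is empty (`msgstr ""` throughout), so the hunk removes no translated text, only the stale extraction template; if translation is ever resumed, the template can be regenerated from the current sources rather than restored from history. Two source strings carried over into this template have grammar defects that should be fixed wherever the text now lives: "variants of system calls only affected final path name component" (missing "the" and wrong tense) and "This is also reason why the <function>readdir_r</function> should never be used" (missing "the", stray "the" before the function name). It would also help if the commit message stated that the per-language `.po` files, if any exist, are handled separately, since this hunk touches only the `.pot`.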
@ -1,179 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Library Design"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Throught this section, the term <emphasis>client code</emphasis> refers to applications and other libraries using the library."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "State management"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Global state"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Global state should be avoided."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If this is impossible, the global state must be protected with a lock. For C/C++, you can use the <function>pthread_mutex_lock</function> and <function>pthread_mutex_unlock</function> functions without linking against <literal>-lpthread</literal> because the system provides stubs for non-threaded processes."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For compatibility with <function>fork</function>, these locks should be acquired and released in helpers registered with <function>pthread_atfork</function>. This function is not available without <literal>-lpthread</literal>, so you need to use <function>dlsym</function> or a weak symbol to obtain its address."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you need <function>fork</function> protection for other reasons, you should store the process ID and compare it to the value returned by <function>getpid</function> each time you access the global state. (<function>getpid</function> is not implemented as a system call and is fast.) If the value changes, you know that you have to re-create the state object. (This needs to be combined with locking, of course.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Handles"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Library state should be kept behind a curtain. Client code should receive only a handle. In C, the handle can be a pointer to an incomplete <literal>struct</literal>. In C++, the handle can be a pointer to an abstract base class, or it can be hidden using the pointer-to-implementation idiom."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The library should provide functions for creating and destroying handles. (In C++, it is possible to use virtual destructors for the latter.) Consistency between creation and destruction of handles is strongly recommended: If the client code created a handle, it is the responsibility of the client code to destroy it. (This is not always possible or convenient, so sometimes, a transfer of ownership has to happen.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Using handles ensures that it is possible to change the way the library represents state in a way that is transparent to client code. This is important to facilitate security updates and many other code changes."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is not always necessary to protect state behind a handle with a lock. This depends on the level of thread safety the library provides."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Object orientation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Classes should be either designed as base classes, or it should be impossible to use them as base classes (like <literal>final</literal> classes in Java). Classes which are not designed for inheritance and are used as base classes nevertheless create potential maintenance hazards because it is difficult to predict how client code will react when calls to virtual methods are added, reordered or removed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Virtual member functions can be used as callbacks. See <xref linkend=\"sect-Defensive_Coding-Tasks-Library_Design-Callbacks\" /> for some of the challenges involved."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Callbacks"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Higher-order code is difficult to analyze for humans and computers alike, so it should be avoided. Often, an iterator-based interface (a library function which is called repeatedly by client code and returns a stream of events) leads to a better design which is easier to document and use."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If callbacks are unavoidable, some guidelines for them follow."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In modern C++ code, <literal>std::function</literal> objects should be used for callbacks."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In older C++ code and in C code, all callbacks must have an additional closure parameter of type <literal>void *</literal>, the value of which can be specified by client code. If possible, the value of the closure parameter should be provided by client code at the same time a specific callback is registered (or specified as a function argument). If a single closure parameter is shared by multiple callbacks, flexibility is greatly reduced, and conflicts between different pieces of client code using the same library object could be unresolvable. In some cases, it makes sense to provide a de-registration callback which can be used to destroy the closure parameter when the callback is no longer used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Callbacks can throw exceptions or call <function>longjmp</function>. If possible, all library objects should remain in a valid state. (All further operations on them can fail, but it should be possible to deallocate them without causing resource leaks.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The presence of callbacks raises the question if functions provided by the library are <emphasis>reentrant</emphasis>. Unless a library was designed for such use, bad things will happen if a callback function uses functions in the same library (particularly if they are invoked on the same objects and manipulate the same state). When the callback is invoked, the library can be in an inconsistent state. Reentrant functions are more difficult to write than thread-safe functions (by definition, simple locking would immediately lead to deadlocks). It is also difficult to decide what to do when destruction of an object which is currently processing a callback is requested."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Process attributes"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Several attributes are global and affect all code in the process, not just the library that manipulates them."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "environment variables (see <xref linkend=\"sect-Defensive_Coding-Tasks-secure_getenv\" />)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "umask"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "user IDs, group IDs and capabilities"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "current working directory"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "signal handlers, signal masks and signal delivery"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "file locks (especially <function>fcntl</function> locks behave in surprising ways, not just in a multi-threaded environment)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Library code should avoid manipulating these global process attributes. It should not rely on environment variables, umask, the current working directory and signal masks because these attributes can be inherted from an untrusted source."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In addition, there are obvious process-wide aspects such as the virtual memory layout, the set of open files and dynamic shared objects, but with the exception of shared objects, these can be manipulated in a relatively isolated way."
|
||||
msgstr ""
|
||||
|
|
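Review bot: as with the previous file, all `msgstr` entries in this Library Design template are empty and the header still carries the placeholder "AUTHOR <EMAIL@ADDRESS>, YEAR." with a 2013-09-18 creation date, so nothing translated is lost by deleting it. Two typos in the extracted `msgid` strings ("Throught this section" and "can be inherted from an untrusted source") originate in the documentation source and should be corrected there, otherwise they will simply reappear in any regenerated template.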
@ -1,14 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
|
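Review bot: this 14-line template consists of the header block alone, with no `msgid`/`msgstr` entries after it, so it was generated from an empty or comment-only source file and its removal has no effect on translations; deleting it is the right call, and it suggests the generator was emitting templates for files with no translatable content, which is worth checking if templates are regenerated later.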
@ -1,381 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Processes"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Safe process creation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This section describes how to create new child processes in a safe manner. In addition to the concerns addressed below, there is the possibility of file descriptor leaks, see <xref linkend=\"sect-Defensive_Coding-Tasks-Descriptors-Child_Processes\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Obtaining the program path and the command line template"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The name and path to the program being invoked should be hard-coded or controlled by a static configuration file stored at a fixed location (at an file system absolute path). The same applies to the template for generating the command line."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The configured program name should be an absolute path. If it is a relative path, the contents of the <envar>PATH</envar> must be obtained in s secure manner (see <xref linkend=\"sect-Defensive_Coding-Tasks-secure_getenv\" />). If the <envar>PATH</envar> variable is not set or untrusted, the safe default <literal>/bin:/usr/bin</literal> must be used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If too much flexibility is provided here, it may allow invocation of arbitrary programs without proper authorization."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Bypassing the shell"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Child processes should be created without involving the system shell."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For C/C++, <function>system</function> should not be used. The <function>posix_spawn</function> function can be used instead, or a combination <function>fork</function> and <function>execve</function>. (In some cases, it may be preferable to use <function>vfork</function> or the Linux-specific <function>clone</function> system call instead of <function>fork</function>.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In Python, the <literal>subprocess</literal> module bypasses the shell by default (when the <literal>shell</literal> keyword argument is not set to true). <function>os.system</function> should not be used."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The Java class <type>java.lang.ProcessBuilder</type> can be used to create subprocesses without interference from the system shell."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Portability notice"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "On Windows, there is no argument vector, only a single argument string. Each application is responsible for parsing this string into an argument vector. There is considerable variance among the quoting style recognized by applications. Some of them expand shell wildcards, others do not. Extensive application-specific testing is required to make this secure."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Note that some common applications (notably <application>ssh</application>) unconditionally introduce the use of a shell, even if invoked directly without a shell. It is difficult to use these applications in a secure manner. In this case, untrusted data should be supplied by other means. For example, standard input could be used, instead of the command line."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Specifying the process environment"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Child processes should be created with a minimal set of environment variables. This is absolutely essential if there is a trust transition involved, either when the parent process was created, or during the creation of the child process."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In C/C++, the environment should be constructed as an array of strings and passed as the <varname>envp</varname> argument to <function>posix_spawn</function> or <function>execve</function>. The functions <function>setenv</function>, <function>unsetenv</function> and <function>putenv</function> should not be used. They are not thread-safe and suffer from memory leaks."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Python programs need to specify a <literal>dict</literal> for the the <varname>env</varname> argument of the <function>subprocess.Popen</function> constructor. The Java class <literal>java.lang.ProcessBuilder</literal> provides a <function>environment()</function> method, which returns a map that can be manipulated."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following list provides guidelines for selecting the set of environment variables passed to the child process."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<envar>PATH</envar> should be initialized to <literal>/bin:/usr/bin</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<envar>USER</envar> and <envar>HOME</envar> can be inhereted from the parent process environment, or they can be initialized from the <literal>pwent</literal> structure for the user."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <envar>DISPLAY</envar> and <envar>XAUTHORITY</envar> variables should be passed to the subprocess if it is an X program. Note that this will typically not work across trust boundaries because <envar>XAUTHORITY</envar> refers to a file with <literal>0600</literal> permissions."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The location-related environment variables <envar>LANG</envar>, <envar>LANGUAGE</envar>, <envar>LC_ADDRESS</envar>, <envar>LC_ALL</envar>, <envar>LC_COLLATE</envar>, <envar>LC_CTYPE</envar>, <envar>LC_IDENTIFICATION</envar>, <envar>LC_MEASUREMENT</envar>, <envar>LC_MESSAGES</envar>, <envar>LC_MONETARY</envar>, <envar>LC_NAME</envar>, <envar>LC_NUMERIC</envar>, <envar>LC_PAPER</envar>, <envar>LC_TELEPHONE</envar> and <envar>LC_TIME</envar> can be passed to the subprocess if present."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The called process may need application-specific environment variables, for example for passing passwords. (See <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-Command_Line_Visibility\" />.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "All other environment variables should be dropped. Names for new environment variables should not be accepted from untrusted sources."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Robust argument list processing"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When invoking a program, it is sometimes necessary to include data from untrusted sources. Such data should be check against embedded <literal>NUL</literal> characters because the system APIs will sliently truncate argument strings at the first <literal>NUL</literal> character."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following recommendations assume that the program being invoked uses GNU-style option processing using <function>getopt_long</function>. This convention is widely used, but it is just that, and individual programs might interpret a command line in a different way."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the untrusted data has to go into an option, use the <literal>--option-name=VALUE</literal> syntax, placing the option and its value into the same command line argument. This avoids any potential confusion if the data starts with <literal>-</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For positional arguments, terminate the option list with a single <option>--</option> marker after the last option, and include the data at the right position. The <option>--</option> marker terminates option processing, and the data will not be treated as an option even if it starts with a dash."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Passing secrets to subprocesses"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The command line (the name of the program and its argument) of a running process is traditionally available to all local users. The called program can overwrite this information, but only after it has run for a bit of time, during which the information may have been read by other processes. However, on Linux, the process environment is restricted to the user who runs the process. Therefore, if you need a convenient way to pass a password to a child process, use an environment variable, and not a command line argument. (See <xref linkend=\"sect-Defensive_Coding-Tasks-Processes-environ\" />.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "On some UNIX-like systems (notably Solaris), environment variables can be read by any system user, just like command lines."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If the environment-based approach cannot be used due to portability concerns, the data can be passed on standard input. Some programs (notably <application>gpg</application>) use special file descriptors whose numbers are specified on the command line. Temporary files are an option as well, but they might give digital forensics access to sensitive data (such as passphrases) because it is difficult to safely delete them in all cases."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Handling child process termination"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When child processes terminate, the parent process is signalled. A stub of the terminated processes (a <emphasis>zombie</emphasis>, shown as <literal><defunct></literal> by <application>ps</application>) is kept around until the status information is collected (<emphasis>reaped</emphasis>) by the parent process. Over the years, several interfaces for this have been invented:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The parent process calls <function>wait</function>, <function>waitpid</function>, <function>waitid</function>, <function>wait3</function> or <function>wait4</function>, without specifying a process ID. This will deliver any matching process ID. This approach is typically used from within event loops."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The parent process calls <function>waitpid</function>, <function>waitid</function>, or <function>wait4</function>, with a specific process ID. Only data for the specific process ID is returned. This is typically used in code which spawns a single subprocess in a synchronous manner."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The parent process installs a handler for the <literal>SIGCHLD</literal> signal, using <function>sigaction</function>, and specifies to the <literal>SA_NOCLDWAIT</literal> flag. This approach could be used by event loops as well."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "None of these approaches can be used to wait for child process terminated in a completely thread-safe manner. The parent process might execute an event loop in another thread, which could pick up the termination signal. This means that libraries typically cannot make free use of child processes (for example, to run problematic code with reduced privileges in a separate address space)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "At the moment, the parent process should explicitly wait for termination of the child process using <function>waitpid</function> or <function>waitpid</function>, and hope that the status is not collected by an event loop first."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<literal>SUID</literal>/<literal>SGID</literal> processes"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Programs can be marked in the file system to indicate to the kernel that a trust transition should happen if the program is run. The <literal>SUID</literal> file permission bit indicates that an executable should run with the effective user ID equal to the owner of the executable file. Similarly, with the <literal>SGID</literal> bit, the effective group ID is set to the group of the executable file."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Linux supports <emphasis>fscaps</emphasis>, which can grant additional capabilities to a process in a finer-grained manner. Additional mechanisms can be provided by loadable security modules."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When such a trust transition has happened, the process runs in a potentially hostile environment. Additional care is necessary not to rely on any untrusted information. These concerns also apply to libraries which can be linked into such processes."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Accessing environment variables"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following steps are required so that a program does not accidentally pick up untrusted data from environment variables."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Compile your C/C++ sources with <literal>-D_GNU_SOURCE</literal>. The Autoconf macro <literal>AC_GNU_SOURCE</literal> ensures this."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Check for the presence of the <function>secure_getenv</function> and <function>__secure_getenv</function> function. The Autoconf directive <literal>AC_CHECK_FUNCS([__secure_getenv secure_getenv])</literal> performs these checks."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Arrange for a proper definition of the <function>secure_getenv</function> function. See <xref linkend=\"ex-Defensive_Coding-Tasks-secure_getenv\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Use <function>secure_getenv</function> instead of <function>getenv</function> to obtain the value of critical environment variables. <function>secure_getenv</function> will pretend the variable has not bee set if the process environment is not trusted."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Critical environment variables are debugging flags, configuration file locations, plug-in and log file locations, and anything else that might be used to bypass security restrictions or cause a privileged process to behave in an unexpected way."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Either the <function>secure_getenv</function> function or the <function>__secure_getenv</function> is available from GNU libc."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Obtaining a definition for <function>secure_getenv</function>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"\n"
|
||||
"#include <stdlib.h>\n"
|
||||
"\n"
|
||||
"#ifndef HAVE_SECURE_GETENV\n"
|
||||
"# ifdef HAVE__SECURE_GETENV\n"
|
||||
"# define secure_getenv __secure_getenv\n"
|
||||
"# else\n"
|
||||
"# error neither secure_getenv nor __secure_getenv are available\n"
|
||||
"# endif\n"
|
||||
"#endif\n"
|
||||
"\n"
|
||||
" "
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Daemons"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Background processes providing system services (<emphasis>daemons</emphasis>) need to decouple themselves from the controlling terminal and the parent process environment:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Fork."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In the child process, call <function>setsid</function>. The parent process can simply exit (using <function>_exit</function>, to avoid running clean-up actions twice)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In the child process, fork again. Processing continues in the child process. Again, the parent process should just exit."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Replace the descriptors 0, 1, 2 with a descriptor for <filename>/dev/null</filename>. Logging should be redirected to <application>syslog</application>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Older instructions for creating daemon processes recommended a call to <literal>umask(0)</literal>. This is risky because it often leads to world-writable files and directories, resulting in security vulnerabilities such as arbitrary process termination by untrusted local users, or log file truncation. If the <emphasis>umask</emphasis> needs setting, a restrictive value such as <literal>027</literal> or <literal>077</literal> is recommended."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Other aspects of the process environment may have to changed as well (environment variables, signal handler disposition)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is increasingly common that server processes do not run as background processes, but as regular foreground process under a supervising master process (such as <application>systemd</application>). Server processes should offer a command line option which disables forking and replacement of the standard output and standard error streams. Such an option is also useful for debugging."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Semantics of command line arguments"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "After process creation and option processing, it is up to the child process to interpret the arguments. Arguments can be file names, host names, or URLs, and many other things. URLs can refer to the local network, some server on the Internet, or to the local file system. Some applications even accept arbitrary code in arguments (for example, <application>python</application> with the <option>-c</option> option)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Similar concerns apply to environment variables, the contents of the current directory and its subdirectories."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Consequently, careful analysis is required if it is safe to pass untrusted data to another program."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "<function>fork</function> as a primitive for parallelism"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "A call to <function>fork</function> which is not immediately followed by a call to <function>execve</function> (perhaps after rearranging and closing file descriptors) is typically unsafe, especially from a library which does not control the state of the entire process. Such use of <function>fork</function> should be replaced with proper child processes or threads."
|
||||
msgstr ""
|
||||
|
|
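Review bot: The Processes-chapter messages deleted here carry wording defects that were extracted verbatim from the documentation source, so dropping the POT alone does not fix them: the paragraph on collecting child status says `using <function>waitpid</function> or <function>waitpid</function>` (the same function twice), the `SIGCHLD` item reads "specifies to the `SA_NOCLDWAIT` flag", the thread-safety paragraph says "wait for child process terminated in a completely thread-safe manner", the `secure_getenv` item has "has not bee set", and the daemon section has "may have to changed". Confirm the current source these templates are regenerated from has these corrected, otherwise the same msgids will reappear in the regenerated POT.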
@ -1,421 +0,0 @@
|
|||
#
|
||||
# AUTHOR <EMAIL@ADDRESS>, YEAR.
|
||||
#
|
||||
msgid ""
|
||||
msgstr ""
|
||||
"Project-Id-Version: 0\n"
|
||||
"POT-Creation-Date: 2013-09-18T00:49:43\n"
|
||||
"PO-Revision-Date: 2013-09-18T00:49:43\n"
|
||||
"Last-Translator: Automatically generated\n"
|
||||
"Language-Team: None\n"
|
||||
"MIME-Version: 1.0\n"
|
||||
"Content-Type: application/x-publican; charset=UTF-8\n"
|
||||
"Content-Transfer-Encoding: 8bit\n"
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Serialization and Deserialization"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Protocol decoders and file format parsers are often the most-exposed part of an application because they are exposed with little or no user interaction and before any authentication and security checks are made. They are also difficult to write robustly in languages which are not memory-safe."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Recommendations for manually written decoders"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For C and C++, the advice in <xref linkend=\"sect-Defensive_Coding-C-Pointers\" /> applies. In addition, avoid non-character pointers directly into input buffers. Pointer misalignment causes crashes on some architectures."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When reading variable-sized objects, do not allocate large amounts of data solely based on the value of a size field. If possible, grow the data structure as more data is read from the source, and stop when no data is available. This helps to avoid denial-of-service attacks where little amounts of input data results in enormous memory allocations during decoding. Alternatively, you can impose reasonable bounds on memory allocations, but some protocols do not permit this."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Protocol design"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Binary formats with explicit length fields are more difficult to parse robustly than those where the length of dynamically-sized elements is derived from sentinel values. A protocol which does not use length fields and can be written in printable ASCII characters simplifies testing and debugging. However, binary protocols with length fields may be more efficient to parse."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Library support for deserialization"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For some languages, generic libraries are available which allow to serialize and deserialize user-defined objects. The deserialization part comes in one of two flavors, depending on the library. The first kind uses type information in the data stream to control which objects are instantiated. The second kind uses type definitions supplied by the programmer. The first one allows arbitrary object instantiation, the second one generally does not."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The following serialization frameworks are in the first category, are known to be unsafe, and must not be used for untrusted data:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Python's <package>pickle</package> and <package>cPickle</package> modules, and wrappers such as <package>shelve</package>"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Perl's <package>Storable</package> package"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Java serialization (<type>java.io.ObjectInputStream</type>), even if encoded in other formats (as with <type>java.beans.XMLDecoder</type>)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "PHP serialization (<function>unserialize</function>)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Most implementations of YAML"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When using a type-directed deserialization format where the types of the deserialized objects are specified by the programmer, make sure that the objects which can be instantiated cannot perform any destructive actions in their destructors, even when the data members have been manipulated."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In general, JSON decoders do not suffer from this problem. But you must not use the <function>eval</function> function to parse JSON objects in Javascript; even with the regular expression filter from RFC 4627, there are still information leaks remaining. JSON-based formats can still turn out risky if they serve as an encoding form for any if the serialization frameworks listed above."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "XML serialization"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "External references"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "XML documents can contain external references. They can occur in various places."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In the DTD declaration in the header of an XML document:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"<!DOCTYPE html PUBLIC\n"
|
||||
" \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n"
|
||||
" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n"
|
||||
" "
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In a namespace declaration:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"<xsd:schema xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">\n"
|
||||
" "
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In an entity defintion:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"<!ENTITY sys SYSTEM \"http://www.example.com/ent.xml\">\n"
|
||||
"<!ENTITY pub PUBLIC \"-//Example//Public Entity//EN\"\n"
|
||||
" \"http://www.example.com/pub-ent.xml\">\n"
|
||||
" "
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In a notation:"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: programlisting
|
||||
#, no-c-format
|
||||
msgid "\n"
|
||||
"<!NOTATION not SYSTEM \"../not.xml\">\n"
|
||||
" "
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Originally, these external references were intended as unique identifiers, but by many XML implementations, they are used for locating the data for the referenced element. This causes unwanted network traffic, and may disclose file system contents or otherwise unreachable network resources, so this functionality should be disabled."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Depending on the XML library, external referenced might be processed not just when parsing XML, but also when generating it."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Entity expansion"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When external DTD processing is disabled, an internal DTD subset can still contain entity definitions. Entity declarations can reference other entities. Some XML libraries expand entities automatically, and this processing cannot be switched off in some places (such as attribute values or content models). Without limits on the entity nesting level, this expansion results in data which can grow exponentially in length with size of the input. (If there is a limit on the nesting level, the growth is still polynomial, unless further limits are imposed.)"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Consequently, the processing internal DTD subsets should be disabled if possible, and only trusted DTDs should be processed. If a particular XML application does not permit such restrictions, then application-specific limits are called for."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "XInclude processing"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "XInclude processing can reference file and network resources and include them into the document, much like external entity references. When parsing untrusted XML documents, XInclude processing should be truned off."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "XInclude processing is also fairly complex and may pull in support for the XPointer and XPath specifications, considerably increasing the amount of code required for XML processing."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Algorithmic complexity of XML validation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "DTD-based XML validation uses regular expressions for content models. The XML specification requires that content models are deterministic, which means that efficient validation is possible. However, some implementations do not enforce determinism, and require exponential (or just polynomial) amount of space or time for validating some DTD/document combinations."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "XML schemas and RELAX NG (via the <literal>xsd:</literal> prefix) directly support textual regular expressions which are not required to be deterministic."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using Expat for XML parsing"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "By default, Expat does not try to resolve external IDs, so no steps are required to block them. However, internal entity declarations are processed. Installing a callback which stops parsing as soon as such entities are encountered disables them, see <xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-Expat-EntityDeclHandler\" />. Expat does not perform any validation, so there are no problems related to that."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Disabling XML entity processing with Expat"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This handler must be installed when the <literal>XML_Parser</literal> object is created (<xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-Expat-Create\" />)."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Creating an Expat XML parser"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "It is also possible to reject internal DTD subsets altogeher, using a suitable <literal>XML_StartDoctypeDeclHandler</literal> handler installed with <function>XML_SetDoctypeDeclHandler</function>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using Qt for XML parsing"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The XML component of Qt, QtXml, does not resolve external IDs by default, so it is not requred to prevent such resolution. Internal entities are processed, though. To change that, a custom <literal>QXmlDeclHandler</literal> and <literal>QXmlSimpleReader</literal> subclasses are needed. It is not possible to use the <function>QDomDocument::setContent(const QByteArray &)</function> convenience methods."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-Qt-NoEntityHandler\" /> shows an entity handler which always returns errors, causing parsing to stop when encountering entity declarations."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "A QtXml entity handler which blocks entity processing"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This handler is used in the custom <literal>QXmlReader</literal> subclass in <xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-Qt-NoEntityReader\" />. Some parts of QtXml will call the <function>setDeclHandler(QXmlDeclHandler *)</function> method. Consequently, we prevent overriding our custom handler by providing a definition of this method which does nothing. In the constructor, we activate namespace processing; this part may need adjusting."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "A QtXml XML reader which blocks entity processing"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "Our <literal>NoEntityReader</literal> class can be used with one of the overloaded <function>QDomDocument::setContent</function> methods. <xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-Qt-QDomDocument\" /> shows how the <literal>buffer</literal> object (of type <literal>QByteArray</literal>) is wrapped as a <literal>QXmlInputSource</literal>. After calling the <function>setContent</function> method, you should check the return value and report any error."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Parsing an XML document with QDomDocument, without entity expansion"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Using OpenJDK for XML parsing and validation"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "OpenJDK contains facilities for DOM-based, SAX-based, and StAX-based document parsing. Documents can be validated against DTDs or XML schemas."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The approach taken to deal with entity expansion differs from the general recommendation in <xref linkend=\"sect-Defensive_Coding-Tasks-Serialization-XML-Entities\" />. We enable the the feature flag <literal>javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING</literal>, which enforces heuristic restrictions on the number of entity expansions. Note that this flag alone does not prevent resolution of external references (system IDs or public IDs), so it is slightly misnamed."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "In the following sections, we use helper classes to prevent external ID resolution."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Helper class to prevent DTD external entity resolution in OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Helper class to prevent schema resolution in OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-OpenJDK-Imports\" /> shows the imports used by the examples."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Java imports for OpenJDK XML parsing"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "DOM-based XML parsing and DTD validation in OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "This approach produces a <literal>org.w3c.dom.Document</literal> object from an input stream. <xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-OpenJDK_Parse-DOM\" /> use the data from the <literal>java.io.InputStream</literal> instance in the <literal>inputStream</literal> variable."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "DOM-based XML parsing in OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "External entity references are prohibited using the <literal>NoEntityResolver</literal> class in <xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-OpenJDK-NoEntityResolver\" />. Because external DTD references are prohibited, DTD validation (if enabled) will only happen against the internal DTD subset embedded in the XML document."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "To validate the document against an external DTD, use a <literal>javax.xml.transform.Transformer</literal> class to add the DTD reference to the document, and an entity resolver which whitelists this external reference."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "XML Schema validation in OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "<xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-OpenJDK_Parse-XMLSchema_SAX\" /> shows how to validate a document against an XML Schema, using a SAX-based approach. The XML data is read from an <literal>java.io.InputStream</literal> in the <literal>inputStream</literal> variable."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "SAX-based validation against an XML schema in OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The <literal>NoResourceResolver</literal> class is defined in <xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-OpenJDK-NoResourceResolver\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "If you need to validate a document against an XML schema, use the code in <xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-OpenJDK_Parse-DOM\" /> to create the document, but do not enable validation at this point. Then use <xref linkend=\"ex-Defensive_Coding-Tasks-Serialization-XML-OpenJDK_Parse-XMLSchema_DOM\" /> to perform the schema-based validation on the <literal>org.w3c.dom.Document</literal> instance <literal>document</literal>."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Validation of a DOM document against an XML schema in OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Other XML parsers in OpenJDK"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "OpenJDK contains additional XML parsing and processing facilities. Some of them are insecure."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "The class <type>java.beans.XMLDecoder</type> acts as a bridge between the Java object serialization format and XML. It is close to impossible to securely deserialize Java objects in this format from untrusted inputs, so its use is not recommended, as with the Java object serialization format itself. See <xref linkend=\"sect-Defensive_Coding-Tasks-Serialization-Library\" />."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: title
|
||||
#, no-c-format
|
||||
msgid "Protocol Encoders"
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "For protocol encoders, you should write bytes to a buffer which grows as needed, using an exponential sizing policy. Explicit lengths can be patched in later, once they are known. Allocating the required number of bytes upfront typically requires separate code to compute the final size, which must be kept in sync with the actual encoding step, or vulnerabilities may result. In multi-threaded code, parts of the object being deserialized might change, so that the computed size is out of date."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "You should avoid copying data directly from a received packet during encoding, disregarding the format. Propagating malformed data could enable attacks on other recipients of that data."
|
||||
msgstr ""
|
||||
|
||||
#. Tag: para
|
||||
#, no-c-format
|
||||
msgid "When using C or C++ and copying whole data structures directly into the output, make sure that you do not leak information in padding bytes between fields or at the end of the <literal>struct</literal>."
|
||||
msgstr ""
|
||||
|
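Review bot: This POT's header marks it as "Automatically generated" with a POT-Creation-Date of 2013-09-18, so deleting it is only safe if the build regenerates templates from the current sources; the msgids show the source text of that date contained typos ("entity defintion", "truned off", "altogeher", "requred", "the the feature flag", "any if the serialization frameworks", "external referenced might be processed", "the processing internal DTD subsets") and, in the Protocol Encoders paragraph, "parts of the object being deserialized might change" where the object being serialized appears to be meant. Check that those are fixed in the replacement source before regenerating, and that nothing in the translation build still references the removed files; the page truncates the diff ("Some files were not shown"), so that cannot be verified here.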
Some files were not shown because too many files have changed in this diff