I'm sorry if this mail appears three times on the wine-devel list. I've sent it twice already, but it doesn't seem to get forwarded to the wine-devel list. Is there a problem with the mailing list? Rob, could you give me a short notification if you have received those mails?
Thanks, Michael
---------- Forwarded Message ----------
Subject: Re: rsabase.dll
Date: Tuesday 27 July 2004 10:08
From: Michael Jung mjung@iss.tu-darmstadt.de
To: wine-devel@winehq.org
Cc: rob@codeweavers.com
Rob,
I think there are many reasons to favour "real handles": If a long running process is using rsabase (e.g. a webserver serving https: requests) with many temporary connections and many keys, resource leakage is an issue. Furthermore, since rsabase is a cryptographic service provider, it might be important that a key which is not referenced anymore is in fact destroyed (and the corresponding memory be nulled). I would think that otherwise you will over time accumulate a lot of keys in your address space, which is probably a security problem. Now, I'm aware that wine is not in a state today to be used for security critical applications and first rsabase implementations will probably have security issues more severe than this. However, sometime I think rsabase will have to use real handles. Why not right from the start?
I've thought about this statement again and realized that I'm wrong and that I probably misunderstood you. I realized that one doesn't need "real handles" in user mode code at all to implement correct resource management. And I think I understand that one does need them in the kernel (aka wineserver) for objects, which are accessed from multiple threads.
However, there are some instances of "real handle" implementations outside wineserver in wine (e.g. dlls/msi/handle.c). Do you (or anybody else on the mailing list) know what for? Some things which I could imagine would still be easier to implement correctly with "real handles" are the INVALID_HANDLE_VALUE value, checking that a thread does not access a resource via an already released handle, and in general checking in a precise manner if a handle value is valid (which, as I understand it, is often done in wine with a magic value at the beginning of the object).
Greetings, Michael
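
An added illustration of the points raised in the mail above (not part of the original message and not Wine's rsabase or msi code): a small user-mode handle table that rejects a sentinel value, detects use of an already released handle through a generation counter, and wipes key memory on release. All names (`ht_alloc`, `ht_lookup`, `ht_release`, `HT_INVALID`) and the 16/16-bit handle layout are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical names throughout; constructed for this example. */
#define HT_SLOTS   16
#define HT_INVALID 0u        /* stand-in for an INVALID_HANDLE_VALUE-style sentinel */
#define KEY_BYTES  32

typedef uint32_t ht_handle;

struct ht_slot {
    uint16_t generation;     /* bumped on every release, so old handles stop matching */
    int in_use;
    unsigned char key[KEY_BYTES];
};
static struct ht_slot table[HT_SLOTS];

/* Precise validity check: range, liveness and generation. The handle is only
 * ever used as an index, never dereferenced as a pointer to look for a magic value. */
static struct ht_slot *ht_lookup(ht_handle h) {
    unsigned idx = (h & 0xffffu) - 1;   /* low bits 0 wrap around and fail the range check */
    if (idx >= HT_SLOTS) return NULL;
    if (!table[idx].in_use) return NULL;
    if (table[idx].generation != (uint16_t)(h >> 16)) return NULL;
    return &table[idx];
}

/* Handle layout: high 16 bits = generation, low 16 bits = slot index + 1. */
static ht_handle ht_alloc(const unsigned char *key) {
    for (unsigned i = 0; i < HT_SLOTS; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            memcpy(table[i].key, key, KEY_BYTES);
            return ((ht_handle)table[i].generation << 16) | (i + 1);
        }
    }
    return HT_INVALID;                  /* table full */
}

/* Release wipes the key material and invalidates every outstanding copy of the handle. */
static int ht_release(ht_handle h) {
    struct ht_slot *s = ht_lookup(h);
    if (!s) return 0;                   /* double release or garbage value is rejected */
    volatile unsigned char *p = s->key; /* volatile writes so the wipe is not optimised away */
    for (size_t i = 0; i < KEY_BYTES; i++) p[i] = 0;
    s->in_use = 0;
    s->generation++;
    return 1;
}
```

The generation counter is 16 bits wide here, so a stale handle would match again after 65536 reuses of the same slot; a wider counter narrows that window.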