Re: [Passwordsafe-devel] Concerns with use of security enhanced string functions
From: Steffen R. <ste...@hp...> - 2007-03-06 13:24:41
Hi,

Rony Shapiro wrote:
> Using the _s versions of library functions seems to me a Good Thing, [...]
>
> Therefore, I think they should be used where possible. It would be nice to
> have some wrappers around them, though, to eliminate the #ifdefs sprinkled
> throughout the code...
>
Agreed, I think I can implement this soon. For now, I took the easy way and corrected the #ifdefs only. Would PWSUtil be a suitable place for these wrappers?

Thanks for your comments,
Steffen

> -----Original Message-----
> From: pas...@li... [mailto:pas...@li...] On Behalf Of Steffen Ryll
> Sent: Friday, February 23, 2007 12:17 AM
> To: pas...@li...
> Subject: [Passwordsafe-devel] Concerns with use of security enhanced string functions
>
> Hi,
>
> Recently I decided to dedicate myself to helping with porting pwsafe to
> PocketPC.
> So far, I managed to configure the build environment correctly (at least
> I hope it is) for PocketPC compilation. The trouble is now, that only in
> the corelib project 244 compile errors are raised, many of them
> referring to security enhanced string functions introduced with CRT 8.0/
> VS2005 (e.g. _stprintf_s is used instead of _stprintf earlier).
> Though these function calls are in #ifdef blocks testing for VS2005 or
> newer, this doesn't seem to be good enough. I suppose, these new
> functions are available only in the native Win32 C library, not in the
> PocketPC versions.
>
> Additionally, there seem to be backwards compatibility issues with some
> of these functions. According to, for instance
> http://msdn2.microsoft.com/en-us/library/ce3zzk1k(VS.80).aspx ,
> _stprintf_s is identical to swprintf_s, but this is not supported by Win9x.
>
> Thus, I want to raise the question, whether it is a good idea to make
> use of these security enhanced functions, in our opinion.
> I can see two possible solutions for that:
>
> 1. Leave these new functions aside and stick to ANSI C string operations.
>
> 2. Use the new functions wherever possible. To improve code then, the
> differentiation between old and new functions should be encapsulated in
> one class. On the other hand, this wouldn't solve backwards
> compatibility issues.
>
> I'm personally more in favour of the first approach, because it makes
> porting to other platforms and OSs easier.
>
>
> One point concerning the port to PocketPC: Don't expect so much
> progress soon, as I'm not so much familiar with C++ and with pwsafe's
> source code. This forces me to read a lot first :-)
> However, I'm planning to post a few questions and ideas soon, continuing
> the discussion Robert Altmann kicked off last year. But I'm not ready
> with these yet.
>
>
> Any comments?
>
> Cheers,
>
> Steffen
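The wrapper idea discussed in this thread, sketched as an added example that is not part of the original messages or of Password Safe's code. The name `pws_sprintf` is hypothetical, only the narrow-character case is shown, and it assumes the PocketPC CRT provides `_vsnprintf` but not the `_s` functions.

```c
/* Added example: hypothetical wrapper, not Password Safe code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Format into dst (dstsize bytes including the terminator).
 * Returns the number of characters written, or -1 on bad arguments or
 * truncation. dst is NUL-terminated whenever dstsize > 0.
 */
int pws_sprintf(char *dst, size_t dstsize, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (dst == NULL || dstsize == 0 || fmt == NULL)
        return -1;

    va_start(ap, fmt);
#if defined(_MSC_VER) && _MSC_VER >= 1400 && !defined(_WIN32_WCE)
    /* VS2005+ desktop CRT: secure variant; _TRUNCATE makes overflow
       return -1 instead of invoking the invalid-parameter handler. */
    n = _vsnprintf_s(dst, dstsize, _TRUNCATE, fmt, ap);
#elif defined(_MSC_VER)
    /* Older or PocketPC CRT (assumed to lack the _s functions):
       _vsnprintf does not terminate on overflow, so reserve a byte. */
    n = _vsnprintf(dst, dstsize - 1, fmt, ap);
#else
    /* C99 vsnprintf returns the length it needed; fold that into -1. */
    n = vsnprintf(dst, dstsize, fmt, ap);
    if (n >= 0 && (size_t)n >= dstsize)
        n = -1;
#endif
    va_end(ap);
    dst[dstsize - 1] = '\0';   /* terminate on every path */
    return n < 0 ? -1 : n;
}

int main(void)
{
    char small[4], ok[16];     /* constructed sample buffers */
    int r1 = pws_sprintf(ok, sizeof ok, "%s-%d", "entry", 42);
    int r2 = pws_sprintf(small, sizeof small, "%s", "password");
    printf("%d \"%s\"\n%d \"%s\"\n", r1, ok, r2, small);
    return 0;
}
```

Callers see one return convention on every platform, so the `#ifdef` lives in a single function and a truncated result is reported rather than silently used.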