GnuTLS (libgrypt really) and Postfix
Steven M. Bellovin
smb at cs.columbia.edu
Tue Feb 14 13:00:33 EST 2006
In message <43F14417.1000307 at echeque.com>, "James A. Donald" writes:
>
> >>Libgcrypt tries to minimize these coding errors; for example there
> >>are no error returns for the RNG - if one calls for 16 bytes of
> >>random one can be sure that the buffer is filled with 16 bytes of
> >>random. Now, if the environment is not okay and Libgcrypt can't
> >>produce that random - what shall we do else than abort the process.
> >>This way the errors will be detected before major harm might occur.
>
> > I'm afraid I consider it instead a weakness in your API design
> > that you
> > have no way to indicate an error return from a function that may
> > fail.
>
>The correct mechanism is exception handling.
>
>If caller has provided a mechanism to handle the failure, that
>mechanism should catch the library generated exception. If the caller
>has provided no such mechanism, his program should terminate
>ungracefully.
>
>Unfortunately, there is no very portable support for exception
>handling in C. There is however support in C++, Corn, D, Delphi,
>Objective-C, Java, Eiffel, Ocaml, Python, Common Lisp, SML, PHP and
>all .NET CLS-compliant languages.
>
>Absent exception handling, mission critical tasks should have no
>exceptions, which is best accomplished by the die-on-error standard.
>
Precisely. I was preparing a post of my own, saying the same thing;
you beat me to it.
We all agree that critical errors like this should be caught; the only
question is at what layer the action should take place. I'm an
adherent to the Unix philosophy -- when a decision is made at a lower
level, it takes away the ability of the higher level to do something
different if appropriate, and this loss of flexibility is a bad thing.
As noted, the best answer is a modern language that supports
exceptions. (Sorry, SIGABRT and setjmp/longjmp just don't cut it.)
Let me suggest a C-compatible possibility: pass an extra parameter to
the library routines, specifying a procedure to call if serious errors
occur. If that pointer is null, the library can abort.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
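One way to realize the C-compatible suggestion above, as an added example that is not code from the post, from libgcrypt or from GnuTLS: the library routine takes a caller-supplied handler pointer and context; a null handler means the library aborts on entropy failure, as the post says. The handler's return value (abort vs. fail back to the caller), the function names (`lib_randomize`, `record_and_continue`, `try_randomize`, `demo_*`) and the flag-controlled stand-in for an entropy source are all assumptions made for this illustration, and the filler bytes are deterministic, not random.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Action a caller-supplied error handler may request from the library.
 * Assumed semantics: the post only says a null handler means abort. */
typedef enum {
    LIB_ERR_ABORT,   /* handler wants the process to die now */
    LIB_ERR_RETURN   /* handler wants the call to fail back to the caller */
} lib_err_action;

/* Handler signature: the library passes a message and the caller's context. */
typedef lib_err_action (*lib_err_handler)(const char *what, void *ctx);

/* Constructed stand-in for an entropy source. Real code would read a
 * kernel or hardware RNG; here a flag lets the example force a failure. */
static int entropy_available = 1;

void set_entropy_available(int ok) { entropy_available = ok; }

static int read_entropy(unsigned char *buf, size_t n)
{
    if (!entropy_available)
        return -1;
    /* Deterministic filler so the example is reproducible; NOT random. */
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)(0xA5 ^ (i * 7));
    return 0;
}

/* Library entry point. On success buf is fully filled and 0 is returned.
 * On entropy failure: with a null handler the library aborts, as the post
 * suggests; otherwise the handler decides. A half-filled buffer is never
 * handed back, so 0 is the only "good" outcome. */
int lib_randomize(unsigned char *buf, size_t n, lib_err_handler handler, void *ctx)
{
    if (read_entropy(buf, n) == 0)
        return 0;

    memset(buf, 0, n);   /* ensure no caller ever uses a half-filled buffer */

    if (handler == NULL) {
        fputs("lib_randomize: entropy source failed, no handler; aborting\n", stderr);
        abort();
    }
    if (handler("entropy source failed", ctx) == LIB_ERR_RETURN)
        return -1;
    abort();
}

/* Example caller-side policy: record the failure and let the caller cope. */
struct err_record { int count; char last[64]; };

lib_err_action record_and_continue(const char *what, void *ctx)
{
    struct err_record *r = ctx;
    r->count++;
    snprintf(r->last, sizeof r->last, "%s", what);
    return LIB_ERR_RETURN;
}

/* Driver: resets the record, sets the entropy flag, and returns the
 * library's status so the outcome can be inspected by the caller. */
int try_randomize(int entropy_ok, struct err_record *rec, unsigned char *buf, size_t n)
{
    set_entropy_available(entropy_ok);
    rec->count = 0;
    rec->last[0] = '\0';
    return lib_randomize(buf, n, record_and_continue, rec);
}

/* Convenience wrappers exposing the results as plain return values. */
int demo_status(int entropy_ok)
{
    unsigned char b[16]; struct err_record r;
    return try_randomize(entropy_ok, &r, b, sizeof b);
}

int demo_handler_calls(int entropy_ok)
{
    unsigned char b[16]; struct err_record r;
    try_randomize(entropy_ok, &r, b, sizeof b);
    return r.count;
}

int main(void)
{
    unsigned char key[16];
    struct err_record rec;
    if (try_randomize(1, &rec, key, sizeof key) == 0)
        puts("got 16 bytes");
    if (try_randomize(0, &rec, key, sizeof key) != 0)
        printf("library reported: %s (handler calls=%d)\n", rec.last, rec.count);
    /* lib_randomize(key, sizeof key, NULL, NULL) with no entropy would abort here. */
    return 0;
}
```

The null-handler path keeps the die-on-error behaviour the thread describes for callers that do nothing special; a caller that wants to do something different (log and retry later, fail one request rather than the whole daemon) supplies a handler, so the decision moves up a layer without adding an error code that unprepared callers could ignore.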
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com