GnuTLS (libgcrypt really) and Postfix

Steven M. Bellovin smb at cs.columbia.edu
Tue Feb 14 13:00:33 EST 2006


In message <43F14417.1000307 at echeque.com>, "James A. Donald" writes:
>     --
>
> >>Libgcrypt tries to minimize these coding errors; for example there
> >>are no error returns for the RNG - if one calls for 16 bytes of
> >>random one can be sure that the buffer is filled with 16 bytes of
> >>random.  Now, if the environment is not okay and Libgcrypt can't
> >>produce that random - what shall we do else than abort the process.
> >>This way the errors will be detected before major harm might occur.
>
> > I'm afraid I consider it instead a weakness in your API design that
> > you have no way to indicate an error return from a function that may
> > fail.
>
>The correct mechanism is exception handling.
>
>If caller has provided a mechanism to handle the failure, that
>mechanism should catch the library generated exception.  If the caller
>has provided no such mechanism, his program should terminate
>ungracefully.
>
>Unfortunately, there is no very portable support for exception
>handling in C.   There is however support in C++, Corn, D, Delphi,
>Objective-C, Java, Eiffel, Ocaml, Python, Common Lisp, SML, PHP and
>all .NET CLS-compliant languages.
>
>Absent exception handling, mission critical tasks should have no
>exceptions, which is best accomplished by the die-on-error standard.
>

Precisely.  I was preparing a post of my own, saying the same thing; 
you beat me to it.

We all agree that critical errors like this should be caught; the only 
question is at what layer the action should take place.  I'm an 
adherent to the Unix philosophy -- when a decision is made at a lower 
level, it takes away the ability of the higher level to do something 
different if appropriate, and this loss of flexibility is a bad thing.

As noted, the best answer is a modern language that supports 
exceptions.  (Sorry, SIGABRT and setjmp/longjmp just don't cut it.)  
Let me suggest a C-compatible possibility: pass an extra parameter to 
the library routines, specifying a procedure to call if serious errors 
occur.  If that pointer is null, the library can abort.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
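The C-compatible design sketched above (an extra error-handler parameter, with abort as the fallback when it is NULL) as an added example; this is not code from the list, from libgcrypt or from GnuTLS. The routine names `rng_fill`, `rng_error_fn` and the `entropy_read` stand-in are assumptions made for illustration; the entropy source is a constructed stub with a flag so both the success and failure paths can be exercised offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical error-handler type: the library calls it when a serious
 * error occurs. If the caller passes NULL, the library aborts instead,
 * which reproduces the die-on-error behaviour discussed in the thread. */
typedef void (*rng_error_fn)(const char *what, void *ctx);

/* Constructed stand-in for an entropy source. A real library would read
 * /dev/urandom or a hardware RNG; here a flag simulates failure so the
 * example can show both outcomes without a real device. */
static int g_entropy_available = 1;

static int entropy_read(unsigned char *buf, size_t len) {
    if (!g_entropy_available)
        return -1;
    /* Deterministic filler (NOT random) so the example is reproducible. */
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(0xA5 ^ (i * 7));
    return 0;
}

/* Hypothetical library routine in the style suggested above: the extra
 * parameter names a procedure to call on serious error. Returns 0 when the
 * buffer was filled, -1 when the handler was invoked and chose to return.
 * With a NULL handler the process aborts rather than continuing. */
int rng_fill(unsigned char *buf, size_t len, rng_error_fn on_error, void *ctx) {
    if (entropy_read(buf, len) == 0)
        return 0;
    /* Never hand back an uninitialised buffer that could be mistaken for
     * random bytes by a caller that ignores the return value. */
    memset(buf, 0, len);
    if (on_error == NULL) {
        fprintf(stderr, "rng_fill: entropy source failed; aborting\n");
        abort();
    }
    on_error("entropy source failed", ctx);
    return -1;
}

/* Example caller-side handler: records the failure so the higher layer can
 * decide what to do (retry, refuse the operation, log and exit, ...). */
struct err_record { int count; char msg[64]; };

static void record_error(const char *what, void *ctx) {
    struct err_record *r = ctx;
    r->count++;
    snprintf(r->msg, sizeof r->msg, "%s", what);
}

/* Runs one request against a healthy (1) or failed (0) entropy source.
 * Returns 0 when the key was filled, otherwise the number of handler calls. */
int demo(int entropy_ok) {
    unsigned char key[16];
    struct err_record rec = { 0, "" };
    g_entropy_available = entropy_ok;
    int rc = rng_fill(key, sizeof key, record_error, &rec);
    g_entropy_available = 1;
    return rc == 0 ? 0 : rec.count;
}

/* Returns 1 if a successful fill left the first byte at the expected value. */
int demo_filled_first_byte(void) {
    unsigned char key[16];
    g_entropy_available = 1;
    if (rng_fill(key, sizeof key, record_error, NULL) != 0)
        return 0;
    return key[0] == 0xA5;
}

int main(void) {
    printf("healthy source: rc=%d\n", demo(1));   /* 0: buffer filled */
    printf("failed source:  handler calls=%d\n", demo(0));  /* 1 */
    return 0;
}
```

The caller keeps the choice: pass a handler and decide at its own layer, or pass NULL and accept the library's abort. Either way the buffer is never returned half-filled, which is the property the die-on-error design was protecting.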

