[Cryptography] GnuTLS -- time to look at the diff.

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Mar 6 05:30:41 EST 2014


Lodewijk andré de la porte <l at odewijk.nl> writes:

>What's up with using GOTO in very secure applications?  [...] I'd just like
>some thoughts from people who worked with this sort of software. An answer to
>the question "Isn't there some big way to do things such that it will be
>easier to know if it's fully correct now". (this is not about functional vs
>imperative programming, just about validatable style)

The fact that both of the publicised problems that have just been noticed are 
because of a 'goto fail' doesn't necessarily point to a goto crisis; since 
it's an arbitrary coding choice, I doubt there's any more, or less, goto-ing in 
secure apps than in anything else (see the example in Viktor Dukhovni's post from 
a few days ago showing the range, from thousands of gotos used in OpenSSL to 
zero in Postfix).  I've just grepped my cert-checking code, all 1.5MB of it 
[0], and there's a single location that uses gotos, to break out of the middle 
of a really complex state machine that handles the parsing of 
nested/overridden ASN.1 tags [1].

OTOH the goto mess in the Apple/GnuTLS code is really a sign of a much larger 
problem in the way that the coding is being done.  If you look through the 
posted GnuTLS code for example it seems pretty undisciplined, hardcoded 
explicit values, confusion over return values, and all sorts of other things.  
Using an example I'm pretty familiar with, in my code for reporting status 
values I have a global set of fixed, well-defined status values, a universal 
macro cryptStatusError() that checks whether a function failed, and I use 
compiler-enforced checking (and three different static analyzers) to make sure 
that a function status check isn't skipped.

So it's not a simple "goto = bad", it's excessive use of gotos being one (of 
many) signs of what appear to be bad/unsafe coding practices.

Peter.

[0] That's more than the code needed to implement SSL/TLS, SSH, PGP, and PKCS
    #7/CMS/SMIME combined.
[1] If anyone thinks they can refactor this in a cleaner way with no gotos,
    I'll send them the code.  I'm sceptical...

