[gnutls-dev] External signing API
Alon Bar-Lev
alon.barlev at gmail.com
Fri Aug 10 16:25:41 CEST 2007
On 8/10/07, Simon Josefsson <simon at josefsson.org> wrote:
> Hi! The userdata is passed to the callback, see the prototype. Do you
> think another function is needed anyway?
Yes.
During cleanup the user data should be accessible in order to
optionally free it.
> > Please also add something like:
> > #define GNUTLS_E_LIBEXTESION_DEFINED_BASE -2000
> > #define GNUTLS_E_USER_DEFINED_BASE -3000
> >
> > So that external library/user may define its own set of codes.
>
> Hm, exactly what use do you see for this? Returning various different
> PKCS#11 errors? That makes sense...
Right.
> However, the return code from the signing callback influences the TLS
> handshake logic, some return codes lead to disconnect, some don't
> (although I'm having a hard time understanding how the state machine
> would recover). See gnutls_error_is_fatal. Looking at that function,
> it seems it has the wrong default: if an error code isn't known to
> gnutls, it is classified as non-fatal. That is likely incorrect, the
> internal logic needs to understand how to recover from non-fatal error
> cases, and will thus need to know about the error code. I've changed
> this.
True...
Unknown errors should be fatal.
Best Regards,
Alon Bar-Lev.
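
An added illustration of the classification default discussed in this message (not code from GnuTLS or from either participant): a caller-defined error range together with a fail-open and a fail-closed fatality check. Every `EX_`/`ex_` name and numeric value is hypothetical; only the -3000 base echoes the define proposed above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* All names and values below are hypothetical, for illustration only. */
#define EX_E_AGAIN        (-28)   /* recoverable: retry the call */
#define EX_E_INTERRUPTED  (-52)   /* recoverable: retry the call */
#define EX_E_PK_SIGN_FAIL (-46)   /* a code the library knows to be fatal */
#define EX_E_USER_BASE    (-3000) /* start of the caller-defined range */
#define EX_E_USER_SPAN    1000u   /* caller codes run -3000 .. -3999 */

static bool in_list(int code, const int *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == code) return true;
    return false;
}

/* Map a callback-specific failure (e.g. a token error index) into the user range. */
int ex_user_error(unsigned detail) {
    if (detail >= EX_E_USER_SPAN) return EX_E_USER_BASE; /* out of range: generic code */
    return EX_E_USER_BASE - (int)detail;
}

/* Fail-open: only listed codes are fatal, so an unknown code is non-fatal. */
bool ex_is_fatal_open(int code) {
    static const int fatal[] = { EX_E_PK_SIGN_FAIL };
    return in_list(code, fatal, sizeof fatal / sizeof fatal[0]);
}

/* Fail-closed: only listed codes are recoverable; any other negative code is fatal. */
bool ex_is_fatal_closed(int code) {
    static const int recoverable[] = { EX_E_AGAIN, EX_E_INTERRUPTED };
    if (code >= 0) return false; /* success is never fatal */
    return !in_list(code, recoverable, sizeof recoverable / sizeof recoverable[0]);
}

int main(void) {
    int codes[] = { 0, EX_E_AGAIN, EX_E_PK_SIGN_FAIL, ex_user_error(5) };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("%5d open=%d closed=%d\n", codes[i],
               ex_is_fatal_open(codes[i]), ex_is_fatal_closed(codes[i]));
    return 0;
}
```

With the fail-open check, a code returned from the user range is treated as recoverable and the caller may continue the handshake; the fail-closed check stops on it.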