[gnutls-dev] sign callback for certificate authentication

Simon Josefsson simon at josefsson.org
Mon Apr 16 15:10:44 CEST 2007


ludovic.courtes at laas.fr (Ludovic Courtès) writes:

> However, in your patch, you defined signing functions as:
>
>   typedef int gnutls_certificate_client_sign_function (gnutls_session_t session,
>                                                        gnutls_datum_t * cert,
>                                                        gnutls_certificate_type_t cert_type,
>                                                        const gnutls_datum_t *hash_concat,
>                                                        gnutls_datum_t *
>                                                        signature);
>
> I think this suffers from the same shortcomings as most call-backs
> defined in GnuTLS: one cannot attach additional data to be passed along
> to the sign function.
>
> Thus, I would instead recommend adding a `void *' parameter to
> `gnutls_certificate_client_sign_function'; the
> `gnutls_certificate_client_set_sign_function ()' needs to be modified
> accordingly:
>
>   void gnutls_certificate_client_set_sign_function
>     (gnutls_certificate_credentials_t cred,
>      gnutls_certificate_client_sign_function * func,
>      void *user_data);
>
> This way, USER_DATA would be passed as the last argument of FUNC each
> time it is called.
>
>
> Call-back APIs that fail to provide this make it hard to communicate
> information to call-backs in a "safe" way: one has to resort to global
> variables or some such, which makes code harder to read and is not
> recommended in multi-threaded applications.  Likewise, it makes it hard
> to implement bindings for higher-level languages.

In general, I agree, and we should make it easier to use callbacks.

However, what do you think about doing this via the 'session'
parameter, rather than having to change the signatures of the
callback-related functions?  I'm thinking:

void
gnutls_session_set_appdata (gnutls_session_t session, void *p);
void *
gnutls_session_get_appdata (gnutls_session_t session);

Perhaps more than one such pointer is necessary, and if so, how about:

void
gnutls_session_set_appdata (gnutls_session_t session, void *p, size_t n);
void *
gnutls_session_get_appdata (gnutls_session_t session, size_t n);

What do you think?

The advantage with this approach is that it should be possible to use
in existing callbacks, and consistency between various callbacks is
good.

/Simon
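The following is an added, self-contained C sketch (not GnuTLS code and not part of either message) of the session-attached application-data idea discussed above. It uses a toy `toy_session_t` with indexed slots in the `(session, p, n)` / `(session, n)` shape Simon proposes, and a sign callback that fetches its per-connection context from the session rather than from a global, which is the multi-threading concern Ludovic raises. All names (`toy_*`, `sign_ctx_t`, `SIGN_CTX_SLOT`) are hypothetical, and the "signature" is just a string tag standing in for real crypto.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy session: a fixed number of opaque application-data
 * slots, mirroring the indexed set/get signatures proposed in the thread. */
#define TOY_APPDATA_SLOTS 4

typedef struct {
    void *appdata[TOY_APPDATA_SLOTS];
} toy_session_t;

/* Returns 0 on success, -1 if the slot index is out of range. */
int toy_session_set_appdata(toy_session_t *session, void *p, size_t n)
{
    if (session == NULL || n >= TOY_APPDATA_SLOTS)
        return -1;
    session->appdata[n] = p;
    return 0;
}

/* Returns NULL for an out-of-range or never-set slot. */
void *toy_session_get_appdata(toy_session_t *session, size_t n)
{
    if (session == NULL || n >= TOY_APPDATA_SLOTS)
        return NULL;
    return session->appdata[n];
}

/* Per-connection signing context (constructed for this example); a real
 * client would keep a key handle or token session here. */
typedef struct {
    const char *key_label;
    int calls;
} sign_ctx_t;

#define SIGN_CTX_SLOT 0

/* Callback shape loosely following the quoted typedef, with the datum
 * types replaced by plain strings to keep the example stand-alone. */
typedef int (*toy_sign_function)(toy_session_t *session,
                                 const char *hash_concat,
                                 char *sig, size_t siglen);

/* Application-side callback: pulls its context out of the session.
 * With no context it refuses to sign instead of reaching for a global. */
static int example_sign(toy_session_t *session, const char *hash_concat,
                        char *sig, size_t siglen)
{
    sign_ctx_t *ctx = toy_session_get_appdata(session, SIGN_CTX_SLOT);
    if (ctx == NULL)
        return -1;
    ctx->calls++;
    /* Stand-in for a real signature: tag the hash with the key label. */
    snprintf(sig, siglen, "%s:%s", ctx->key_label, hash_concat);
    return 0;
}

/* Library side: invoke whatever callback the application registered. */
int toy_invoke_sign(toy_session_t *session, toy_sign_function func,
                    const char *hash_concat, char *sig, size_t siglen)
{
    return func(session, hash_concat, sig, siglen);
}

/* Two sessions with independent contexts share no global state; returns the
 * total number of callback invocations (2) or -1 on any failure. */
int demo_two_sessions(char *sig_a, char *sig_b, size_t siglen)
{
    toy_session_t a = {{0}}, b = {{0}};
    sign_ctx_t ctx_a = {"key-A", 0}, ctx_b = {"key-B", 0};
    if (toy_session_set_appdata(&a, &ctx_a, SIGN_CTX_SLOT) != 0) return -1;
    if (toy_session_set_appdata(&b, &ctx_b, SIGN_CTX_SLOT) != 0) return -1;
    if (toy_invoke_sign(&a, example_sign, "hash1", sig_a, siglen) != 0) return -1;
    if (toy_invoke_sign(&b, example_sign, "hash2", sig_b, siglen) != 0) return -1;
    return ctx_a.calls + ctx_b.calls;
}

int main(void)
{
    char sig_a[32], sig_b[32];
    int calls = demo_two_sessions(sig_a, sig_b, sizeof sig_a);
    printf("calls=%d a=%s b=%s\n", calls, sig_a, sig_b);
    return calls == 2 ? 0 : 1;
}
```

The point of the toy is the data flow, not the crypto: each session owns its own pointer, so the same callback can serve many connections at once without shared mutable state, and the out-of-range and unset-slot checks show the failure modes an indexed `n` parameter introduces compared with a single `void *` passed straight to the callback.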
