[gnutls-dev] sign callback for certificate authentication

Ludovic Courtès ludovic.courtes at laas.fr
Mon Apr 16 16:14:41 CEST 2007


Hi,

Simon Josefsson <simon at josefsson.org> writes:

> void
> gnutls_session_set_appdata (gnutls_session_t session, void *p);
> void *p
> gnutls_session_get_appdata (gnutls_session_t session);

`gnutls_session_set_ptr ()' is session-global, making it inconvenient,
at best.  For instance, one call-back may need a specific type of
information, while another needs something completely different.  In
some cases, it might be possible to devise a big structure that
encompasses all these needs and pass this to `gnutls_session_set_ptr ()'.
Call-backs would then `get_ptr ()' and extract the relevant
information.

However, that leads to complex code where all call-backs have to be
aware of each other.  Or there must be an indirection hiding that.
Overall, it may prove inconvenient.

> Perhaps more than one such pointer is necessary, and if so, how about:
>
> void
> gnutls_session_set_appdata (gnutls_session_t session, void *p, size_t n);
> void *p
> gnutls_session_get_appdata (gnutls_session_t session, size_t n);
>
> What do you think?
>
> The advantage with this approach is that it should be possible to use
> in existing callbacks, and consistency between various callbacks is
> good.

Yes, this approach is nicer, and avoiding breaking the API/ABI is always
cool.  ;-)

I'd suggest something like this:

  /* Attributes.  In practice, they could be indices into a `void *'
     array.  */
  typedef void *gnutls_object_attribute_t;

  /* Return a new attribute for SESSION.  */
  extern gnutls_object_attribute_t
  gnutls_session_allocate_attribute (gnutls_session_t session);

  /* Store P as attribute ATTR of SESSION.  */
  extern int
  gnutls_session_set_attribute (gnutls_session_t session,
                                gnutls_object_attribute_t attr,
                                void *p);

  /* Retrieve in P the value of attribute ATTR of SESSION.  */
  extern int
  gnutls_session_get_attribute (gnutls_session_t session,
                                gnutls_object_attribute_t attr,
                                void **p);


The issue is that, for instance, the proposed sign call-back is attached
to a certificate, not a session.  Thus, a similar API would need to be
provided for `gnutls_certificate_t' as well, and potentially for all
other types where call-backs may be used (maybe there aren't so many of
them, though).

(If we were to start from scratch, I'd prefer the classic approach
outlined in my previous message.)

Thanks,
Ludovic.
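The attribute API sketched in the message above, worked through as an added stand-alone example (not GnuTLS code, nor the author's): `demo_session_t` is a hypothetical stand-in for `gnutls_session_t`, attributes are indices into a `void *` array as the sketch suggests, and all `demo_` names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy stand-in for gnutls_session_t (hypothetical; not GnuTLS code):
   a session owning a growable array of per-attribute pointers. */
typedef struct demo_session { void **attrs; size_t nattrs; } *demo_session_t;

/* An attribute is an index into that array, carried in a `void *'
   as the sketch suggests.  Index 0 is reserved so that a NULL
   attribute (a failed allocation) is never a valid handle. */
typedef void *demo_attribute_t;
enum { DEMO_E_INVALID_ATTR = -1 };

demo_session_t demo_session_new(void) {
  demo_session_t s = calloc(1, sizeof *s);
  if (!s) return NULL;
  s->attrs = calloc(1, sizeof *s->attrs);
  if (!s->attrs) { free(s); return NULL; }
  s->nattrs = 1;                       /* slot 0 is the reserved one */
  return s;
}
void demo_session_free(demo_session_t s) { if (s) { free(s->attrs); free(s); } }

/* Hand out a fresh slot; each user (e.g. each call-back) gets its own,
   so call-backs need not know about each other's data. */
demo_attribute_t demo_session_allocate_attribute(demo_session_t s) {
  void **grown = realloc(s->attrs, (s->nattrs + 1) * sizeof *grown);
  if (!grown) return NULL;
  s->attrs = grown;
  s->attrs[s->nattrs] = NULL;
  return (demo_attribute_t)(uintptr_t)s->nattrs++;
}

/* Reject the reserved slot and anything this session never handed out. */
static int demo_valid_attr(demo_session_t s, demo_attribute_t attr, size_t *idx) {
  *idx = (size_t)(uintptr_t)attr;
  return *idx != 0 && *idx < s->nattrs;
}
int demo_session_set_attribute(demo_session_t s, demo_attribute_t attr, void *p) {
  size_t idx;
  if (!demo_valid_attr(s, attr, &idx)) return DEMO_E_INVALID_ATTR;
  s->attrs[idx] = p;
  return 0;
}
int demo_session_get_attribute(demo_session_t s, demo_attribute_t attr, void **p) {
  size_t idx;
  if (!demo_valid_attr(s, attr, &idx)) return DEMO_E_INVALID_ATTR;
  *p = s->attrs[idx];
  return 0;
}
```

A session-wide `set_ptr` would force both pieces of data below into one shared struct; here each call-back owns a separate slot and an attribute from another session or the reserved slot is rejected rather than dereferenced.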
