[gnutls-dev] External signing API

Alon Bar-Lev alon.barlev at gmail.com
Fri Aug 10 16:25:41 CEST 2007

On 8/10/07, Simon Josefsson <simon at josefsson.org> wrote:
> Hi!  The userdata is passed to the callback, see the prototype.  Do you
> think another function is needed anyway?

During cleanup the user data should be accessible in order to
optionally free it.

> > Please also add something like:
> > #define GNUTLS_E_USER_DEFINED_BASE -3000
> >
> > So that external library/user may define its own set of codes.
> Hm, exactly what use do you see for this?  Returning various different
> PKCS#11 errors?  That makes sense...


> However, the return code from the signing callback influences the TLS
> handshake logic, some return codes lead to disconnect, some don't
> (although I'm having a hard time understanding how the state machine
> would recover).  See gnutls_error_is_fatal.  Looking at that function,
> it seems it has the wrong default: if an error code isn't known to
> gnutls, it is classified as non-fatal.  That is likely incorrect, the
> internal logic needs to understand how to recover from non-fatal error
> cases, and will thus need to know about the error code.  I've changed
> this.

Unknown errors should be fatal.

Best Regards,
Alon Bar-Lev.

