[Swan-dev] why do we bother checking out_raw() et.al.'s result?

D. Hugh Redelmeier hugh at mimosa.com
Sat Sep 22 16:07:40 UTC 2018


| From: Andrew Cagney <andrew.cagney at gmail.com>

| I'm wondering why we bother to write code like:
| 
|         return ikev1_out_generic(np, &isakmp_keyex_desc, outs, &z) &&
|             out_zero(g->len, &z, "fake g^x") &&
|             (close_output_pbs(&z), TRUE);
| 
| that goes out of its way to terminate the construction of a packet the
| moment there is a whiff of a problem

There are no good exception mechanisms.

In security code, it is good to stop when things are going wrong.  Not
get further into the weeds.

Simple abstraction: If I'm here in the code, nothing has gone wrong so
far.

Harder abstraction: If I'm here in the code, anything that's gone
wrong will show up eventually (and isn't going to cause me problems).

We've proven time and again, any subtlety in our code is an
invitation to future breakage.
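The fail-fast `&&` chain the thread discusses, as an added example that is not code from the post or from libreswan: a constructed output buffer with hypothetical `out_raw`/`out_zero` stand-ins (not the real pb_stream API), showing that construction stops at the first write that does not fit and nothing after it is attempted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an output packet buffer; not libreswan's pb_stream. */
struct out_buf { uint8_t *start; size_t cap; size_t cur; };

/* Append len bytes; on overflow report it and refuse, leaving cur untouched. */
static bool out_raw(const void *p, size_t len, struct out_buf *b, const char *what)
{
    if (len > b->cap - b->cur) {
        fprintf(stderr, "out_raw: no room for %s (%zu bytes)\n", what, len);
        return false;
    }
    memcpy(b->start + b->cur, p, len);
    b->cur += len;
    return true;
}

/* Append len zero bytes (a placeholder for a value filled in later). */
static bool out_zero(size_t len, struct out_buf *b, const char *what)
{
    uint8_t zeros[16] = { 0 };
    return len <= sizeof zeros && out_raw(zeros, len, b, what);
}

/* Fail-fast construction: && stops at the first step that cannot complete,
 * so no later write is attempted against a buffer already known to be short. */
static bool build_ke_payload(struct out_buf *b, const uint8_t *ke, size_t ke_len)
{
    uint8_t hdr[4] = { 0, 0, 0, 0 };  /* constructed generic payload header */
    return out_raw(hdr, sizeof hdr, b, "KE header") &&
           out_raw(ke, ke_len, b, "g^x") &&
           out_zero(8, b, "reserved");
}

/* Runs the builder into a fresh buffer of the given capacity (clamped to 64). */
static size_t run_build(size_t cap, bool *complete)
{
    uint8_t storage[64];
    static const uint8_t ke[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed g^x */
    struct out_buf b = { storage, cap < sizeof storage ? cap : sizeof storage, 0 };
    *complete = build_ke_payload(&b, ke, sizeof ke);
    return b.cur;
}

/* Bytes emitted before construction stopped (20 when everything fits). */
size_t ke_bytes_emitted(size_t cap) { bool c; return run_build(cap, &c); }
/* Whether the whole payload fit in the buffer. */
bool ke_payload_complete(size_t cap) { bool c; run_build(cap, &c); return c; }
```

With a 16-byte buffer the header and g^x are written (12 bytes) and the chain stops at the reserved bytes, so the caller sees a failure instead of a partially built packet that looks finished.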

