From: Ian Jackson
Date: Sat, 18 May 2019 00:42:55 +0000 (+0100)
Subject: random: Admit that we will never add error checking everywhere
X-Git-Tag: v0.4.4~5
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=secnet.git;a=commitdiff_plain;h=e3f1375768e53a28a4b5e7b965f2f9f3472aab42
random: Admit that we will never add error checking everywhere
Literally no-one checks this return value. Abolish it.
Signed-off-by: Ian Jackson
---
v2: New patch
---
diff --git a/random.c b/random.c
index cdb0dfd..323fffd 100644
--- a/random.c
+++ b/random.c
@@ -33,7 +33,7 @@ struct rgen_data {
 };
 static random_fn random_generate;
-static bool_t random_generate(void *data, int32_t bytes, uint8_t *buff)
+static void random_generate(void *data, int32_t bytes, uint8_t *buff)
 {
 struct rgen_data *st=data;
 int r;
@@ -41,26 +41,10 @@ static bool_t random_generate(void *data, int32_t bytes, uint8_t *buff)
 r= read(st->fd,buff,bytes);
 assert(r == bytes);
- /* This is totally crap error checking, but AFAICT many callers of
- * this function do not check the return value. This is a minimal
- * change to make the code not fail silently-but-insecurely.
- *
- * A proper fix requires either:
- * - Declare all random number generation failures as fatal
- * errors, and make this return void, and fix all callers,
- * and make this call some appropriate function if it fails.
- * - Make this have proper error checking (and reporting!)
- * and make all callers check the error (and report!);
- * this will be tricky, I think, because you have to report
- * the errno somewhere.
- *
- * There's also the issue that this is only one possible
- * implementation of a random number source; others may not rely
- * on reading from a file descriptor, and may not produce
- * appropriate settings of errno.
+ /* This is totally crap error checking, but callers of
+ * this function do not check the return value and dealing
+ * with failure of this everywhere would be very inconvenient.
 */
-
- return True;
 }
 static list_t *random_apply(closure_t *self, struct cloc loc,
diff --git a/secnet.h b/secnet.h
index e253a14..818e946 100644
--- a/secnet.h
+++ b/secnet.h
@@ -402,8 +402,8 @@ struct resolver_if {
 /* RANDOMSRC interface */
-/* Return some random data. Returns TRUE for success. */
-typedef bool_t random_fn(void *st, int32_t bytes, uint8_t *buff);
+/* Return some random data. Cannot fail. */
+typedef void random_fn(void *st, int32_t bytes, uint8_t *buff);
 struct random_if {
 void *st;
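Review bot: With the return value gone, `assert(r == bytes)` in the kept context lines is the only thing standing between a failed or short `read()` and returning `buff` unfilled or partly filled, and that assert compiles to nothing under NDEBUG; the function now returns void and secnet.h advertises it as unable to fail, so the check has to be unconditional and terminate the process. I would replace the assert with `if (r < 0) fatal_perror("random_generate: read");` followed by `if (r != bytes) fatal("random_generate: short read (%d of %d bytes)", r, bytes);`, assuming `fatal` and `fatal_perror` are the helpers random.c already uses for its open failure (a short read from a pipe or character device is possible, so the equality check matters, not just the sign). The retained comment's `callers of this function do not check the return value` is also stale now that there is no return value; reword it to say that a read failure is treated as fatal here rather than reported. random_generate's signature and opening lines are in the preceding hunk.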
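Review bot: `Cannot fail.` on the new typedef comment states an outcome rather than the obligation it places on implementations, and the only implementation in this patch still relies on an `assert` that NDEBUG removes. Since callers will now never check anything, the contract should say what an implementation must do when it cannot supply the bytes, e.g. `/* Return some random data. Must not return on failure: an implementation that cannot fill buff must terminate the process. */`.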