Nikos Mavrogiannopoulos <[email protected]> writes:

> That is
> pretty dangerous with the changes of parameters in functions in nettle
> 3. The issue is the compiler will not warn for serious errors such as
> different function type. An example macro is GCM_ENCRYPT.
>
> #define GCM_ENCRYPT(ctx, encrypt, length, dst, src) \
>   (0 ? (encrypt)(&(ctx)->cipher, 0, (void *)0, (void *)0) \
>      : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \
>                    (nettle_cipher_func *) (encrypt), \
>                    (length), (dst), (src)))

The idea of this macro is that

1. It should be possible to pass a context with the cipher element typed
   as a struct aes128_ctx, and encrypt as the function aes128_encrypt,
   without errors or warnings. To have the cast in one place, instead of
   sprinkled throughout application code.

2. The expression after the 0 ? should give some additional
   typechecking, so that, e.g., having a ctx->cipher of type aes128_ctx
   and encrypt as the function camellia128_crypt, you will get a warning
   from the compiler about bad first argument to camellia128_crypt.

If you pass an encrypt function of type nettle_cipher_func (with a
const void * first argument), you get less type checking, but at least
you should get a check on number of arguments, and integers vs pointers.

Can you give an example usage where you'd want to get a compiler
warning, but you don't get one?

BTW, a minor improvement to type checking would be to change the
(void*) 0 expressions above to (uint8_t *) 0 and (const uint8_t *) 0.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
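
The dead-branch type check discussed in this message, as an added example that is not part of the original post or of nettle. All toy_* and mode_* names are hypothetical stand-ins, and the dummy arguments use the (uint8_t *) casts suggested in the message. Compile with -DSHOW_MISMATCH to see the diagnostic for a mismatched context and function.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-ins; none of these names are nettle's. */
struct toy_a_ctx { uint8_t key; };
struct toy_b_ctx { uint8_t key; uint8_t tweak; };
struct mode_a_ctx { struct toy_a_ctx cipher; };
struct mode_b_ctx { struct toy_b_ctx cipher; };

typedef void toy_cipher_func(const void *ctx, size_t length,
                             uint8_t *dst, const uint8_t *src);

void toy_a_encrypt(const struct toy_a_ctx *ctx, size_t length,
                   uint8_t *dst, const uint8_t *src)
{ for (size_t i = 0; i < length; i++) dst[i] = src[i] ^ ctx->key; }

void toy_b_encrypt(const struct toy_b_ctx *ctx, size_t length,
                   uint8_t *dst, const uint8_t *src)
{ for (size_t i = 0; i < length; i++) dst[i] = src[i] ^ ctx->key ^ ctx->tweak; }

/* Generic mode code sees only a void * context and a generic function.
   Assumes struct pointers and void * share a representation. */
void toy_mode_encrypt(const void *cipher, toy_cipher_func *f,
                      size_t length, uint8_t *dst, const uint8_t *src)
{ f(cipher, length, dst, src); }

/* Same shape as GCM_ENCRYPT: the "0 ?" branch is never evaluated, but the
   compiler still type-checks encrypt against &(ctx)->cipher before the
   cast in the live branch discards the function's real type. */
#define TOY_MODE_ENCRYPT(ctx, encrypt, length, dst, src) \
  (0 ? (encrypt)(&(ctx)->cipher, 0, (uint8_t *) 0, (const uint8_t *) 0) \
     : toy_mode_encrypt(&(ctx)->cipher, (toy_cipher_func *) (encrypt), \
                        (length), (dst), (src)))

/* Matching pairs compile cleanly; packs the first output byte of each. */
int demo_matching(void)
{
  struct mode_a_ctx a = { { 0x5a } };
  struct mode_b_ctx b = { { 0x5a, 0x0f } };
  const uint8_t src[2] = { 0x01, 0x02 };   /* constructed sample input */
  uint8_t da[2], db[2];
  TOY_MODE_ENCRYPT(&a, toy_a_encrypt, sizeof src, da, src);
  TOY_MODE_ENCRYPT(&b, toy_b_encrypt, sizeof src, db, src);
#ifdef SHOW_MISMATCH
  /* Diagnosed in the dead branch: struct toy_a_ctx * passed where
     toy_b_encrypt expects const struct toy_b_ctx *. */
  TOY_MODE_ENCRYPT(&a, toy_b_encrypt, sizeof src, da, src);
#endif
  return (da[0] << 8) | db[0];
}
```

Without the dead branch, the cast alone would accept the mismatched call silently, and toy_b_encrypt would read a tweak field that a struct toy_a_ctx does not have.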
