Merge "Standardise safety comments for unsafe blocks." into main
51b4e481ed
3 changed files with 33 additions and 31 deletions
@ -48,9 +48,9 @@ pub fn bcc_format_config_descriptor(
|
|||
};
|
||||
|
||||
let mut buffer_size = 0;
|
||||
// SAFETY: The function writes to the buffer, within the given bounds, and only reads the
|
||||
// input values. It writes its result to buffer_size.
|
||||
check_result(
|
||||
// SAFETY: The function writes to the buffer, within the given bounds, and only reads the
|
||||
// input values. It writes its result to buffer_size.
|
||||
unsafe {
|
||||
BccFormatConfigDescriptor(&values, buffer.len(), buffer.as_mut_ptr(), &mut buffer_size)
|
||||
},
|
||||
|
@ -72,11 +72,11 @@ pub fn bcc_main_flow(
|
|||
next_bcc: &mut [u8],
|
||||
) -> Result<usize> {
|
||||
let mut next_bcc_size = 0;
|
||||
// SAFETY: `BccMainFlow` only reads the current `bcc` and CDI values and writes
|
||||
// to `next_bcc` and next CDI values within its bounds. It also reads
|
||||
// `input_values` as a constant input and doesn't store any pointer.
|
||||
// The first argument can be null and is not used in the current implementation.
|
||||
check_result(
|
||||
// SAFETY: `BccMainFlow` only reads the current `bcc` and CDI values and writes
|
||||
// to `next_bcc` and next CDI values within its bounds. It also reads
|
||||
// `input_values` as a constant input and doesn't store any pointer.
|
||||
// The first argument can be null and is not used in the current implementation.
|
||||
unsafe {
|
||||
BccMainFlow(
|
||||
ptr::null_mut(), // context
|
||||
|
@ -108,11 +108,11 @@ pub fn bcc_handover_main_flow(
|
|||
next_bcc_handover: &mut [u8],
|
||||
) -> Result<usize> {
|
||||
let mut next_bcc_handover_size = 0;
|
||||
// SAFETY - The function only reads `current_bcc_handover` and writes to `next_bcc_handover`
|
||||
// within its bounds,
|
||||
// It also reads `input_values` as a constant input and doesn't store any pointer.
|
||||
// The first argument can be null and is not used in the current implementation.
|
||||
check_result(
|
||||
// SAFETY: The function only reads `current_bcc_handover` and writes to `next_bcc_handover`
|
||||
// within its bounds,
|
||||
// It also reads `input_values` as a constant input and doesn't store any pointer.
|
||||
// The first argument can be null and is not used in the current implementation.
|
||||
unsafe {
|
||||
BccHandoverMainFlow(
|
||||
ptr::null_mut(), // context
|
||||
|
@ -165,9 +165,9 @@ pub fn bcc_handover_parse(bcc_handover: &[u8]) -> Result<BccHandover> {
|
|||
let mut cdi_seal: *const u8 = ptr::null();
|
||||
let mut bcc: *const u8 = ptr::null();
|
||||
let mut bcc_size = 0;
|
||||
// SAFETY: The `bcc_handover` is only read and never stored and the returned pointers should all
|
||||
// point within the address range of the `bcc_handover` or be NULL.
|
||||
check_result(
|
||||
// SAFETY: The `bcc_handover` is only read and never stored and the returned pointers should
|
||||
// all point within the address range of the `bcc_handover` or be NULL.
|
||||
unsafe {
|
||||
BccHandoverParse(
|
||||
bcc_handover.as_ptr(),
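Review bot: The relocated SAFETY comment above the `BccHandoverParse` call still phrases the callee's output contract as an expectation ("the returned pointers should all point within the address range of the bcc_handover or be NULL"), which is weaker than the soundness argument the `unsafe` block actually rests on, since any later use of `cdi_seal` and `bcc` is only sound if that guarantee holds. Suggest stating it as the invariant relied upon, e.g. `// SAFETY: bcc_handover is only read and never stored. The BccHandoverParse contract guarantees that every pointer it returns is either NULL or points within bcc_handover, which the uses of those out-pointers below depend on.` The rest of `bcc_handover_parse`, including whatever turns those pointers into slices, is outside the hunk, so whether they are checked against the input range before use cannot be confirmed here. The same standardisation pass could also tidy the `bcc_handover_main_flow` hunk, whose moved comment still has the stray comma in `within its bounds,` followed by a capitalised `It also reads`.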
|
||||
|
@ -217,9 +217,9 @@ impl<'a> InputValues<'a> {
|
|||
/// Derives a CDI private key seed from a `cdi_attest` value.
|
||||
pub fn derive_cdi_private_key_seed(cdi_attest: &Cdi) -> Result<PrivateKeySeed> {
|
||||
let mut seed = PrivateKeySeed::default();
|
||||
// SAFETY: The function writes to the buffer within the given bounds, and only reads the
|
||||
// input values. The first argument context is not used in this function.
|
||||
check_result(
|
||||
// SAFETY: The function writes to the buffer within the given bounds, and only reads the
|
||||
// input values. The first argument context is not used in this function.
|
||||
unsafe {
|
||||
DiceDeriveCdiPrivateKeySeed(
|
||||
ptr::null_mut(), // context
|
||||
|
@ -235,9 +235,9 @@ pub fn derive_cdi_private_key_seed(cdi_attest: &Cdi) -> Result<PrivateKeySeed> {
|
|||
/// Derives an ID from the given `cdi_public_key` value.
|
||||
pub fn derive_cdi_certificate_id(cdi_public_key: &[u8]) -> Result<DiceId> {
|
||||
let mut id = [0u8; ID_SIZE];
|
||||
// SAFETY: The function writes to the buffer within the given bounds, and only reads the
|
||||
// input values. The first argument context is not used in this function.
|
||||
check_result(
|
||||
// SAFETY: The function writes to the buffer within the given bounds, and only reads the
|
||||
// input values. The first argument context is not used in this function.
|
||||
unsafe {
|
||||
DiceDeriveCdiCertificateId(
|
||||
ptr::null_mut(), // context
|
||||
|
@ -264,10 +264,10 @@ pub fn dice_main_flow(
|
|||
next_cdi_values: &mut CdiValues,
|
||||
) -> Result<usize> {
|
||||
let mut next_cdi_certificate_actual_size = 0;
|
||||
// SAFETY: The function only reads the current CDI values and inputs and writes
|
||||
// to `next_cdi_certificate` and next CDI values within its bounds.
|
||||
// The first argument can be null and is not used in the current implementation.
|
||||
check_result(
|
||||
// SAFETY: The function only reads the current CDI values and inputs and writes
|
||||
// to `next_cdi_certificate` and next CDI values within its bounds.
|
||||
// The first argument can be null and is not used in the current implementation.
|
||||
unsafe {
|
||||
DiceMainFlow(
|
||||
ptr::null_mut(), // context
|
||||
|
@ -29,9 +29,9 @@ use std::ptr;
|
|||
/// Hashes the provided input using DICE's hash function `DiceHash`.
|
||||
pub fn hash(input: &[u8]) -> Result<Hash> {
|
||||
let mut output: Hash = [0; HASH_SIZE];
|
||||
// SAFETY: DiceHash takes a sized input buffer and writes to a constant-sized output buffer.
|
||||
// The first argument context is not used in this function.
|
||||
check_result(
|
||||
// SAFETY: DiceHash takes a sized input buffer and writes to a constant-sized output buffer.
|
||||
// The first argument context is not used in this function.
|
||||
unsafe {
|
||||
DiceHash(
|
||||
ptr::null_mut(), // context
|
||||
|
@ -48,9 +48,9 @@ pub fn hash(input: &[u8]) -> Result<Hash> {
|
|||
/// An implementation of HKDF-SHA512. Derives a key of `derived_key.len()` bytes from `ikm`, `salt`,
|
||||
/// and `info`. The derived key is written to the `derived_key`.
|
||||
pub fn kdf(ikm: &[u8], salt: &[u8], info: &[u8], derived_key: &mut [u8]) -> Result<()> {
|
||||
// SAFETY: The function writes to the `derived_key`, within the given bounds, and only reads the
|
||||
// input values. The first argument context is not used in this function.
|
||||
check_result(
|
||||
// SAFETY: The function writes to the `derived_key`, within the given bounds, and only reads
|
||||
// the input values. The first argument context is not used in this function.
|
||||
unsafe {
|
||||
DiceKdf(
|
||||
ptr::null_mut(), // context
|
||||
|
@ -74,9 +74,10 @@ pub fn kdf(ikm: &[u8], salt: &[u8], info: &[u8], derived_key: &mut [u8]) -> Resu
|
|||
pub fn keypair_from_seed(seed: &[u8; PRIVATE_KEY_SEED_SIZE]) -> Result<(PublicKey, PrivateKey)> {
|
||||
let mut public_key = [0u8; PUBLIC_KEY_SIZE];
|
||||
let mut private_key = PrivateKey::default();
|
||||
// SAFETY: The function writes to the `public_key` and `private_key` within the given bounds,
|
||||
// and only reads the `seed`. The first argument context is not used in this function.
|
||||
check_result(
|
||||
// SAFETY: The function writes to the `public_key` and `private_key` within the given
|
||||
// bounds, and only reads the `seed`. The first argument context is not used in this
|
||||
// function.
|
||||
unsafe {
|
||||
DiceKeypairFromSeed(
|
||||
ptr::null_mut(), // context
|
||||
|
@ -93,9 +94,9 @@ pub fn keypair_from_seed(seed: &[u8; PRIVATE_KEY_SEED_SIZE]) -> Result<(PublicKe
|
|||
/// Signs the `message` with the give `private_key` using `DiceSign`.
|
||||
pub fn sign(message: &[u8], private_key: &[u8; PRIVATE_KEY_SIZE]) -> Result<Signature> {
|
||||
let mut signature = [0u8; SIGNATURE_SIZE];
|
||||
// SAFETY: The function writes to the `signature` within the given bounds, and only reads the
|
||||
// message and the private key. The first argument context is not used in this function.
|
||||
check_result(
|
||||
// SAFETY: The function writes to the `signature` within the given bounds, and only reads
|
||||
// the message and the private key. The first argument context is not used in this function.
|
||||
unsafe {
|
||||
DiceSign(
|
||||
ptr::null_mut(), // context
|
||||
|
@ -112,9 +113,9 @@ pub fn sign(message: &[u8], private_key: &[u8; PRIVATE_KEY_SIZE]) -> Result<Sign
|
|||
|
||||
/// Verifies the `signature` of the `message` with the given `public_key` using `DiceVerify`.
|
||||
pub fn verify(message: &[u8], signature: &Signature, public_key: &PublicKey) -> Result<()> {
|
||||
// SAFETY: only reads the messages, signature and public key as constant values.
|
||||
// The first argument context is not used in this function.
|
||||
check_result(
|
||||
// SAFETY: only reads the messages, signature and public key as constant values.
|
||||
// The first argument context is not used in this function.
|
||||
unsafe {
|
||||
DiceVerify(
|
||||
ptr::null_mut(), // context
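Review bot: The SAFETY comment moved above the `DiceVerify` call keeps its pre-existing wording `// SAFETY: only reads the messages, signature and public key as constant values.`, which is the only one in this series that starts in lowercase and says `messages` although the parameter is the single `message`. Since the commit's purpose is to standardise these comments, suggest `// SAFETY: The function only reads the message, signature and public key as constant values.` for the first line, leaving the second line (`// The first argument context is not used in this function.`) as it is. The remainder of the `DiceVerify` argument list is outside the hunk.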
|
||||
|
@ -140,9 +141,10 @@ pub fn generate_certificate(
|
|||
certificate: &mut [u8],
|
||||
) -> Result<usize> {
|
||||
let mut certificate_actual_size = 0;
|
||||
// SAFETY: The function writes to the `certificate` within the given bounds, and only reads the
|
||||
// input values and the key seeds. The first argument context is not used in this function.
|
||||
check_result(
|
||||
// SAFETY: The function writes to the `certificate` within the given bounds, and only reads
|
||||
// the input values and the key seeds. The first argument context is not used in this
|
||||
// function.
|
||||
unsafe {
|
||||
DiceGenerateCertificate(
|
||||
ptr::null_mut(), // context
|
||||
|