Uncommon: the xor_into is unsafe (doesn't do bounds checks), make tha…

…t explicit
mirage · Jun 11, 2024 · 98f01b1 · 98f01b1
1 parent 85e7809
commit 98f01b1
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 8 deletions.
diff --git a/pk/rsa.ml b/pk/rsa.ml
@@ -316,7 +316,7 @@ module MGF1 (H : Digestif.S) = struct
 
   let mask ~seed buf =
     let mgf_data = mgf ~seed (String.length buf) in
-    xor_into buf ~src_off:0 mgf_data ~dst_off:0 (String.length buf);
+    unsafe_xor_into buf ~src_off:0 mgf_data ~dst_off:0 (String.length buf);
     mgf_data
 end
 

diff --git a/src/ccm.ml b/src/ccm.ml
@@ -89,7 +89,7 @@ let crypto_core ~cipher ~mode ~key ~nonce ~maclen ~adata data =
   in
 
   let cbc iv src_off block dst_off =
-    xor_into iv ~src_off block ~dst_off block_size ;
+    unsafe_xor_into iv ~src_off block ~dst_off block_size ;
     cipher ~key (Bytes.unsafe_to_string block) ~src_off:dst_off block ~dst_off
   in
 
@@ -117,14 +117,14 @@ let crypto_core ~cipher ~mode ~key ~nonce ~maclen ~adata data =
       Bytes.unsafe_blit dst dst_off buf 0 x;
       ctrblock ctr buf ;
       Bytes.unsafe_blit buf 0 dst dst_off x ;
-      xor_into src ~src_off dst ~dst_off x ;
+      unsafe_xor_into src ~src_off dst ~dst_off x ;
       Bytes.unsafe_blit_string cbcblock cbc_off buf 0 x;
       Bytes.unsafe_fill buf x (block_size - x) '\x00';
       cbc (Bytes.unsafe_to_string buf) cbc_off iv 0 ;
       iv
     | _ ->
       ctrblock ctr dst ;
-      xor_into src ~src_off dst ~dst_off block_size ;
+      unsafe_xor_into src ~src_off dst ~dst_off block_size ;
       cbc cbcblock cbc_off iv 0 ;
       loop iv (succ ctr) src (src_off + block_size) dst (dst_off + block_size)
   in
@@ -135,7 +135,7 @@ let crypto_core ~cipher ~mode ~key ~nonce ~maclen ~adata data =
 let crypto_t t nonce cipher key =
   let ctr = gen_ctr nonce 0 in
   cipher ~key (Bytes.unsafe_to_string ctr) ~src_off:0 ctr ~dst_off:0 ;
-  xor_into (Bytes.unsafe_to_string ctr) ~src_off:0 t ~dst_off:0 (Bytes.length t)
+  unsafe_xor_into (Bytes.unsafe_to_string ctr) ~src_off:0 t ~dst_off:0 (Bytes.length t)
 
 let valid_nonce nonce =
   let nsize = String.length nonce in

diff --git a/src/mirage_crypto.mli b/src/mirage_crypto.mli
@@ -35,7 +35,7 @@ module Uncommon : sig
   val iter3 : 'a -> 'a -> 'a -> ('a -> unit) -> unit
 
   val xor : string -> string -> string
-  val xor_into : string -> src_off:int -> bytes -> dst_off:int -> int -> unit
+  val unsafe_xor_into : string -> src_off:int -> bytes -> dst_off:int -> int -> unit
 
   val invalid_arg : ('a, Format.formatter, unit, unit, unit, 'b) format6 -> 'a
 end

diff --git a/src/uncommon.ml b/src/uncommon.ml
@@ -17,11 +17,11 @@ type 'a iter = ('a -> unit) -> unit
 let iter2 a b   f = f a; f b
 let iter3 a b c f = f a; f b; f c
 
-let xor_into src ~src_off dst ~dst_off n =
+let unsafe_xor_into src ~src_off dst ~dst_off n =
   Native.xor_into_bytes src src_off dst dst_off n
 
 let xor a b =
   assert (String.length a = String.length b);
   let b' = Bytes.of_string b in
-  xor_into a ~src_off:0 b' ~dst_off:0 (Bytes.length b');
+  unsafe_xor_into a ~src_off:0 b' ~dst_off:0 (Bytes.length b');
   Bytes.unsafe_to_string b'