Generate dummy mlkem bindings if mlkem.h is missing#471
Generate dummy mlkem bindings if mlkem.h is missing#471
Conversation
boring-sys/src/mlkem_dummy.rs
Outdated
|
|
||
| fn fail() { | ||
| unsafe { | ||
| ERR_put_error( |
There was a problem hiding this comment.
This only records an error, right? Doesn't halt the execution.
There was a problem hiding this comment.
Yeah. I've renamed it to just put_error.
There was a problem hiding this comment.
Shouldn't we panic and halt execution to prevent the thing you worried about?
There was a problem hiding this comment.
The void functions I'm worried about panic via unimplemented!(), which will halt the execution one way or another (unwind or abort). Other functions that can report errors do it in the normal way by pushing an error on the stack and returning a failure code (these functions are documented to return 1 on success and 0 otherwise). I wanted this to be most gracefully-degrading as possible.
kornelski
force-pushed
the
dummy-mlkem
branch
4 times, most recently
from
36a547e to
fb69e23
Compare
kornelski
force-pushed
the
dummy-mlkem
branch
from
fb69e23 to
d636b97
Compare
boring-sys/src/mlkem_dummy.rs
Outdated
| _seed: *const u8, | ||
| _seed_len: usize, | ||
| ) -> ::std::os::raw::c_int { | ||
| put_error(); |
There was a problem hiding this comment.
We should panic here too because MLKEM1024_private_key_from_seed doesn't error if you give it the right parameters and so an error check could be omitted.
There was a problem hiding this comment.
Sigh, another C API being one cut corner away from UB and vulnerabilities. I've slapped abort() on all of them.
boring-sys/src/mlkem_dummy.rs
Outdated
| _ciphertext_len: usize, | ||
| _private_key: *const MLKEM1024_private_key, | ||
| ) -> ::std::os::raw::c_int { | ||
| put_error(); |
boring-sys/src/mlkem_dummy.rs
Outdated
| _seed_len: usize, | ||
| ) -> ::std::os::raw::c_int { | ||
| put_error(); | ||
| 0 |
boring-sys/src/mlkem_dummy.rs
Outdated
| _private_key: *const MLKEM768_private_key, | ||
| ) -> ::std::os::raw::c_int { | ||
| put_error(); | ||
| 0 |
boring-sys/src/mlkem_dummy.rs
Outdated
| public_key: *const MLKEM768_public_key, | ||
| ) -> ::std::os::raw::c_int { | ||
| put_error(); | ||
| 0 |
boring-sys/src/mlkem_dummy.rs
Outdated
| public_key: *const MLKEM1024_public_key, | ||
| ) -> ::std::os::raw::c_int { | ||
| put_error(); | ||
| 0 |
kornelski
force-pushed
the
dummy-mlkem
branch
from
d636b97 to
d3fb091
Compare
kornelski
force-pushed
the
dummy-mlkem
branch
from
d3fb091 to
b8a20c8
Compare
2 participants
Includes #470
If C lacks MLKEM APIs, and the
mlkemCargo feature isn't requiring a real MLKEM support,boring-syswill inject an always-failing fallback to allow Rust bindings to fail at run time instead of compile time.It uses a glob to add the fallback, because Rust always prefers real definitions over globs, so the real definitions will be used if they're available.