[PATCH] crypto/vmac: adjust for Misra C:2012 rule 17.5

Jan Beulich posted 1 patch 2 weeks, 2 days ago
[PATCH] crypto/vmac: adjust for Misra C:2012 rule 17.5
Posted by Jan Beulich 2 weeks, 2 days ago
... ("The function argument corresponding to a parameter declared to have
an array type shall have an appropriate number of elements"). Instead of
casts, (ab)use unions.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
https://gitlab.com/xen-project/hardware/xen-staging/-/jobs/14354119193
(also covering the 20.12 patch)

There are also two cautions (in vmac()), which aren't dealt with for now.

--- a/xen/crypto/vmac.c
+++ b/xen/crypto/vmac.c
@@ -926,41 +926,41 @@ uint64_t vmac(unsigned char m[],
 
 void vmac_set_key(const unsigned char user_key[], vmac_ctx_t *ctx)
 {
-    uint64_t in[2] = {0}, out[2];
+    union {
+        uint64_t q[2];
+        uint8_t b[16];
+    } in, out;
     unsigned i;
     aes_key_setup(user_key, &ctx->cipher_key);
     
     /* Fill nh key */
-    ((unsigned char *)in)[0] = 0x80; 
+    in = (typeof(in)){ .b[0] = 0x80 };
     for (i = 0; i < sizeof(ctx->nhkey)/8; i+=2) {
-        aes_encryption((unsigned char *)in, (unsigned char *)out,
-                                                         &ctx->cipher_key);
-        ctx->nhkey[i  ] = get64BE(out);
-        ctx->nhkey[i+1] = get64BE(out+1);
-        ((unsigned char *)in)[15] += 1;
+        aes_encryption(in.b, out.b, &ctx->cipher_key);
+        ctx->nhkey[i  ] = get64BE(out.q);
+        ctx->nhkey[i+1] = get64BE(out.q + 1);
+        in.b[15] += 1;
     }
 
     /* Fill poly key */
-    ((unsigned char *)in)[0] = 0xC0; 
-    in[1] = 0;
+    in.b[0] = 0xC0;
+    in.q[1] = 0;
     for (i = 0; i < sizeof(ctx->polykey)/8; i+=2) {
-        aes_encryption((unsigned char *)in, (unsigned char *)out,
-                                                         &ctx->cipher_key);
-        ctx->polytmp[i  ] = ctx->polykey[i  ] = get64BE(out) & mpoly;
-        ctx->polytmp[i+1] = ctx->polykey[i+1] = get64BE(out+1) & mpoly;
-        ((unsigned char *)in)[15] += 1;
+        aes_encryption(in.b, out.b, &ctx->cipher_key);
+        ctx->polytmp[i  ] = ctx->polykey[i  ] = get64BE(out.q) & mpoly;
+        ctx->polytmp[i+1] = ctx->polykey[i+1] = get64BE(out.q + 1) & mpoly;
+        in.b[15] += 1;
     }
 
     /* Fill ip key */
-    ((unsigned char *)in)[0] = 0xE0;
-    in[1] = 0;
+    in.b[0] = 0xE0;
+    in.q[1] = 0;
     for (i = 0; i < sizeof(ctx->l3key)/8; i+=2) {
         do {
-            aes_encryption((unsigned char *)in, (unsigned char *)out,
-                                                         &ctx->cipher_key);
-            ctx->l3key[i  ] = get64BE(out);
-            ctx->l3key[i+1] = get64BE(out+1);
-            ((unsigned char *)in)[15] += 1;
+            aes_encryption(in.b, out.b, &ctx->cipher_key);
+            ctx->l3key[i  ] = get64BE(out.q);
+            ctx->l3key[i+1] = get64BE(out.q + 1);
+            in.b[15] += 1;
         } while (ctx->l3key[i] >= p64 || ctx->l3key[i+1] >= p64);
     }
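
Review bot: In the "Fill nh key" step, `in = (typeof(in)){ .b[0] = 0x80 };` is the only place this hunk uses a compound literal, and it now has to do the zeroing that the removed `= {0}` initializer did, while the poly and ip key steps use plain `in.b[0] = ...; in.q[1] = 0;`. Keeping an initializer on the union declaration and writing `in.b[0] = 0x80;` would make all three steps read the same and avoid `typeof` on an anonymous union. A short comment on the union would also help: it is there so that aes_encryption() is handed 16-element byte arrays (`in.b`, `out.b`) while get64BE() still receives `uint64_t` pointers (`out.q`, `out.q + 1`), and the commit message does not name aes_encryption() as the call the rule is reported against.
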
Re: [PATCH] crypto/vmac: adjust for Misra C:2012 rule 17.5
Posted by Andrew Cooper 2 weeks, 1 day ago
On 13/05/2026 4:51 pm, Jan Beulich wrote:
> ... ("The function argument corresponding to a parameter declared to have
> an array type shall have an appropriate number of elements"). Instead of
> casts, (ab)use unions.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

The Rule 17.5 violations aren't reported against this function.  They
look to be addressed by one of your other patches.

Which rules is this addressing?  I can't locate anything referencing
this function.

~Andrew

Re: [PATCH] crypto/vmac: adjust for Misra C:2012 rule 17.5
Posted by Jan Beulich 2 weeks, 1 day ago
On 14.05.2026 20:07, Andrew Cooper wrote:
> On 13/05/2026 4:51 pm, Jan Beulich wrote:
>> ... ("The function argument corresponding to a parameter declared to have
>> an array type shall have an appropriate number of elements"). Instead of
>> casts, (ab)use unions.
>>
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> 
> The Rule 17.5 violations aren't reported against this function.

The report is against uses of aes_encryption() from this function.

>  They look to be addressed by one of your other patches.

I don't think so. That other patch is independent.

> Which rules is this addressing?  I can't locate anything referencing
> this function.

It's still very much 17.5, which the job runs also confirm (the other patch
didn't eliminate the violations here, while this patch does).

Jan

Re: [PATCH] crypto/vmac: adjust for Misra C:2012 rule 17.5
Posted by Andrew Cooper 1 week, 1 day ago
On 15/05/2026 7:32 am, Jan Beulich wrote:
> On 14.05.2026 20:07, Andrew Cooper wrote:
>> On 13/05/2026 4:51 pm, Jan Beulich wrote:
>>> ... ("The function argument corresponding to a parameter declared to have
>>> an array type shall have an appropriate number of elements"). Instead of
>>> casts, (ab)use unions.
>>>
>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>> The Rule 17.5 violations aren't reported against this function.
> The report is against uses of aes_encryption() from this function.

Oh, that's very well hidden in the report.  Both the top and bottom of
it say rijndaelEncrypt().

> --- a/xen/crypto/vmac.c
> +++ b/xen/crypto/vmac.c
> @@ -926,41 +926,41 @@ uint64_t vmac(unsigned char m[],
>  
>  void vmac_set_key(const unsigned char user_key[], vmac_ctx_t *ctx)
>  {
> -    uint64_t in[2] = {0}, out[2];
> +    union {
> +        uint64_t q[2];
> +        uint8_t b[16];
> +    } in, out;
>      unsigned i;
>      aes_key_setup(user_key, &ctx->cipher_key);
>      
>      /* Fill nh key */
> -    ((unsigned char *)in)[0] = 0x80; 
> +    in = (typeof(in)){ .b[0] = 0x80 };

typeof like this is not good for legibility.

In this case, I'd prefer to keep the "} in = {}, out;" pattern from
before, and this line be a direct translation like the others in the file.

With that, Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>