Re: [RFC PATCH] libcrypto/chachapoly: Use strict typing for fixed size array arguments

["Jason A. Donenfeld" <Jason@zx2c4.com>]

On Fri, Nov 14, 2025 at 07:07:07PM +0100, Ard Biesheuvel wrote:
> void xchacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
>                                const u8 *ad, const size_t ad_len,
>                                const u8 (*nonce)[XCHACHA20POLY1305_NONCE_SIZE],
>                                const u8 (*key)[CHACHA20POLY1305_KEY_SIZE])
> 
> However, this variant is checked more strictly by the compiler, and only
> arrays of the correct size are accepted as plain arguments (using the &
> operator), and so inadvertent mixing up of arguments or passing buffers
> of an incorrect size will trigger an error at build time.

Interesting idea! And codegen is the same, you say?

There's another variant of this that doesn't change callsites and keeps
the single pointer, which more accurate reflects what the function does:

void xchacha20poly1305_encrypt(u8 *dst, const u8 *src, const size_t src_len,
                               const u8 *ad, const size_t ad_len,
                               const u8 nonce[static XCHACHA20POLY1305_NONCE_SIZE],
                               const u8 key[static CHACHA20POLY1305_KEY_SIZE])

An obscure use of the `static` keyword, but this is what it's used for -
telling the compiler what size you expect the object to be. Last time I
investigated this, only clang respected it, but now it looks like gcc
does too:

    zx2c4@thinkpad /tmp $ cat a.c
    
    void blah(unsigned char herp[static 7]);
    
    static void schma(void)
    {
        unsigned char good[] = { 1, 2, 3, 4, 5, 6, 7 };
        unsigned char bad[] = { 1, 2, 3, 4, 5, 6 };
        blah(good);
        blah(bad);
    }
    zx2c4@thinkpad /tmp $ gcc -c a.c
    a.c: In function ‘schma’:
    a.c:9:9: warning: ‘blah’ accessing 7 bytes in a region of size 6 [-Wstringop-overflow=]
        9 |         blah(bad);
          |         ^~~~~~~~~
    a.c:9:9: note: referencing argument 1 of type ‘unsigned char[7]’
    a.c:2:6: note: in a call to function ‘blah’
        2 | void blah(unsigned char herp[static 7]);
          |      ^~~~
    zx2c4@thinkpad /tmp $ clang -c a.c
    a.c:9:2: warning: array argument is too small; contains 6 elements, callee requires at least 7
          [-Warray-bounds]
        9 |         blah(bad);
          |         ^    ~~~
    a.c:2:25: note: callee declares array parameter as static here
        2 | void blah(unsigned char herp[static 7]);
          |                         ^   ~~~~~~~~~~
    1 warning generated.


This doesn't account for buffers that are oversize -- the less dangerous
case -- but maybe that's fine, to keep "normal" semantics of function
calls and still get some checking? And adding `static` a bunch of places
is easy. It could apply much wider than just chapoly.

This all makes me wish we had NT's SAL notations though...

Jason