Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix: Remove the MPI constructor which may be misused #410

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

fix: Remove the MPI constructor which may be misused #410

wants to merge 2 commits into from

Conversation

@wiktor-k
Copy link
Contributor

This patch removes the MPI constructor which may be used to construct invalid MPIs. It also adjusts the From<u8> implementation to use a safe variant.

@hko-s please see if this is what we discussed. Thanks!

Fixes: #401

dignifiedquire
dignifiedquire reviewed Sep 18, 2024
View reviewed changes
src/types/mpi.rs Outdated
}
}

impl From<&[u8]> for Mpi {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we should remove this entirely and force direct calls instead

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also this is problematic, as this now behaves differently to From<Vec<u8>> as well as the From variants for MpiRef

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's a good idea to remove both Froms since it's not a simple conversion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removing all From implementations sounds potentially right to me. We could try out how that would look, in this PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe all is a bit too much since there are many (e.g. for BigUint). The other approach would be having from_slice but inside stripping leading zeros (basically renaming from_raw_slice to from_slice).

@wiktor-k wiktor-k force-pushed the wiktor/main-make-mpi-safe branch 2 times, most recently from aad6906 to d49807a Compare September 18, 2024 10:38
dignifiedquire
dignifiedquire approved these changes Sep 18, 2024
View reviewed changes
Copy link
Member

@dignifiedquire dignifiedquire left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is a good start, we can always remove/change more in follow ups

@wiktor-k
Copy link
Contributor Author

this is a good start, we can always remove/change more in follow ups

I'm wondering about two further changes here:

  • rename Mpi::from_raw_slice to Mpi::from_slice since it sounds more idiomatic and the name is free now :)
  • make MpiRef::from_slice internally apply strip_leading_zeros to the input.

The docs of both Mpi and MpiRef both indicate that "The inner value is ready to be serialized, without the need to strip leading zeros" and making that constructor strip it, it would ensure that this invariant always holds.

If that doesn't sound like a good idea I'd propose alternative design: documenting that MpiRef::from_slice MUST be called with trailing zeros stripped (to preserve the docs invariant).

@hko-s
Copy link
Contributor

hko-s commented Sep 18, 2024

this is a good start, we can always remove/change more in follow ups

I'm wondering about two further changes here:

* rename `Mpi::from_raw_slice` to `Mpi::from_slice` since it sounds more idiomatic and the name is free now :)

* make `MpiRef::from_slice` internally apply `strip_leading_zeros` to the input.

The docs of both Mpi and MpiRef both indicate that "The inner value is ready to be serialized, without the need to strip leading zeros" and making that constructor strip it, it would ensure that this invariant always holds.

If that doesn't sound like a good idea I'd propose alternative design: documenting that MpiRef::from_slice MUST be called with trailing zeros stripped (to preserve the docs invariant).

I like the idea to make the Mpi type guarantee this invariant (and documenting it in the API docs).
Removing the "unchecked" constructors sounds very attractive to me.

Alternatively: keeping unchecked constructors around, but giving them scarier names, possibly limiting their visibility in the API, and documenting what expectations these put on the caller sounds acceptable to me as well.

(I'm not super worried about the performance of always checking, but we could compare benchmark results of always checking in all Mpi constructors?)

@wiktor-k
fix: Make the Mpi::from_slice and MpiRef::from_slice safe
d4102cc 
This patch adjusts the MPI constructors to always strip leading zeros
so that they are always valid after construction.

Fixes: rpgp#401
Signed-off-by: Wiktor Kwapisiewicz <[email protected]>
@wiktor-k wiktor-k force-pushed the wiktor/main-make-mpi-safe branch from d49807a to d4102cc Compare September 19, 2024 12:00
@hko-s hko-s mentioned this pull request Sep 23, 2024
Merged
@hko-s
Copy link
Contributor

hko-s commented Sep 23, 2024

(Closing this in favor of #416, to steal ~50% of the glory from @wiktor-k)

@hko-s hko-s closed this Sep 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hko-s hko-s hko-s left review comments

@dignifiedquire dignifiedquire dignifiedquire approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

MPI interface is too easy to misuse

3 participants

@wiktor-k @hko-s @dignifiedquire