Mirage_crypto_rng.generate_into: adjust docstring; Generator.generate…

…_into: emit unsafe warning
mirage · Jan 7, 2025 · 5919c92 · 5919c92
1 parent fafabab
commit 5919c92
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/rng/mirage_crypto_rng.mli b/rng/mirage_crypto_rng.mli
@@ -169,10 +169,13 @@ module type Generator = sig
   (** Create a new, unseeded {{!g}g}. *)
 
   val generate_into : g:g -> bytes -> off:int -> int -> unit
+  [@@alert unsafe "Does not do bounds checks. Use Mirage_crypto_rng.generate_into instead."]
   (** [generate_into ~g buf ~off n] produces [n] uniformly distributed random
       bytes into [buf] at offset [off], updating the state of [g].
 
-      @raise Invalid_argument if buffer is too small (it must be: Bytes.length buf - off >= n)
+      Assumes that [buf] is at least [off + n] bytes long. Also assumes that
+      [off] and [n] are positive integers. Caution: do not use in your
+      application, use [Mirage_crypto_rng.generate_into] instead.
   *)
 
   val reseed : g:g -> string -> unit
@@ -246,7 +249,11 @@ val generate_into : ?g:g -> bytes -> ?off:int -> int -> unit
 (** [generate_into ~g buf ~off len] invokes
     {{!Generator.generate_into}generate_into} on [g] or
     {{!generator}default generator}. The random data is put into [buf] starting
-    at [off] (defaults to 0) with [len] bytes. *)
+    at [off] (defaults to 0) with [len] bytes.
+
+    @raise Invalid_argument if buffer is too small (it must be: [Bytes.length
+      buf - off >= n]) or [off] or [n] are negative.
+*)
 
 val generate : ?g:g -> int -> string
 (** Invoke {!generate_into} on [g] or {{!generator}default generator} and a

diff --git a/rng/rng.ml b/rng/rng.ml
@@ -42,6 +42,7 @@ module type Generator = sig
   val block : int
   val create : ?time:(unit -> int64) -> unit -> g
   val generate_into : g:g -> bytes -> off:int -> int -> unit
+  [@@alert unsafe "Does not do bounds checks. Use Mirage_crypto_rng.generate_into instead."]
   val reseed : g:g -> string -> unit
   val accumulate : g:g -> source -> [`Acc of string -> unit]
   val seeded : g:g -> bool
@@ -78,7 +79,9 @@ let generate_into ?(g = default_generator ()) b ?(off = 0) n =
                  string_of_int n);
   if Bytes.length b - off < n then
     invalid_arg "buffer too short";
-  M.generate_into ~g b ~off n
+  begin[@alert "-unsafe"]
+    M.generate_into ~g b ~off n
+  end
 
 let generate ?g n =
   let data = Bytes.create n in