Make integer downsizing explicit
Reassure both humans and compilers that the places where we assign an
integer to a smaller type are safe.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
index d740960..feedbb5 100644
--- a/library/psa_crypto_slot_management.c
+++ b/library/psa_crypto_slot_management.c
@@ -116,7 +116,12 @@
static psa_key_id_t volatile_key_id_of_index(size_t slice_idx,
size_t slot_idx)
{
- return 0x40000000u | (slice_idx << KEY_ID_SLOT_INDEX_WIDTH) | slot_idx;
+ /* We assert above that the slice and slot indexes fit in separate
+ * bit-fields inside psa_key_id_t, which is a 32-bit type per the
+ * PSA Cryptography specification. */
+ return (psa_key_id_t) (0x40000000u |
+ (slice_idx << KEY_ID_SLOT_INDEX_WIDTH) |
+ slot_idx);
}
/* Calculate the slice containing the given volatile key.
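Review bot: The `(psa_key_id_t)` cast on the new return silences the narrowing warning but also silently discards any high bits, so its safety rests entirely on the assertion the comment says is "above", which is outside this hunk and cannot be checked here. Since `slice_idx` and `slot_idx` are `size_t`, the OR/shift is evaluated at 64 bits on most targets and a caller passing an out-of-range index would produce a corrupted key id rather than a diagnostic. I would make the comment name the invariant it relies on instead of pointing "above", e.g. `/* Callers guarantee slot_idx < 2^KEY_ID_SLOT_INDEX_WIDTH and slice_idx small enough that the OR below stays within the 32-bit volatile key id range (asserted statically where the slice layout is defined); the cast only narrows an already in-range value. */`, and, if this file has a debug-only assertion hook, guard `slot_idx < ((size_t) 1 << KEY_ID_SLOT_INDEX_WIDTH)` in front of the return. The hard-coded `0x40000000u` would also read better as the named volatile-key-id base constant, if the headers in scope provide one.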
@@ -529,7 +534,8 @@
}
*p_slot = slot;
- slot->slice_index = slice_idx;
+ /* We assert at compile time that the slice index fits in uint8_t. */
+ slot->slice_index = (uint8_t) slice_idx;
return PSA_SUCCESS;
}
@@ -566,7 +572,8 @@
next_free = key_slice_length(slice_idx);
}
global_data.first_free_slot_index[slice_idx] = slot_idx;
- slot->var.free.next_free_relative_to_next = next_free - slot_idx - 1;
+ slot->var.free.next_free_relative_to_next =
+ (int32_t) next_free - (int32_t) slot_idx - 1;
return PSA_SUCCESS;
}
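Review bot: The new `(int32_t) next_free - (int32_t) slot_idx - 1` is the one narrowing in this commit that carries no justification, whereas the other two hunks explain which assertion makes their cast safe. Converting a `size_t` above `INT32_MAX` to `int32_t` is implementation-defined, so this is only safe if slice lengths (and hence `next_free` and `slot_idx`) are bounded well below 2^31; that bound is not visible in the hunk. I would add the same style of comment, e.g. `/* Slice lengths are far below INT32_MAX (see the slice size definitions), so both operands fit in int32_t and the difference cannot overflow. */`, ideally backed by a static assertion on the maximum slice length next to where it is defined. If the intent is that `next_free` is always strictly greater than `slot_idx`, say so too, since otherwise the field can legitimately go negative and readers need to know whether that is expected. The enclosing function starts outside this hunk.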