Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Saturday December 02 2017, @01:48PM   Printer-friendly
from the see-what-we-did-there? dept.

https://www.cossacklabs.com/blog/macros-in-crypto-c-code.html

Like death and taxes, one thing that you can be sure of is that using C macros in a modern software project will cause a debate. While for some macros remain a convenient and efficient way of achieving particular programming goals, for others they are opaque, introduce the unnecessary risk of coding errors, and reduce readability.

The criticism of macros is particularly acute in the wider security community. Among Cossack Labs' engineers and the core Themis crypto library contributors there are people who previously worked on auditing cryptographic implementations of critical code. Their typical knee-jerk reaction to macros was always "kill it with fire and never use it again". Taking no sides, we would like to assess both pros and cons of using such dangerous things as macros in security code (as we faced the issue when developing Themis) and suggest some techniques for lowering the accompanying risks.

We'll also discuss a custom "for-audit" build target for Themis designed specifically to generate source code that exposes the macros to inspection because we appreciate the need for security software to be subject to detailed source code scrutiny.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by tonyPick on Saturday December 02 2017, @04:03PM (1 child)

    by tonyPick (1237) on Saturday December 02 2017, @04:03PM (#604312) Homepage Journal

    it would be easy enough to replace one with an inline function in many cases but you'd still have to code hop to the function definition to read it so I don't see that it would help the readability hugely.

    Playing devils advocate (even though I agree with your general point), one issue is that functions are easier to reason about than macros in C, since function calls will always be pass by value, but macro implementations can change argument values in place in unexpected ways, or create shadow variables which lead to unexpected/incorrect results.

    Quick example would be mixing postfix operators with macros: something like" #define SQUARE(x) ((x)*(x))" Can be passed "SQUARE(x++)" which expands as "(x++) * (x++)" - x gets incremented twice, rather than once, and the result will probably not be what you expect. You can't make this mistake with a function call.

    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 4, Informative) by Pino P on Saturday December 02 2017, @11:57PM

    by Pino P (4721) on Saturday December 02 2017, @11:57PM (#604469) Journal

    Can be passed "SQUARE(x++)" which expands as "(x++) * (x++)" - x gets incremented twice, rather than once

    No, that's undefined behavior because the two uses of ++ are unsequenced [wikipedia.org]. A high-quality compiler ought to emit a diagnostic for easily detectable undefined behaviors such as this.