Resolve -Wconversion and -Wsign-conversion warnings

This commit enables additional warnings (-Wconversion, -Wsign-conversions)
requiring more explicit casts.
All of those casts should already be safe as checked by CBMC.

Resolves #543

Signed-off-by: Matthias J. Kannwischer <[email protected]>

Author: mkannwischer

examples/basic/Makefile

@@ -59,6 +59,8 @@ CFLAGS := \
 	-Werror \
 	-Wpointer-arith \
 	-Wredundant-decls \
+	-Wconversion \
+	-Wsign-conversion \
 	-Wno-long-long \
 	-Wno-unknown-pragmas \
 	-Wno-unused-command-line-argument \

mldsa/fips202/fips202.c

@@ -94,9 +94,12 @@ __contract__(
     mld_keccakf1600_permute(s);
     pos = 0;
   }
-  mld_keccakf1600_xor_bytes(s, in, pos, inlen);
+  /* Safety: At this point, inlen < r, so the truncation to unsigned is safe. */
+  mld_keccakf1600_xor_bytes(s, in, pos, (unsigned)inlen);
 
-  return pos + inlen;
+  /* Safety: At this point, inlen < r and pos <= r so the truncation to unsigned
+   * is safe. */
+  return (unsigned)(pos + inlen);
 }
 
 /*************************************************
@@ -177,7 +180,8 @@ __contract__(
       mld_keccakf1600_permute(s);
       pos = 0;
     }
-    i = bytes_to_go < r - pos ? bytes_to_go : r - pos;
+    /* Safety: If bytes_to_go < r - pos, truncation to unsigned is safe. */
+    i = bytes_to_go < r - pos ? (unsigned)bytes_to_go : r - pos;
     mld_keccakf1600_extract_bytes(s, out + out_offset, pos, i);
     bytes_to_go -= i;
     pos += i;

mldsa/fips202/fips202x4.c

@@ -53,19 +53,21 @@ __contract__(
     inlen -= r;
   }
 
+  /* Safety: At this point, inlen < r, so the truncations to unsigned are safe
+   * below. */
   if (inlen > 0)
   {
-    mld_keccakf1600x4_xor_bytes(s, in0, in1, in2, in3, 0, inlen);
+    mld_keccakf1600x4_xor_bytes(s, in0, in1, in2, in3, 0, (unsigned)inlen);
   }
 
   if (inlen == r - 1)
   {
     p |= 128;
-    mld_keccakf1600x4_xor_bytes(s, &p, &p, &p, &p, inlen, 1);
+    mld_keccakf1600x4_xor_bytes(s, &p, &p, &p, &p, (unsigned)inlen, 1);
   }
   else
   {
-    mld_keccakf1600x4_xor_bytes(s, &p, &p, &p, &p, inlen, 1);
+    mld_keccakf1600x4_xor_bytes(s, &p, &p, &p, &p, (unsigned)inlen, 1);
     p = 128;
     mld_keccakf1600x4_xor_bytes(s, &p, &p, &p, &p, r - 1, 1);
   }

mldsa/native/aarch64/meta.h

@@ -54,14 +54,16 @@ static MLD_INLINE int mld_rej_uniform_native(int32_t *r, unsigned len,
   {
     return -1;
   }
+
+  /* Safety: outlen is at most MLDSA_N, hence, this cast is safe. */
   return (int)mld_rej_uniform_asm(r, buf, buflen, mld_rej_uniform_table);
 }
 
 static MLD_INLINE int mld_rej_uniform_eta2_native(int32_t *r, unsigned len,
                                                   const uint8_t *buf,
                                                   unsigned buflen)
 {
-  int outlen;
+  unsigned int outlen;
   /* AArch64 implementation assumes specific buffer lengths */
   if (len != MLDSA_N || buflen != MLD_AARCH64_REJ_UNIFORM_ETA2_BUFLEN)
   {
@@ -75,17 +77,17 @@ static MLD_INLINE int mld_rej_uniform_eta2_native(int32_t *r, unsigned len,
    * We declassify prior the input data and mark the outputs as secret.
    */
   MLD_CT_TESTING_DECLASSIFY(buf, buflen);
-  outlen =
-      (int)mld_rej_uniform_eta2_asm(r, buf, buflen, mld_rej_uniform_eta_table);
+  outlen = mld_rej_uniform_eta2_asm(r, buf, buflen, mld_rej_uniform_eta_table);
   MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * outlen);
-  return outlen;
+  /* Safety: outlen is at most MLDSA_N and, hence, this cast is safe. */
+  return (int)outlen;
 }
 
 static MLD_INLINE int mld_rej_uniform_eta4_native(int32_t *r, unsigned len,
                                                   const uint8_t *buf,
                                                   unsigned buflen)
 {
-  int outlen;
+  unsigned int outlen;
   /* AArch64 implementation assumes specific buffer lengths */
   if (len != MLDSA_N || buflen != MLD_AARCH64_REJ_UNIFORM_ETA4_BUFLEN)
   {
@@ -99,10 +101,10 @@ static MLD_INLINE int mld_rej_uniform_eta4_native(int32_t *r, unsigned len,
    * We declassify prior the input data and mark the outputs as secret.
    */
   MLD_CT_TESTING_DECLASSIFY(buf, buflen);
-  outlen =
-      (int)mld_rej_uniform_eta4_asm(r, buf, buflen, mld_rej_uniform_eta_table);
+  outlen = mld_rej_uniform_eta4_asm(r, buf, buflen, mld_rej_uniform_eta_table);
   MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * outlen);
-  return outlen;
+  /* Safety: outlen is at most MLDSA_N and, hence, this cast is safe. */
+  return (int)outlen;
 }
 
 static MLD_INLINE void mld_poly_decompose_32_native(int32_t *a1, int32_t *a0,

mldsa/native/aarch64/src/polyz_unpack_table.c

@@ -14,17 +14,17 @@
 /* Table of indices used for tbl instructions in polyz_unpack_{17,19}. */
 
 MLD_ALIGN const uint8_t mld_polyz_unpack_17_indices[] = {
-    0,  1,  2,  -1, 2,  3,  4,  -1, 4,  5,  6,  -1, 6,  7,  8,  -1,
-    9,  10, 11, -1, 11, 12, 13, -1, 13, 14, 15, -1, 15, 16, 17, -1,
-    2,  3,  4,  -1, 4,  5,  6,  -1, 6,  7,  8,  -1, 8,  9,  10, -1,
-    11, 12, 13, -1, 13, 14, 15, -1, 15, 16, 17, -1, 17, 18, 19, -1,
+    0,  1,  2,  255, 2,  3,  4,  255, 4,  5,  6,  255, 6,  7,  8,  255,
+    9,  10, 11, 255, 11, 12, 13, 255, 13, 14, 15, 255, 15, 16, 17, 255,
+    2,  3,  4,  255, 4,  5,  6,  255, 6,  7,  8,  255, 8,  9,  10, 255,
+    11, 12, 13, 255, 13, 14, 15, 255, 15, 16, 17, 255, 17, 18, 19, 255,
 };
 
 MLD_ALIGN const uint8_t mld_polyz_unpack_19_indices[] = {
-    0,  1,  2,  -1, 2,  3,  4,  -1, 5,  6,  7,  -1, 7,  8,  9,  -1,
-    10, 11, 12, -1, 12, 13, 14, -1, 15, 16, 17, -1, 17, 18, 19, -1,
-    4,  5,  6,  -1, 6,  7,  8,  -1, 9,  10, 11, -1, 11, 12, 13, -1,
-    14, 15, 16, -1, 16, 17, 18, -1, 19, 20, 21, -1, 21, 22, 23, -1,
+    0,  1,  2,  255, 2,  3,  4,  255, 5,  6,  7,  255, 7,  8,  9,  255,
+    10, 11, 12, 255, 12, 13, 14, 255, 15, 16, 17, 255, 17, 18, 19, 255,
+    4,  5,  6,  255, 6,  7,  8,  255, 9,  10, 11, 255, 11, 12, 13, 255,
+    14, 15, 16, 255, 16, 17, 18, 255, 19, 20, 21, 255, 21, 22, 23, 255,
 };
 
 #else /* MLD_ARITH_BACKEND_AARCH64 && !MLD_CONFIG_MULTILEVEL_NO_SHARED */

mldsa/native/x86_64/meta.h

@@ -59,14 +59,15 @@ static MLD_INLINE int mld_rej_uniform_native(int32_t *r, unsigned len,
     return -1;
   }
 
+  /* Safety: outlen is at most MLDSA_N and, hence, this cast is safe. */
   return (int)mld_rej_uniform_avx2(r, buf);
 }
 
 static MLD_INLINE int mld_rej_uniform_eta2_native(int32_t *r, unsigned len,
                                                   const uint8_t *buf,
                                                   unsigned buflen)
 {
-  int outlen;
+  unsigned int outlen;
   /* AVX2 implementation assumes specific buffer lengths */
   if (len != MLDSA_N || buflen != MLD_AVX2_REJ_UNIFORM_ETA2_BUFLEN)
   {
@@ -81,16 +82,17 @@ static MLD_INLINE int mld_rej_uniform_eta2_native(int32_t *r, unsigned len,
    * We declassify prior the input data and mark the outputs as secret.
    */
   MLD_CT_TESTING_DECLASSIFY(buf, buflen);
-  outlen = (int)mld_rej_uniform_eta2_avx2(r, buf);
+  outlen = mld_rej_uniform_eta2_avx2(r, buf);
   MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * outlen);
-  return outlen;
+  /* Safety: outlen is at most MLDSA_N and, hence, this cast is safe. */
+  return (int)outlen;
 }
 
 static MLD_INLINE int mld_rej_uniform_eta4_native(int32_t *r, unsigned len,
                                                   const uint8_t *buf,
                                                   unsigned buflen)
 {
-  int outlen;
+  unsigned int outlen;
   /* AVX2 implementation assumes specific buffer lengths */
   if (len != MLDSA_N || buflen != MLD_AVX2_REJ_UNIFORM_ETA4_BUFLEN)
   {
@@ -105,9 +107,10 @@ static MLD_INLINE int mld_rej_uniform_eta4_native(int32_t *r, unsigned len,
    * We declassify prior the input data and mark the outputs as secret.
    */
   MLD_CT_TESTING_DECLASSIFY(buf, buflen);
-  outlen = (int)mld_rej_uniform_eta4_avx2(r, buf);
+  outlen = mld_rej_uniform_eta4_avx2(r, buf);
   MLD_CT_TESTING_SECRET(r, sizeof(int32_t) * outlen);
-  return outlen;
+  /* Safety: outlen is at most MLDSA_N and, hence, this cast is safe. */
+  return (int)outlen;
 }
 
 static MLD_INLINE void mld_poly_decompose_32_native(int32_t *a1, int32_t *a0,

mldsa/native/x86_64/src/poly_chknorm_avx2.c

@@ -41,7 +41,7 @@ uint32_t mld_poly_chknorm_avx2(const __m256i *a, int32_t B)
     t = _mm256_or_si256(t, f);
   }
 
-  return _mm256_testz_si256(t, t) - 1;
+  return (uint32_t)(_mm256_testz_si256(t, t) - 1);
 }
 
 #else /* MLD_ARITH_BACKEND_X86_64_DEFAULT && !MLD_CONFIG_MULTILEVEL_NO_SHARED \

mldsa/native/x86_64/src/rej_uniform_avx2.c

@@ -93,13 +93,13 @@ unsigned int mld_rej_uniform_avx2(
     pos += 24;
 
     tmp = _mm256_sub_epi32(d, bound);
-    good = _mm256_movemask_ps((__m256)tmp);
+    good = (uint32_t)_mm256_movemask_ps((__m256)tmp);
     tmp = _mm256_cvtepu8_epi32(
         _mm_loadl_epi64((__m128i *)&mld_rej_uniform_table[good]));
     d = _mm256_permutevar8x32_epi32(d, tmp);
 
     _mm256_storeu_si256((__m256i *)&r[ctr], d);
-    ctr += _mm_popcnt_u32(good);
+    ctr += (unsigned)_mm_popcnt_u32(good);
   }
 
   while (ctr < MLDSA_N && pos <= MLD_AVX2_REJ_UNIFORM_BUFLEN - 3)
@@ -111,7 +111,8 @@ unsigned int mld_rej_uniform_avx2(
 
     if (t < MLDSA_Q)
     {
-      r[ctr++] = t;
+      /* Safe because t < MLDSA_Q. */
+      r[ctr++] = (int32_t)t;
     }
   }
 

mldsa/native/x86_64/src/rej_uniform_eta2_avx2.c

@@ -60,7 +60,7 @@ unsigned int mld_rej_uniform_eta2_avx2(
 
     f1 = _mm256_sub_epi8(f0, bound);
     f0 = _mm256_sub_epi8(eta, f0);
-    good = _mm256_movemask_epi8(f1);
+    good = (uint32_t)_mm256_movemask_epi8(f1);
 
     g0 = _mm256_castsi256_si128(f0);
     g1 = _mm_loadl_epi64((__m128i *)&mld_rej_uniform_table[good & 0xFF]);
@@ -70,7 +70,7 @@ unsigned int mld_rej_uniform_eta2_avx2(
     f2 = _mm256_mullo_epi16(f2, p);
     f1 = _mm256_add_epi32(f1, f2);
     _mm256_storeu_si256((__m256i *)&r[ctr], f1);
-    ctr += _mm_popcnt_u32(good & 0xFF);
+    ctr += (unsigned)_mm_popcnt_u32(good & 0xFF);
     good >>= 8;
     pos += 4;
 
@@ -86,7 +86,7 @@ unsigned int mld_rej_uniform_eta2_avx2(
     f2 = _mm256_mullo_epi16(f2, p);
     f1 = _mm256_add_epi32(f1, f2);
     _mm256_storeu_si256((__m256i *)&r[ctr], f1);
-    ctr += _mm_popcnt_u32(good & 0xFF);
+    ctr += (unsigned)_mm_popcnt_u32(good & 0xFF);
     good >>= 8;
     pos += 4;
 
@@ -102,7 +102,7 @@ unsigned int mld_rej_uniform_eta2_avx2(
     f2 = _mm256_mullo_epi16(f2, p);
     f1 = _mm256_add_epi32(f1, f2);
     _mm256_storeu_si256((__m256i *)&r[ctr], f1);
-    ctr += _mm_popcnt_u32(good & 0xFF);
+    ctr += (unsigned)_mm_popcnt_u32(good & 0xFF);
     good >>= 8;
     pos += 4;
 
@@ -118,7 +118,7 @@ unsigned int mld_rej_uniform_eta2_avx2(
     f2 = _mm256_mullo_epi16(f2, p);
     f1 = _mm256_add_epi32(f1, f2);
     _mm256_storeu_si256((__m256i *)&r[ctr], f1);
-    ctr += _mm_popcnt_u32(good);
+    ctr += (unsigned)_mm_popcnt_u32(good);
     pos += 4;
   }
 
@@ -130,12 +130,12 @@ unsigned int mld_rej_uniform_eta2_avx2(
     if (t0 < 15)
     {
       t0 = t0 - (205 * t0 >> 10) * 5;
-      r[ctr++] = 2 - t0;
+      r[ctr++] = (int32_t)(2 - t0);
     }
     if (t1 < 15 && ctr < MLDSA_N)
     {
       t1 = t1 - (205 * t1 >> 10) * 5;
-      r[ctr++] = 2 - t1;
+      r[ctr++] = (int32_t)(2 - t1);
     }
   }
 

mldsa/native/x86_64/src/rej_uniform_eta4_avx2.c

@@ -58,14 +58,14 @@ unsigned int mld_rej_uniform_eta4_avx2(
 
     f1 = _mm256_sub_epi8(f0, bound);
     f0 = _mm256_sub_epi8(eta, f0);
-    good = _mm256_movemask_epi8(f1);
+    good = (uint32_t)_mm256_movemask_epi8(f1);
 
     g0 = _mm256_castsi256_si128(f0);
     g1 = _mm_loadl_epi64((__m128i *)&mld_rej_uniform_table[good & 0xFF]);
     g1 = _mm_shuffle_epi8(g0, g1);
     f1 = _mm256_cvtepi8_epi32(g1);
     _mm256_storeu_si256((__m256i *)&r[ctr], f1);
-    ctr += _mm_popcnt_u32(good & 0xFF);
+    ctr += (unsigned)_mm_popcnt_u32(good & 0xFF);
     good >>= 8;
     pos += 4;
 
@@ -78,7 +78,7 @@ unsigned int mld_rej_uniform_eta4_avx2(
     g1 = _mm_shuffle_epi8(g0, g1);
     f1 = _mm256_cvtepi8_epi32(g1);
     _mm256_storeu_si256((__m256i *)&r[ctr], f1);
-    ctr += _mm_popcnt_u32(good & 0xFF);
+    ctr += (unsigned)_mm_popcnt_u32(good & 0xFF);
     good >>= 8;
     pos += 4;
 
@@ -91,7 +91,7 @@ unsigned int mld_rej_uniform_eta4_avx2(
     g1 = _mm_shuffle_epi8(g0, g1);
     f1 = _mm256_cvtepi8_epi32(g1);
     _mm256_storeu_si256((__m256i *)&r[ctr], f1);
-    ctr += _mm_popcnt_u32(good & 0xFF);
+    ctr += (unsigned)_mm_popcnt_u32(good & 0xFF);
     good >>= 8;
     pos += 4;
 
@@ -104,7 +104,7 @@ unsigned int mld_rej_uniform_eta4_avx2(
     g1 = _mm_shuffle_epi8(g0, g1);
     f1 = _mm256_cvtepi8_epi32(g1);
     _mm256_storeu_si256((__m256i *)&r[ctr], f1);
-    ctr += _mm_popcnt_u32(good);
+    ctr += (unsigned)_mm_popcnt_u32(good);
     pos += 4;
   }
 
@@ -115,11 +115,11 @@ unsigned int mld_rej_uniform_eta4_avx2(
 
     if (t0 < 9)
     {
-      r[ctr++] = 4 - t0;
+      r[ctr++] = (int32_t)(4 - t0);
     }
     if (t1 < 9 && ctr < MLDSA_N)
     {
-      r[ctr++] = 4 - t1;
+      r[ctr++] = (int32_t)(4 - t1);
     }
   }