Potential problem with anonymous types

[emberian]

One of my "favorite" corners of C, especially thwarted by libclang's incomplete exposure of it via the C API!

The following code, when corrode'd, complains:

("encrypt.c": line 117): illegal member access of incomplete type; check whether a real C compiler accepts this:
    l.e

/*
// HS1-SIV v2.0 reference code.
//
// Note: This implements HS1-SIV v2, and not v1 or Draft v2.
//
// ** This version is slow and susceptible to side-channel attacks. **
// ** Do not use for any purpose other than to understand HS1-SIV.  **
//
// Written by Ted Krovetz (ted@krovetz.net). Last modified 12 Sep 2015.
//
// This is free and unencumbered software released into the public domain.
//
// Anyone is free to copy, modify, publish, use, compile, sell, or
// distribute this software, either in source code form or as a compiled
// binary, for any purpose, commercial or non-commercial, and by any
// means.
//
// In jurisdictions that recognize copyright laws, the author or authors
// of this software dedicate any and all copyright interest in the
// software to the public domain. We make this dedication for the benefit
// of the public at large and to the detriment of our heirs and
// successors. We intend this dedication to be an overt act of
// relinquishment in perpetuity of all present and future rights to this
// software under copyright law.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
// IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
// OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
// ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
// OTHER DEALINGS IN THE SOFTWARE.
//
// For more information, please refer to <http://unlicense.org/>
//
// The author knows of no intellectual property claims relevant to this work.
*/

/* Exactly one of the following should be set */
#define HS1_SIV_LO  1
#define HS1_SIV     0
#define HS1_SIV_HI  0

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 *
 *     I n c l u d e s   a n d   u t i l i t i e s
 *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

#include "api.h"
#include "crypto_aead.h"

#if HS1_SIV_LO
#define HS1_SIV_NH_LEN      64
#define HS1_SIV_HASH_RNDS    2
#define HS1_SIV_CHACHA_RNDS  8
#define HS1_SIV_SIV_LEN      CRYPTO_ABYTES
#elif HS1_SIV
#define HS1_SIV_NH_LEN      64
#define HS1_SIV_HASH_RNDS    4
#define HS1_SIV_CHACHA_RNDS 12
#define HS1_SIV_SIV_LEN     CRYPTO_ABYTES
#elif HS1_SIV_HI
#define HS1_SIV_NH_LEN      64
#define HS1_SIV_HASH_RNDS    6
#define HS1_SIV_CHACHA_RNDS 20
#define HS1_SIV_SIV_LEN     CRYPTO_ABYTES
#endif

#define __STDC_LIMIT_MACROS
#include <string.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#if __GNUC__
    #define HS1_SIV_ALIGN(n) __attribute__ ((aligned(n)))
#elif _MSC_VER
    #define HS1_SIV_ALIGN(n) __declspec(align(n))
#elif (__STDC_VERSION >= 201112L) || (__cplusplus >= 201103L)
    #define HS1_SIV_ALIGN(n) alignas(n)
#else /* Not GNU/Microsoft/C11: delete alignment uses.     */
    #pragma message ( "Struct alignment not guaranteed" )
    #define HS1_SIV_ALIGN(n)
#endif

HS1_SIV_ALIGN(16)
typedef struct {
    unsigned char chacha_key[32];
    unsigned char nh_key[HS1_SIV_NH_LEN+16*(HS1_SIV_HASH_RNDS-1)];
    unsigned char poly_key[HS1_SIV_HASH_RNDS*8];
    #if HS1_SIV_ASU_HASH /* ASU */
    unsigned char asu_key[HS1_SIV_HASH_RNDS*24];
    #else
    unsigned char asu_key[];
    #endif
} hs1siv_ctx_t;

/* Little-endian reads and writes. */

static uint32_t swap32(uint32_t x) {
    return (((x & 0x000000ffu) << 24) | ((x & 0x0000ff00u) << 8)  |
            ((x & 0x00ff0000u) >> 8)  | ((x & 0xff000000u) >> 24));
}

static uint64_t swap64(uint64_t x) {
    return ((x & UINT64_C(0x00000000000000ff)) << 56) |
           ((x & UINT64_C(0x000000000000ff00)) << 40) |
           ((x & UINT64_C(0x0000000000ff0000)) << 24) |
           ((x & UINT64_C(0x00000000ff000000)) <<  8) |
           ((x & UINT64_C(0x000000ff00000000)) >>  8) |
           ((x & UINT64_C(0x0000ff0000000000)) >> 24) |
           ((x & UINT64_C(0x00ff000000000000)) >> 40) |
           ((x & UINT64_C(0xff00000000000000)) >> 56);
}

static int le() { const union { int x; char e; } l = { 1 }; return l.e; }
static uint32_t read32le(uint32_t *p) { return (le()?*p:swap32(*p)); }
static uint64_t read64le(uint64_t *p) { return (le()?*p:swap64(*p)); }
static void write32le(uint32_t *p, uint32_t w) { *p = (le()?w:swap32(w)); }
static void write64le(uint64_t *p, uint64_t w) { *p = (le()?w:swap64(w)); }

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 *
 *     C h a c h a   S e c t i o n -- Implementation borrowed from D Bernstein
 *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

/* This chacha implementation was adapted from a public domain implementation
 * found at http://cr.yp.to/chacha.html. It has been modified to accommodate
 * 12-byte IVs as specified in RFC 7539.
 */

typedef struct { uint32_t input[16]; } chacha_ctx_t;

static uint32_t rotl(uint32_t x, unsigned n) { return (x<<n) | (x>>(32-n)); }

#define QUARTERROUND(a,b,c,d) \
  x[a] += x[b]; x[d] = rotl(x[d] ^ x[a],16); \
  x[c] += x[d]; x[b] = rotl(x[b] ^ x[c],12); \
  x[a] += x[b]; x[d] = rotl(x[d] ^ x[a], 8); \
  x[c] += x[d]; x[b] = rotl(x[b] ^ x[c], 7);

static void salsa20_wordtobyte(unsigned char output[64], uint32_t input[16])
{
  uint32_t i, x[16];

  for (i = 0;i < 16;++i) x[i] = input[i];
  for (i = HS1_SIV_CHACHA_RNDS;i != 0;i -= 2) {
    QUARTERROUND( 0, 4, 8,12)
    QUARTERROUND( 1, 5, 9,13)
    QUARTERROUND( 2, 6,10,14)
    QUARTERROUND( 3, 7,11,15)
    QUARTERROUND( 0, 5,10,15)
    QUARTERROUND( 1, 6,11,12)
    QUARTERROUND( 2, 7, 8,13)
    QUARTERROUND( 3, 4, 9,14)
  }
  for (i = 0;i < 16;++i) x[i] += input[i];
  for (i = 0;i < 16;++i) write32le((uint32_t *)(output + 4 * i),x[i]);
}

static const char sigma[] = "expand 32-byte k";
static const char tau[] = "expand 16-byte k";

void chacha_keysetup(chacha_ctx_t *x, const unsigned char *k, unsigned kbits)
{
  const char *constants;

  x->input[4] = read32le((uint32_t *)(k + 0));
  x->input[5] = read32le((uint32_t *)(k + 4));
  x->input[6] = read32le((uint32_t *)(k + 8));
  x->input[7] = read32le((uint32_t *)(k + 12));
  if (kbits == 256) { /* recommended */
    k += 16;
    constants = sigma;
  } else { /* kbits == 128 */
    constants = tau;
  }
  x->input[8] = read32le((uint32_t *)(k + 0));
  x->input[9] = read32le((uint32_t *)(k + 4));
  x->input[10] = read32le((uint32_t *)(k + 8));
  x->input[11] = read32le((uint32_t *)(k + 12));
  x->input[0] = read32le((uint32_t *)(constants + 0));
  x->input[1] = read32le((uint32_t *)(constants + 4));
  x->input[2] = read32le((uint32_t *)(constants + 8));
  x->input[3] = read32le((uint32_t *)(constants + 12));
}

void chacha_ivsetup(chacha_ctx_t *x,const unsigned char *iv)
{
  x->input[12] = 0;
  x->input[13] = read32le((uint32_t *)(iv + 0)); /* Modified for 12-byte iv */
  x->input[14] = read32le((uint32_t *)(iv + 4));
  x->input[15] = read32le((uint32_t *)(iv + 8));
}

void chacha(chacha_ctx_t *x,unsigned char *out,unsigned bytes)
{
  unsigned char output[64];
  unsigned i;

  if (!bytes) return;
  for (;;) {
    salsa20_wordtobyte(output,x->input);
    x->input[12] += 1;
    if (bytes <= 64) {
      for (i = 0;i < bytes;++i) out[i] = output[i];
      return;
    }
    for (i = 0;i < 64;++i) out[i] = output[i];
    bytes -= 64;
    out += 64;
  }
}

void hs1siv_chacha256(void *out, unsigned outbytes,
                      unsigned char *iv, void *user_key)
{
    chacha_ctx_t ctx;

    chacha_keysetup(&ctx, user_key, 256);
    chacha_ivsetup(&ctx,iv);
    chacha(&ctx,out,outbytes);
}

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 *
 *     H S 1 - H a s h   S e c t i o n
 *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

static const uint64_t m60 = ((uint64_t)1 << 60) - 1;
static const uint64_t m61 = ((uint64_t)1 << 61) - 1;

/* dh:dl = a * b : since a and b are both < 64 bits, no overflow in m. */
static void pmul64(uint64_t *dh, uint64_t *dl, uint64_t a, uint64_t b) {
    uint64_t m = (uint64_t)(uint32_t)(a>>32) * (uint64_t)(uint32_t)b
               + (uint64_t)(uint32_t)(b>>32) * (uint64_t)(uint32_t)a;
    uint64_t h = (uint64_t)(uint32_t)(a>>32) * (uint64_t)(uint32_t)(b>>32);
    uint64_t l = (uint64_t)(uint32_t)a * (uint64_t)(uint32_t)b;
    h += (m >> 32); l += (m << 32);  /* h:l += (m>>32):(m<<32)      */
    if (l < (m << 32)) h += 1;       /* Check for carry from l to h */
    *dl=l; *dh=h;
}

/* Return 62 bits congruent to ak+m % (2^61-1). Assumes 60-bit k,m; 62-bit a */
static uint64_t poly_step(uint64_t a, uint64_t m, uint64_t k) {
        uint64_t h,l;
        pmul64(&h,&l,a,k);
        return (l & m61) + ((h << 3) | (l >> 61)) + m;
}

static uint64_t poly_finalize(uint64_t a) {
    a = (a & m61) + (a >> 61);   /* a may be 62 bits, so one final reduction */
    if (a == m61) a = 0;
    return a;
}

#if (HS1_SIV_HASH_RNDS > 4)
static uint32_t asu_hash(uint64_t x, uint64_t *k) {
    uint64_t t = k[0] + k[1] * (uint32_t)x + k[2] * (uint32_t)(x >> 32);
    return (uint32_t)(t >> 32);
}
#endif

void prf_hash2(uint64_t *h, uint32_t *in, unsigned inbytes, uint32_t *nhkey,
               uint64_t *polykey, uint64_t *asukey) {
    uint64_t s0 = 1, s1 = 1;
    unsigned i=0, j;

    /* Hash full blocks of HS1_SIV_NH_LEN bytes */
    while (inbytes >= HS1_SIV_NH_LEN) {
        uint64_t a0 = 0, a1 = 0;
        for (i=0;i<HS1_SIV_NH_LEN/4;i+=8) {
            a0 += (uint64_t)(read32le(in+i+0) + nhkey[i+0]) *
                            (read32le(in+i+2) + nhkey[i+2]);
            a0 += (uint64_t)(read32le(in+i+1) + nhkey[i+1]) *
                            (read32le(in+i+3) + nhkey[i+3]);
            a1 += (uint64_t)(read32le(in+i+0) + nhkey[i+4]) *
                            (read32le(in+i+2) + nhkey[i+6]);
            a1 += (uint64_t)(read32le(in+i+1) + nhkey[i+5]) *
                            (read32le(in+i+3) + nhkey[i+7]);
            a0 += (uint64_t)(read32le(in+i+4) + nhkey[i+4]) *
                            (read32le(in+i+6) + nhkey[i+6]);
            a0 += (uint64_t)(read32le(in+i+5) + nhkey[i+5]) *
                            (read32le(in+i+7) + nhkey[i+7]);
            a1 += (uint64_t)(read32le(in+i+4) + nhkey[i+8]) *
                            (read32le(in+i+6) + nhkey[i+10]);
            a1 += (uint64_t)(read32le(in+i+5) + nhkey[i+9]) *
                            (read32le(in+i+7) + nhkey[i+11]);
        }
        s0 = poly_step(s0, a0&m60, polykey[0]);
        s1 = poly_step(s1, a1&m60, polykey[1]);
        inbytes -= HS1_SIV_NH_LEN;
        in += HS1_SIV_NH_LEN/4;
    }
    /* If partial block remains, hash it */
    i=0;
    if (inbytes != 0) {
        uint64_t a0 = 0, a1 = 0;
        while (inbytes >= 16) {
            a0 += (uint64_t)(read32le(in+i+0) + nhkey[i+0]) *
                            (read32le(in+i+2) + nhkey[i+2]);
            a0 += (uint64_t)(read32le(in+i+1) + nhkey[i+1]) *
                            (read32le(in+i+3) + nhkey[i+3]);
            a1 += (uint64_t)(read32le(in+i+0) + nhkey[i+4]) *
                            (read32le(in+i+2) + nhkey[i+6]);
            a1 += (uint64_t)(read32le(in+i+1) + nhkey[i+5]) *
                            (read32le(in+i+3) + nhkey[i+7]);
            i += 4; inbytes -= 16;
        }
        if (inbytes) {
            uint32_t tail[4] = {0,0,0,0};
            for (j=0;j<inbytes;j++)
                ((unsigned char *)tail)[j] = ((unsigned char *)(in+i))[j];
            a0 += (uint64_t)(read32le(tail+0) + nhkey[i+0]) *
                            (read32le(tail+2) + nhkey[i+2]);
            a0 += (uint64_t)(read32le(tail+1) + nhkey[i+1]) *
                            (read32le(tail+3) + nhkey[i+3]);
            a1 += (uint64_t)(read32le(tail+0) + nhkey[i+4]) *
                            (read32le(tail+2) + nhkey[i+6]);
            a1 += (uint64_t)(read32le(tail+1) + nhkey[i+5]) *
                            (read32le(tail+3) + nhkey[i+7]);
            a0 += inbytes;
            a1 += inbytes;
        }
        s0 = poly_step(s0, a0&m60, polykey[0]);
        s1 = poly_step(s1, a1&m60, polykey[1]);
    }
    s0 = poly_finalize(s0);
    s1 = poly_finalize(s1);
    #if (HS1_SIV_HASH_RNDS > 4)
    write64le(h, (uint64_t)asu_hash(s1, asukey+3) << 32 | asu_hash(s0, asukey));
    #else
    (void)asukey;
    write64le(h,s0);
    write64le(h+1,s1);
    #endif
}

void hs1_hash(hs1siv_ctx_t *ctx, void *in, unsigned inbytes, void *out) {
    uint64_t *h = (uint64_t *)out;
    unsigned k = (HS1_SIV_HASH_RNDS > 4 ? 1 : 2);

    prf_hash2(h, (uint32_t *)in, inbytes, (uint32_t *)ctx->nh_key,
              (uint64_t *)ctx->poly_key, (uint64_t *)ctx->asu_key);
    #if HS1_SIV_HASH_RNDS > 2
    prf_hash2(h+k, (uint32_t *)in, inbytes, (uint32_t *)ctx->nh_key+8,
              (uint64_t *)ctx->poly_key+2, (uint64_t *)ctx->asu_key+3);
    #if HS1_SIV_HASH_RNDS > 4
    prf_hash2(h+2*k, (uint32_t *)in, inbytes, (uint32_t *)ctx->nh_key+16,
              (uint64_t *)ctx->poly_key+4, (uint64_t *)ctx->asu_key+6);
    #if HS1_SIV_HASH_RNDS > 6
    prf_hash2(h+3*k, (uint32_t *)in, inbytes, (uint32_t *)ctx->nh_key+24,
              (uint64_t *)ctx->poly_key+6, (uint64_t *)ctx->asu_key+9);
    #endif
    #endif
    #endif
}

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 *
 *     P R F   S e c t i o n
 *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

/*
typedef struct {
    unsigned char chacha_key[32];
    unsigned char nh_key[HS1_SIV_NH_LEN+16*(HS1_SIV_HASH_RNDS-1)];
    unsigned char poly_key[HS1_SIV_HASH_RNDS*8];
    #if (HS1_SIV_HASH_RNDS > 4)
    unsigned char asu_key[HS1_SIV_HASH_RNDS*24];
    #else
    unsigned char asu_key[];
    #endif
} hs1siv_ctx_t;
*/

void hs1siv_subkeygen(hs1siv_ctx_t *ctx, void *user_key, unsigned key_bytes)
{
    unsigned char chacha_key[32];
    unsigned char iv[12];
    unsigned i=0;

    /* Copy user_key as many times as needed to fill 32 byte chacha key */
    while (i < 32) {
        unsigned nbytes = 32-i;
        if (nbytes > key_bytes) nbytes = key_bytes;
        memcpy(chacha_key+i,user_key,nbytes);
        i += nbytes;
    }

    /* Build key-derivation nonce and fill context */
    memset(iv,0,12);
    iv[0] = key_bytes;
    iv[2] = HS1_SIV_SIV_LEN;
    iv[4] = HS1_SIV_CHACHA_RNDS;
    iv[5] = HS1_SIV_HASH_RNDS;
    iv[6] = HS1_SIV_NH_LEN;
    hs1siv_chacha256(ctx, sizeof(hs1siv_ctx_t), iv, chacha_key);

    /* Pre-process internal keys: make future reads little-endian, mod poly */
    for (i=0; i<sizeof(ctx->nh_key)/4; i++)
        ((uint32_t *)ctx->nh_key)[i] = read32le(((uint32_t *)ctx->nh_key)+i);
    for (i=0; i<sizeof(ctx->poly_key)/8; i++)
        ((uint64_t *)ctx->poly_key)[i] = read64le(((uint64_t *)ctx->poly_key)+i)
                                       & m60;
    #if (HS1_SIV_HASH_RNDS > 4)
    for (i=0; i<sizeof(ctx->asu_key)/8; i++)
        ((uint64_t *)ctx->asu_key)[i] = read64le(((uint64_t *)ctx->asu_key)+i);
    #endif
}

void hs1(
    hs1siv_ctx_t *hs1_ctx,
    void *in, unsigned inbytes,
    void *iv,
    void *out, unsigned outbytes
)
{
    #if (HS1_SIV_HASH_RNDS > 4)
    uint64_t h[HS1_SIV_HASH_RNDS/2];
    #else
    uint64_t h[HS1_SIV_HASH_RNDS];
    #endif

    unsigned i;
    unsigned char key[32];
    chacha_ctx_t chacha_ctx;

    hs1_hash(hs1_ctx, in, inbytes, h);
    memcpy(key, hs1_ctx->chacha_key, 32);
    for (i=0; i<sizeof(h)/8;i++) ((uint64_t *)key)[i] ^= h[i];
    chacha_keysetup(&chacha_ctx, key, 256);
    chacha_ivsetup(&chacha_ctx,(unsigned char *)iv);
    chacha(&chacha_ctx, (unsigned char *)out, outbytes);
}

void hs1siv_encrypt(hs1siv_ctx_t *ctx, void *m, unsigned mbytes,
                    void *a, unsigned abytes, void *n, void *t, void *c)
{
    unsigned i;
    unsigned abuflen = (abytes+HS1_SIV_NH_LEN-1)/HS1_SIV_NH_LEN*HS1_SIV_NH_LEN;
    unsigned buflen = abuflen + (mbytes+15)/16*16 + 16;
    unsigned char tmp_t[HS1_SIV_SIV_LEN];
    unsigned char *buf = (unsigned char *)malloc(buflen);
    memset(buf, 0, buflen);
    memcpy(buf, a, abytes);
    memcpy(buf+abuflen, m, mbytes);
    write32le((uint32_t *)(buf+buflen-16), abytes);
    write32le((uint32_t *)(buf+buflen-8), mbytes);
    hs1(ctx, buf, buflen, n, tmp_t, HS1_SIV_SIV_LEN);
    free(buf);
    buf = (unsigned char *)malloc(mbytes+64);
    hs1(ctx, tmp_t, HS1_SIV_SIV_LEN, n, buf, mbytes+64);
    for (i=0; i<mbytes; i++)
        buf[64+i] ^= ((unsigned char *)m)[i];
    memcpy(c,buf+64,mbytes);
    memcpy(t,tmp_t,HS1_SIV_SIV_LEN);
    free(buf);
}

int hs1siv_decrypt(hs1siv_ctx_t *ctx, void *c, unsigned cbytes,
                   void *a, unsigned abytes, void *n, void *t, void *m)
{
    unsigned i;
    unsigned abuflen = (abytes+HS1_SIV_NH_LEN-1)/HS1_SIV_NH_LEN*HS1_SIV_NH_LEN;
    unsigned buflen = abuflen + (cbytes+15)/16*16 + 16;
    unsigned char *maybe_m = (unsigned char *)malloc(cbytes);
    unsigned char maybe_t[HS1_SIV_SIV_LEN];
    unsigned char *buf = (unsigned char *)malloc(cbytes+64);
    hs1(ctx, t, HS1_SIV_SIV_LEN, n, buf, cbytes+64);
    for (i=0; i<cbytes; i++)
        ((unsigned char *)maybe_m)[i] = ((unsigned char *)c)[i] ^ buf[64+i];
    free(buf);
    buf = (unsigned char *)malloc(buflen);
    memset(buf, 0, buflen);
    memcpy(buf, a, abytes);
    memcpy(buf+abuflen, maybe_m, cbytes);
    write32le((uint32_t *)(buf+buflen-16), abytes);
    write32le((uint32_t *)(buf+buflen-8), cbytes);
    hs1(ctx, buf, buflen, n, maybe_t, HS1_SIV_SIV_LEN);
    free(buf);
    if (memcmp(t,maybe_t,HS1_SIV_SIV_LEN) == 0) {
        memcpy(m,maybe_m,cbytes);
        free(maybe_m);
        return 0;
    } else {
        free(maybe_m);
        return -1;
    }
}

int crypto_aead_encrypt(
    unsigned char *c,unsigned long long *clen,
    const unsigned char *m,unsigned long long mlen,
    const unsigned char *ad,unsigned long long adlen,
    const unsigned char *nsec,
    const unsigned char *npub,
    const unsigned char *k
)
{
    hs1siv_ctx_t ctx;
    (void)nsec;
    hs1siv_subkeygen(&ctx, (void *)k, CRYPTO_KEYBYTES);
    if (clen) *clen = mlen+CRYPTO_ABYTES;
    hs1siv_encrypt(&ctx, (void *)m, mlen, (void *)ad, adlen, (void *)npub,
                   c+mlen, c);
    return 0;
}

int crypto_aead_decrypt(
    unsigned char *m,unsigned long long *mlen,
    unsigned char *nsec,
    const unsigned char *c,unsigned long long clen,
    const unsigned char *ad,unsigned long long adlen,
    const unsigned char *npub,
    const unsigned char *k
)
{
    hs1siv_ctx_t ctx;
    (void)nsec;
    if (mlen) *mlen = clen-CRYPTO_ABYTES;
    hs1siv_subkeygen(&ctx, (void *)k, CRYPTO_KEYBYTES);
    return hs1siv_decrypt(&ctx, (void *)c, clen-CRYPTO_ABYTES,
        (void *)ad, adlen, (void *)npub, (void *)(c+clen-CRYPTO_ABYTES), m);
}

#include <string.h>

static uint8_t KEY_32_BYTES[32] = {0};
int main(int argc, char **argv) {
    char *msg = "The crow flies at midnight.";
    hs1siv_ctx_t ctx;
    for (int i = 0; i < 32; i++) {
        KEY_32_BYTES[i] = i;
    }

    uint64_t out[2];

    hs1siv_subkeygen(&ctx, (void *)KEY_32_BYTES, CRYPTO_KEYBYTES);
    hs1_hash(&ctx, msg, strlen(msg), out);
    printf("%x %x\n", out[0], out[1]);
    return 0;
}

[jameysharp]

Hi @cmr, and thanks for trying Corrode!

This isn't a problem with anonymous types, which are handled... adequately... but rather with unions, which aren't implemented yet if you actually try to access or initialize the union's fields. Rust only got support for C-style unions recently and I haven't caught up yet. I'm tracking that in issue #22 and pull request #63, so I'm closing this issue in favor of those.

Also, if you could provide minimal test cases for future bugs, that'd be super helpful! You can use C-Reduce to automatically minimize your test cases, or just manually try deleting parts of your input until you figure out which ones are necessary to observe the bug you're trying to report.