Improved safety comment on make_mechanism()

jacobprudhomme · jacobprudhomme · commit 13f40fa6e9cb · 2025-05-12T15:24:07.000+02:00
Signed-off-by: Jacob Prud'homme &lt;2160185+jacobprudhomme@users.noreply.github.com&gt;
diff --git a/cryptoki/src/mechanism/mod.rs b/cryptoki/src/mechanism/mod.rs
@@ -1252,11 +1252,17 @@ impl From<&Mechanism<'_>> for CK_MECHANISM {
 fn make_mechanism<T>(mechanism: CK_MECHANISM_TYPE, param: &T) -> CK_MECHANISM {
     CK_MECHANISM {
         mechanism,
-        // SAFETY: Parameters that expect to have some part of themselves
-        // mutated (such as additional_derived_keys in Kbkdf{*}Params) should
-        // indicate this to the end user by marking the relevant constructor
-        // parameters as mut. Otherwise, we should generally not expect the
-        // backend to mutate the parameters, so this cast is fine.
+        /* SAFETY: Parameters that expect to have some part of themselves
+         * mutated should indicate this to the end user by marking both the
+         * relevant constructor parameters and the type's PhantomData as mut.
+         * Otherwise, we should generally not expect the backend to mutate the
+         * parameters, so this cast is fine.
+         * The list of such mutable parameter types so far:
+         * - aead::GcmParams
+         * - aead::GcmMessageParams
+         * - kbkdf::KbkdfParams
+         * - kbkdf::KbkdfFeedbackParams
+        **/
         pParameter: param as *const T as *mut c_void,
         ulParameterLen: size_of::<T>()
             .try_into()
