openpgp: Don't mark memory-safe Protected::into_vec as unsafe

In general, `unsafe` is an escape hatch for when do we suspicious but
actually memory-safe fiddling that the compiler can't understand.

Copying the secret into a raw `Vec` may be risky from the security point
of view but is not `unsafe` in the sense above. Use established practice
of using long/unwieldy names for functions that need careful thought.

2 files changed, 6 insertions, 8 deletions

diff --git a/openpgp/src/crypto/ecdh.rs b/openpgp/src/crypto/ecdh.rs
index b8250f9f..8649753d 100644
--- a/openpgp/src/crypto/ecdh.rs
+++ b/openpgp/src/crypto/ecdh.rs
@@ -147,9 +147,7 @@ fn pkcs5_pad(sk: Protected, target_len: usize) -> Result<Protected> {
     }
 
     // !!! THIS FUNCTION MUST NOT FAIL FROM THIS POINT ON !!!
-    let mut buf: Vec<u8> = unsafe {
-        sk.into_vec()
-    };
+    let mut buf: Vec<u8> = sk.expose_into_unprotected_vec();
     let missing = target_len - buf.len();
     assert!(missing <= 0xff);
     for _ in 0..missing {
@@ -173,9 +171,7 @@ fn pkcs5_unpad(sk: Protected, target_len: usize) -> Result<Protected> {
         return Err(Error::InvalidArgument("message too small".into()).into());
     }
 
-    let mut buf: Vec<u8> = unsafe {
-        sk.into_vec()
-    };
+    let mut buf: Vec<u8> = sk.expose_into_unprotected_vec();
     let mut good = true;
     let missing = (buf.len() - target_len) as u8;
     for &b in &buf[target_len..] {
diff --git a/openpgp/src/crypto/mem.rs b/openpgp/src/crypto/mem.rs
index 9ad839f7..6b2ed613 100644
--- a/openpgp/src/crypto/mem.rs
+++ b/openpgp/src/crypto/mem.rs
@@ -64,8 +64,10 @@ impl Hash for Protected {
 
 impl Protected {
     /// Converts to a buffer for modification.
-    pub(crate) unsafe fn into_vec(self) -> Vec<u8> {
-        self.iter().cloned().collect()
+    ///
+    /// Don't expose `Protected` values unless you know what you're doing.
+    pub(crate) fn expose_into_unprotected_vec(self) -> Vec<u8> {
+        self.0.clone().into()
     }
 }