diff options
author | Igor Matuszewski <igor@sequoia-pgp.org> | 2020-10-06 21:07:55 +0200 |
---|---|---|
committer | Igor Matuszewski <igor@sequoia-pgp.org> | 2020-10-08 15:11:23 +0200 |
commit | 0dad1b8dfb8e4cb021fa5094a2f46f848310f7dc (patch) | |
tree | 75d34f1a1f18713de3ba7044898f8c4171f2a918 /openpgp | |
parent | 582355043aeb20223b46178140e7e44b0854697d (diff) |
openpgp: Don't mark memory-safe Protected::into_vec as unsafe
In general, `unsafe` is an escape hatch for when do we suspicious but
actually memory-safe fiddling that the compiler can't understand.
Copying the secret into a raw `Vec` may be risky from the security point
of view but is not `unsafe` in the sense above. Use established practice
of using long/unwieldy names for functions that need careful thought.
Diffstat (limited to 'openpgp')
-rw-r--r-- | openpgp/src/crypto/ecdh.rs | 8 | ||||
-rw-r--r-- | openpgp/src/crypto/mem.rs | 6 |
2 files changed, 6 insertions, 8 deletions
diff --git a/openpgp/src/crypto/ecdh.rs b/openpgp/src/crypto/ecdh.rs index b8250f9f..8649753d 100644 --- a/openpgp/src/crypto/ecdh.rs +++ b/openpgp/src/crypto/ecdh.rs @@ -147,9 +147,7 @@ fn pkcs5_pad(sk: Protected, target_len: usize) -> Result<Protected> { } // !!! THIS FUNCTION MUST NOT FAIL FROM THIS POINT ON !!! - let mut buf: Vec<u8> = unsafe { - sk.into_vec() - }; + let mut buf: Vec<u8> = sk.expose_into_unprotected_vec(); let missing = target_len - buf.len(); assert!(missing <= 0xff); for _ in 0..missing { @@ -173,9 +171,7 @@ fn pkcs5_unpad(sk: Protected, target_len: usize) -> Result<Protected> { return Err(Error::InvalidArgument("message too small".into()).into()); } - let mut buf: Vec<u8> = unsafe { - sk.into_vec() - }; + let mut buf: Vec<u8> = sk.expose_into_unprotected_vec(); let mut good = true; let missing = (buf.len() - target_len) as u8; for &b in &buf[target_len..] { diff --git a/openpgp/src/crypto/mem.rs b/openpgp/src/crypto/mem.rs index 9ad839f7..6b2ed613 100644 --- a/openpgp/src/crypto/mem.rs +++ b/openpgp/src/crypto/mem.rs @@ -64,8 +64,10 @@ impl Hash for Protected { impl Protected { /// Converts to a buffer for modification. - pub(crate) unsafe fn into_vec(self) -> Vec<u8> { - self.iter().cloned().collect() + /// + /// Don't expose `Protected` values unless you know what you're doing. + pub(crate) fn expose_into_unprotected_vec(self) -> Vec<u8> { + self.0.clone().into() } } |