Merge pull request #184 from elichai/2019-11-context

apoelstra · web-flow · commit 1e711f194c91 · 2019-11-27T19:58:44.000Z
Fix a safety problem and make the Context trait unimplementable
diff --git a/src/context.rs b/src/context.rs
@@ -8,14 +8,14 @@ use Secp256k1;
 pub use self::std_only::*;
 
 /// A trait for all kinds of Context's that Lets you define the exact flags and a function to deallocate memory.
-/// * DO NOT * implement it for your own types.
-pub unsafe trait Context {
+/// It shouldn't be possible to implement this for types outside this crate.
+pub unsafe trait Context : private::Sealed {
     /// Flags for the ffi.
     const FLAGS: c_uint;
     /// A constant description of the context.
     const DESCRIPTION: &'static str;
     /// A function to deallocate the memory when the context is dropped.
-    fn deallocate(ptr: *mut [u8]);
+    unsafe fn deallocate(ptr: *mut [u8]);
 }
 
 /// Marker trait for indicating that an instance of `Secp256k1` can be used for signing.
@@ -39,8 +39,24 @@ pub struct AllPreallocated<'buf> {
     phantom: PhantomData<&'buf ()>,
 }
 
+mod private {
+    use super::*;
+    // A trick to prevent users from implementing a trait.
+    // on one hand this trait is public, on the other it's in a private module
+    // so it's not visible to anyone besides it's parent (the context module)
+    pub trait Sealed {}
+
+    impl<'buf> Sealed for AllPreallocated<'buf> {}
+    impl<'buf> Sealed for VerifyOnlyPreallocated<'buf> {}
+    impl<'buf> Sealed for SignOnlyPreallocated<'buf> {}
+}
+
 #[cfg(feature = "std")]
 mod std_only {
+    impl private::Sealed for SignOnly {}
+    impl private::Sealed for All {}
+    impl private::Sealed for VerifyOnly {}
+
     use super::*;
 
     /// Represents the set of capabilities needed for signing.
@@ -62,26 +78,26 @@ mod std_only {
         const FLAGS: c_uint = ffi::SECP256K1_START_SIGN;
         const DESCRIPTION: &'static str = "signing only";
 
-        fn deallocate(ptr: *mut [u8]) {
-            let _ = unsafe { Box::from_raw(ptr) };
+        unsafe fn deallocate(ptr: *mut [u8]) {
+            let _ = Box::from_raw(ptr);
         }
     }
 
     unsafe impl Context for VerifyOnly {
         const FLAGS: c_uint = ffi::SECP256K1_START_VERIFY;
         const DESCRIPTION: &'static str = "verification only";
 
-        fn deallocate(ptr: *mut [u8]) {
-            let _ = unsafe { Box::from_raw(ptr) };
+        unsafe fn deallocate(ptr: *mut [u8]) {
+            let _ = Box::from_raw(ptr);
         }
     }
 
     unsafe impl Context for All {
         const FLAGS: c_uint = VerifyOnly::FLAGS | SignOnly::FLAGS;
         const DESCRIPTION: &'static str = "all capabilities";
 
-        fn deallocate(ptr: *mut [u8]) {
-            let _ = unsafe { Box::from_raw(ptr) };
+        unsafe fn deallocate(ptr: *mut [u8]) {
+            let _ = Box::from_raw(ptr);
         }
     }
 
@@ -136,7 +152,6 @@ mod std_only {
             }
         }
     }
-
 }
 
 impl<'buf> Signing for SignOnlyPreallocated<'buf> {}
@@ -149,7 +164,7 @@ unsafe impl<'buf> Context for SignOnlyPreallocated<'buf> {
     const FLAGS: c_uint = ffi::SECP256K1_START_SIGN;
     const DESCRIPTION: &'static str = "signing only";
 
-    fn deallocate(_ptr: *mut [u8]) {
+    unsafe fn deallocate(_ptr: *mut [u8]) {
         // Allocated by the user
     }
 }
@@ -158,7 +173,7 @@ unsafe impl<'buf> Context for VerifyOnlyPreallocated<'buf> {
     const FLAGS: c_uint = ffi::SECP256K1_START_VERIFY;
     const DESCRIPTION: &'static str = "verification only";
 
-    fn deallocate(_ptr: *mut [u8]) {
+    unsafe fn deallocate(_ptr: *mut [u8]) {
         // Allocated by the user
     }
 }
@@ -167,7 +182,7 @@ unsafe impl<'buf> Context for AllPreallocated<'buf> {
     const FLAGS: c_uint = SignOnlyPreallocated::FLAGS | VerifyOnlyPreallocated::FLAGS;
     const DESCRIPTION: &'static str = "all capabilities";
 
-    fn deallocate(_ptr: *mut [u8]) {
+    unsafe fn deallocate(_ptr: *mut [u8]) {
         // Allocated by the user
     }
 }
diff --git a/src/lib.rs b/src/lib.rs
@@ -574,8 +574,10 @@ impl<C: Context> Eq for Secp256k1<C> { }
 
 impl<C: Context> Drop for Secp256k1<C> {
     fn drop(&mut self) {
-        unsafe { ffi::secp256k1_context_preallocated_destroy(self.ctx) };
-        C::deallocate(self.buf);
+        unsafe {
+            ffi::secp256k1_context_preallocated_destroy(self.ctx);
+            C::deallocate(self.buf);
+        }
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -8,14 +8,14 @@ use Secp256k1;`
`8`	`8`	`pub use self::std_only::*;`
`9`	`9`
`10`	`10`	`/// A trait for all kinds of Context's that Lets you define the exact flags and a function to deallocate memory.`
`11`		`-/// * DO NOT * implement it for your own types.`
`12`		`-pub unsafe trait Context {`
	`11`	`+/// It shouldn't be possible to implement this for types outside this crate.`
	`12`	`+pub unsafe trait Context : private::Sealed {`
`13`	`13`	`/// Flags for the ffi.`
`14`	`14`	`const FLAGS: c_uint;`
`15`	`15`	`/// A constant description of the context.`
`16`	`16`	`const DESCRIPTION: &'static str;`
`17`	`17`	`/// A function to deallocate the memory when the context is dropped.`
`18`		`- fn deallocate(ptr: *mut [u8]);`
	`18`	`+ unsafe fn deallocate(ptr: *mut [u8]);`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	/// Marker trait for indicating that an instance of `Secp256k1` can be used for signing.
`@@ -39,8 +39,24 @@ pub struct AllPreallocated<'buf> {`
`39`	`39`	`phantom: PhantomData<&'buf ()>,`
`40`	`40`	`}`
`41`	`41`
	`42`	`+mod private {`
	`43`	`+ use super::*;`
	`44`	`+ // A trick to prevent users from implementing a trait.`
	`45`	`+ // on one hand this trait is public, on the other it's in a private module`
	`46`	`+ // so it's not visible to anyone besides it's parent (the context module)`
	`47`	`+ pub trait Sealed {}`
	`48`	`+`
	`49`	`+ impl<'buf> Sealed for AllPreallocated<'buf> {}`
	`50`	`+ impl<'buf> Sealed for VerifyOnlyPreallocated<'buf> {}`
	`51`	`+ impl<'buf> Sealed for SignOnlyPreallocated<'buf> {}`
	`52`	`+}`
	`53`	`+`
`42`	`54`	`#[cfg(feature = "std")]`
`43`	`55`	`mod std_only {`
	`56`	`+ impl private::Sealed for SignOnly {}`
	`57`	`+ impl private::Sealed for All {}`
	`58`	`+ impl private::Sealed for VerifyOnly {}`
	`59`	`+`
`44`	`60`	`use super::*;`
`45`	`61`
`46`	`62`	`/// Represents the set of capabilities needed for signing.`
`@@ -62,26 +78,26 @@ mod std_only {`
`62`	`78`	`const FLAGS: c_uint = ffi::SECP256K1_START_SIGN;`
`63`	`79`	`const DESCRIPTION: &'static str = "signing only";`
`64`	`80`
`65`		`- fn deallocate(ptr: *mut [u8]) {`
`66`		`- let _ = unsafe { Box::from_raw(ptr) };`
	`81`	`+ unsafe fn deallocate(ptr: *mut [u8]) {`
	`82`	`+ let _ = Box::from_raw(ptr);`
`67`	`83`	`}`
`68`	`84`	`}`
`69`	`85`
`70`	`86`	`unsafe impl Context for VerifyOnly {`
`71`	`87`	`const FLAGS: c_uint = ffi::SECP256K1_START_VERIFY;`
`72`	`88`	`const DESCRIPTION: &'static str = "verification only";`
`73`	`89`
`74`		`- fn deallocate(ptr: *mut [u8]) {`
`75`		`- let _ = unsafe { Box::from_raw(ptr) };`
	`90`	`+ unsafe fn deallocate(ptr: *mut [u8]) {`
	`91`	`+ let _ = Box::from_raw(ptr);`
`76`	`92`	`}`
`77`	`93`	`}`
`78`	`94`
`79`	`95`	`unsafe impl Context for All {`
`80`	`96`	`const FLAGS: c_uint = VerifyOnly::FLAGS \| SignOnly::FLAGS;`
`81`	`97`	`const DESCRIPTION: &'static str = "all capabilities";`
`82`	`98`
`83`		`- fn deallocate(ptr: *mut [u8]) {`
`84`		`- let _ = unsafe { Box::from_raw(ptr) };`
	`99`	`+ unsafe fn deallocate(ptr: *mut [u8]) {`
	`100`	`+ let _ = Box::from_raw(ptr);`
`85`	`101`	`}`
`86`	`102`	`}`
`87`	`103`
`@@ -136,7 +152,6 @@ mod std_only {`
`136`	`152`	`}`
`137`	`153`	`}`
`138`	`154`	`}`
`139`		`-`
`140`	`155`	`}`
`141`	`156`
`142`	`157`	`impl<'buf> Signing for SignOnlyPreallocated<'buf> {}`
`@@ -149,7 +164,7 @@ unsafe impl<'buf> Context for SignOnlyPreallocated<'buf> {`
`149`	`164`	`const FLAGS: c_uint = ffi::SECP256K1_START_SIGN;`
`150`	`165`	`const DESCRIPTION: &'static str = "signing only";`
`151`	`166`
`152`		`- fn deallocate(_ptr: *mut [u8]) {`
	`167`	`+ unsafe fn deallocate(_ptr: *mut [u8]) {`
`153`	`168`	`// Allocated by the user`
`154`	`169`	`}`
`155`	`170`	`}`
`@@ -158,7 +173,7 @@ unsafe impl<'buf> Context for VerifyOnlyPreallocated<'buf> {`
`158`	`173`	`const FLAGS: c_uint = ffi::SECP256K1_START_VERIFY;`
`159`	`174`	`const DESCRIPTION: &'static str = "verification only";`
`160`	`175`
`161`		`- fn deallocate(_ptr: *mut [u8]) {`
	`176`	`+ unsafe fn deallocate(_ptr: *mut [u8]) {`
`162`	`177`	`// Allocated by the user`
`163`	`178`	`}`
`164`	`179`	`}`
`@@ -167,7 +182,7 @@ unsafe impl<'buf> Context for AllPreallocated<'buf> {`
`167`	`182`	`const FLAGS: c_uint = SignOnlyPreallocated::FLAGS \| VerifyOnlyPreallocated::FLAGS;`
`168`	`183`	`const DESCRIPTION: &'static str = "all capabilities";`
`169`	`184`
`170`		`- fn deallocate(_ptr: *mut [u8]) {`
	`185`	`+ unsafe fn deallocate(_ptr: *mut [u8]) {`
`171`	`186`	`// Allocated by the user`
`172`	`187`	`}`
`173`	`188`	`}`
Original file line number	Diff line number	Diff line change
`@@ -574,8 +574,10 @@ impl<C: Context> Eq for Secp256k1<C> { }`
`574`	`574`
`575`	`575`	`impl<C: Context> Drop for Secp256k1<C> {`
`576`	`576`	`fn drop(&mut self) {`
`577`		`- unsafe { ffi::secp256k1_context_preallocated_destroy(self.ctx) };`
`578`		`- C::deallocate(self.buf);`
	`577`	`+ unsafe {`
	`578`	`+ ffi::secp256k1_context_preallocated_destroy(self.ctx);`
	`579`	`+ C::deallocate(self.buf);`
	`580`	`+ }`
`579`	`581`	`}`
`580`	`582`	`}`
`581`	`583`