From 0f29348b6c473e305ee9afde9722955cedb9526c Mon Sep 17 00:00:00 2001
From: Andrew Poelstra
Date: Thu, 11 Aug 2022 18:57:51 +0000
Subject: [PATCH] move some unsafe code inside an unsafe{} boundary

An internal function had a non-unsafe signature but could be called with data that would cause it to exhibit UB. Move the unsafety inside of the function so that the function signature now enforces soundness.

Fixes #481
---
 src/ecdsa/mod.rs | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/ecdsa/mod.rs b/src/ecdsa/mod.rs
index 5f96cbe4e..d38a4873d 100644
--- a/src/ecdsa/mod.rs
+++ b/src/ecdsa/mod.rs
@@ -257,10 +257,14 @@ impl Secp256k1 {
 &self,
 msg: &Message,
 sk: &SecretKey,
- noncedata_ptr: *const ffi::types::c_void,
+ noncedata: Option<&[u8; 32]>,
 ) -> Signature {
 unsafe {
 let mut ret = ffi::Signature::new();
+ let noncedata_ptr = match noncedata {
+ Some(arr) => arr.as_c_ptr() as *const _,
+ None => ptr::null(),
+ };
 // We can assume the return value because it's not possible to construct
 // an invalid signature from a valid `Message` and `SecretKey`
 assert_eq!(ffi::secp256k1_ecdsa_sign(self.ctx, &mut ret, msg.as_c_ptr(),
@@ -273,7 +277,7 @@ impl Secp256k1 {
 /// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce
 /// Requires a signing-capable context.
 pub fn sign_ecdsa(&self, msg: &Message, sk: &SecretKey) -> Signature {
- self.sign_ecdsa_with_noncedata_pointer(msg, sk, ptr::null())
+ self.sign_ecdsa_with_noncedata_pointer(msg, sk, None)
 }
 
 /// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce
@@ -287,8 +291,7 @@ impl Secp256k1 {
 sk: &SecretKey,
 noncedata: &[u8; 32],
 ) -> Signature {
- let noncedata_ptr = noncedata.as_ptr() as *const ffi::types::c_void;
- self.sign_ecdsa_with_noncedata_pointer(msg, sk, noncedata_ptr)
+ self.sign_ecdsa_with_noncedata_pointer(msg, sk, Some(noncedata))
 }
 
 fn sign_grind_with_check(
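Review bot: In the first hunk (`@@ -257,10 +257,14 @@`) the `unsafe` block has no `// SAFETY:` comment stating what the FFI call relies on, and the new `match` that derives `noncedata_ptr` appears to be safe code placed inside it. I would hoist the match above `unsafe {` so the block covers only the `ffi::` calls, and add `// SAFETY: noncedata_ptr is null or points to a [u8; 32] that stays borrowed for the whole call` beside the `secp256k1_ecdsa_sign` call. The cast `as *const _` also leaves the pointee type to inference; writing `Some(arr) => arr.as_c_ptr() as *const ffi::types::c_void,` as the removed parameter did keeps the type that crosses the FFI boundary visible to an auditor. The function starts before this hunk and the call's remaining arguments continue past it, so the nonce function that consumes the pointer is not visible here.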
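Review bot: In the second hunk (`@@ -273,7 +277,7 @@`) the helper is still called `sign_ecdsa_with_noncedata_pointer`, although after this commit it takes `Option<&[u8; 32]>` and no caller hands it a pointer. A stale `_pointer` suffix on an internal signing helper invites a later reader to assume raw-pointer semantics at the call site; renaming it, for example to `sign_ecdsa_with_noncedata_opt`, would keep the name and the signature in agreement. The same call appears in the third hunk with `Some(noncedata)`, and the definition itself sits just above the first hunk.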