Merge pull request #85 from stouset/specify-correct-mutability-in-ffi

Align mut-ness with underlying FFI calls

src/boxed.rs

@@ -473,7 +473,7 @@ impl<T: Bytes + Zeroable> From<&mut [T]> for Box<T> {
 unsafe impl<T: Bytes + Send> Send for Box<T> {}
 
 /// Immediately changes the page protection level on `ptr` to `prot`.
-fn mprotect<T>(ptr: *const T, prot: Prot) {
+fn mprotect<T>(ptr: *mut T, prot: Prot) {
     if !match prot {
         Prot::NoAccess  => unsafe { sodium::mprotect_noaccess(ptr)  },
         Prot::ReadOnly  => unsafe { sodium::mprotect_readonly(ptr)  },
@@ -693,7 +693,7 @@ mod tests {
     #[should_panic(expected = "secrets: error setting memory protection to NoAccess")]
     fn it_detects_sodium_mprotect_failure() {
         sodium::fail();
-        mprotect(std::ptr::null::<u8>(), Prot::NoAccess);
+        mprotect(std::ptr::null_mut::<u8>(), Prot::NoAccess);
     }
 }
 

src/ffi/sodium.rs

@@ -122,15 +122,15 @@ pub(crate) unsafe fn free<T>(ptr: *mut T) {
 }
 
 /// Calls the platform's underlying `mlock(2)` implementation.
-pub(crate) unsafe fn mlock<T>(ptr: *const T) -> bool {
+pub(crate) unsafe fn mlock<T>(ptr: *mut T) -> bool {
     #[cfg(test)]
     { if FAIL.with(|f| f.replace(false)) { return false }; let _x = 0; };
 
     sodium_mlock(ptr as *mut _, mem::size_of::<T>()) == 0
 }
 
 /// Calls the platform's underlying `munlock(2)` implementation.
-pub(crate) unsafe fn munlock<T>(ptr: *const T) -> bool {
+pub(crate) unsafe fn munlock<T>(ptr: *mut T) -> bool {
     #[cfg(test)]
     { if FAIL.with(|f| f.replace(false)) { return false }; let _x = 0; };
 
@@ -141,7 +141,7 @@ pub(crate) unsafe fn munlock<T>(ptr: *const T) -> bool {
 /// memory to `PROT_NONE`. This must be used in lieu of a raw call to
 /// `mprotect` which is unaware of the specific allocation pattern used
 /// by libsodium.
-pub(crate) unsafe fn mprotect_noaccess<T>(ptr: *const T) -> bool {
+pub(crate) unsafe fn mprotect_noaccess<T>(ptr: *mut T) -> bool {
     #[cfg(test)]
     { if FAIL.with(|f| f.replace(false)) { return false }; let _x = 0; };
 
@@ -152,7 +152,7 @@ pub(crate) unsafe fn mprotect_noaccess<T>(ptr: *const T) -> bool {
 /// memory to `PROT_READ`. This must be used in lieu of a raw call to
 /// `mprotect` which is unaware of the specific allocation pattern used
 /// by libsodium.
-pub(crate) unsafe fn mprotect_readonly<T>(ptr: *const T) -> bool {
+pub(crate) unsafe fn mprotect_readonly<T>(ptr: *mut T) -> bool {
     #[cfg(test)]
     { if FAIL.with(|f| f.replace(false)) { return false }; let _x = 0; };
 
@@ -163,7 +163,7 @@ pub(crate) unsafe fn mprotect_readonly<T>(ptr: *const T) -> bool {
 /// memory to `PROT_WRITE`. This must be used in lieu of a raw call to
 /// `mprotect` which is unaware of the specific allocation pattern used
 /// by libsodium.
-pub(crate) unsafe fn mprotect_readwrite<T>(ptr: *const T) -> bool {
+pub(crate) unsafe fn mprotect_readwrite<T>(ptr: *mut T) -> bool {
     #[cfg(test)]
     { if FAIL.with(|f| f.replace(false)) { return false }; let _x = 0; };
 

src/secret.rs

@@ -118,7 +118,7 @@ impl<T: Bytes> Secret<T> {
             data: T::uninitialized(),
         };
 
-        if unsafe { !sodium::mlock(&secret.data) } {
+        if unsafe { !sodium::mlock(&mut secret.data) } {
             panic!("secrets: unable to mlock memory for a Secret");
         };
 
@@ -196,7 +196,7 @@ impl<T: Bytes> Drop for Secret<T> {
     /// Ensures that the [`Secret`]'s underlying memory is `munlock`ed
     /// and zeroed when it leaves scope.
     fn drop(&mut self) {
-        if unsafe { !sodium::munlock(&self.data) } {
+        if unsafe { !sodium::munlock(&mut self.data) } {
             // [`Drop::drop`] is called during stack unwinding, so we
             // may be in a panic already.
             if !thread::panicking() {