forbid unsafe

README.md

@@ -1,3 +1,5 @@
+[![Safety Dance](https://img.shields.io/badge/unsafe-forbidden-success.svg)](https://github.com/rust-secure-code/safety-dance/)
+
 Rust-Lightning, not Rusty's Lightning!
 =====
 

src/lib.rs

@@ -10,6 +10,7 @@
 //! instead of having a rather-separate lightning appendage to a wallet.
 
 #![cfg_attr(not(feature = "fuzztarget"), deny(missing_docs))]
+#![forbid(unsafe_code)]
 
 extern crate bitcoin;
 extern crate bitcoin_hashes;

src/ln/msgs.rs

@@ -713,7 +713,6 @@ mod fuzzy_internal_msgs {
 		pub(crate) data: OnionRealm0HopData,
 		pub(crate) hmac: [u8; 32],
 	}
-	unsafe impl ::util::internal_traits::NoDealloc for OnionHopData{}
 
 	pub struct DecodedOnionErrorPacket {
 		pub(crate) hmac: [u8; 32],

src/ln/onion_utils.rs

@@ -1,7 +1,7 @@
 use ln::channelmanager::{PaymentHash, HTLCSource};
 use ln::msgs;
 use ln::router::{Route,RouteHop};
-use util::{byte_utils, internal_traits};
+use util::byte_utils;
 use util::chacha20::ChaCha20;
 use util::errors::{self, APIError};
 use util::ser::{Readable, Writeable};
@@ -17,7 +17,6 @@ use secp256k1::Secp256k1;
 use secp256k1::ecdh::SharedSecret;
 use secp256k1;
 
-use std::ptr;
 use std::io::Cursor;
 use std::sync::Arc;
 
@@ -114,8 +113,6 @@ pub(super) fn build_onion_payloads(route: &Route, starting_htlc_offset: u32) ->
 	let mut cur_cltv = starting_htlc_offset;
 	let mut last_short_channel_id = 0;
 	let mut res: Vec<msgs::OnionHopData> = Vec::with_capacity(route.hops.len());
-	internal_traits::test_no_dealloc::<msgs::OnionHopData>(None);
-	unsafe { res.set_len(route.hops.len()); }
 
 	for (idx, hop) in route.hops.iter().enumerate().rev() {
 		// First hop gets special values so that it can check, on receipt, that everything is
@@ -123,7 +120,7 @@ pub(super) fn build_onion_payloads(route: &Route, starting_htlc_offset: u32) ->
 		// the intended recipient).
 		let value_msat = if cur_value_msat == 0 { hop.fee_msat } else { cur_value_msat };
 		let cltv = if cur_cltv == starting_htlc_offset { hop.cltv_expiry_delta + starting_htlc_offset } else { cur_cltv };
-		res[idx] = msgs::OnionHopData {
+		res.insert(0, msgs::OnionHopData {
 			realm: 0,
 			data: msgs::OnionRealm0HopData {
 				short_channel_id: last_short_channel_id,
@@ -131,7 +128,7 @@ pub(super) fn build_onion_payloads(route: &Route, starting_htlc_offset: u32) ->
 				outgoing_cltv_value: cltv,
 			},
 			hmac: [0; 32],
-		};
+		});
 		cur_value_msat += hop.fee_msat;
 		if cur_value_msat >= 21000000 * 100000000 * 1000 {
 			return Err(APIError::RouteError{err: "Channel fees overflowed?!"});
@@ -147,8 +144,8 @@ pub(super) fn build_onion_payloads(route: &Route, starting_htlc_offset: u32) ->
 
 #[inline]
 fn shift_arr_right(arr: &mut [u8; 20*65]) {
-	unsafe {
-		ptr::copy(arr[0..].as_ptr(), arr[65..].as_mut_ptr(), 19*65);
+	for i in (65..20*65).rev() {
+		arr[i] = arr[i-65];
 	}
 	for i in 0..65 {
 		arr[i] = 0;

src/util/internal_traits.rs

@@ -1,7 +0,0 @@
-/// A simple marker trait that indicates a type requires no deallocation. Implies we can set_len()
-/// on a Vec of these things and will be safe to overwrite them with =.
-pub unsafe trait NoDealloc {}
-
-/// Just call with test_no_dealloc::<Type>(None)
-#[inline]
-pub fn test_no_dealloc<T : NoDealloc>(_: Option<T>) { }

src/util/mod.rs

@@ -9,7 +9,6 @@ pub(crate) mod chacha20;
 #[cfg(not(feature = "fuzztarget"))]
 pub(crate) mod poly1305;
 pub(crate) mod chacha20poly1305rfc;
-pub(crate) mod internal_traits;
 pub(crate) mod transaction_utils;
 
 #[macro_use]