algorithms: protect all functions with pub(crate)

While it is expected that the functions inside algorithms crates might be useful (and used) by other parties, they are low level functions and as such impose a high risk of being misused. Protect all of them with pub(crate) to prevent them from being exposed by mistake. Also add big fat warnings to raw RSA functions, which should never be used unless authors knows exactly what they are using. Signed-off-by: Dmitry Baryshkov <[email protected]>
RustCrypto · tarcieri · Apr 23, 2023 · Apr 19, 2023 · Apr 19, 2023 · Apr 19, 2023
commit d5e42fe33e2b4603f7e392f659d1ce8ca47aba61
diff --git a/src/algorithms/generate.rs b/src/algorithms/generate.rs
@@ -28,7 +28,7 @@ pub struct RsaPrivateKeyComponents {
 ///
 /// [1]: https://patents.google.com/patent/US4405829A/en
 /// [2]: http://www.cacr.math.uwaterloo.ca/techreports/2006/cacr2006-16.pdf
-pub fn generate_multi_prime_key_with_exp<R: CryptoRngCore + ?Sized>(
+pub(crate) fn generate_multi_prime_key_with_exp<R: CryptoRngCore + ?Sized>(
     rng: &mut R,
     nprimes: usize,
     bit_size: usize,

diff --git a/src/algorithms/mgf.rs b/src/algorithms/mgf.rs
@@ -5,7 +5,7 @@ use digest::{Digest, DynDigest, FixedOutputReset};
 /// Mask generation function.
 ///
 /// Panics if out is larger than 2**32. This is in accordance with RFC 8017 - PKCS #1 B.2.1
-pub fn mgf1_xor(out: &mut [u8], digest: &mut dyn DynDigest, seed: &[u8]) {
+pub(crate) fn mgf1_xor(out: &mut [u8], digest: &mut dyn DynDigest, seed: &[u8]) {
     let mut counter = [0u8; 4];
     let mut i = 0;
 
@@ -36,7 +36,7 @@ pub fn mgf1_xor(out: &mut [u8], digest: &mut dyn DynDigest, seed: &[u8]) {
 /// Mask generation function.
 ///
 /// Panics if out is larger than 2**32. This is in accordance with RFC 8017 - PKCS #1 B.2.1
-pub fn mgf1_xor_digest<D>(out: &mut [u8], digest: &mut D, seed: &[u8])
+pub(crate) fn mgf1_xor_digest<D>(out: &mut [u8], digest: &mut D, seed: &[u8])
 where
     D: Digest + FixedOutputReset,
 {

diff --git a/src/algorithms/pad.rs b/src/algorithms/pad.rs
@@ -20,13 +20,13 @@ fn left_pad(input: &[u8], padded_len: usize) -> Result<Vec<u8>> {
 
 /// Converts input to the new vector of the given length, using BE and with 0s left padded.
 #[inline]
-pub fn uint_to_be_pad(input: BigUint, padded_len: usize) -> Result<Vec<u8>> {
+pub(crate) fn uint_to_be_pad(input: BigUint, padded_len: usize) -> Result<Vec<u8>> {
     left_pad(&input.to_bytes_be(), padded_len)
 }
 
 /// Converts input to the new vector of the given length, using BE and with 0s left padded.
 #[inline]
-pub fn uint_to_zeroizing_be_pad(input: BigUint, padded_len: usize) -> Result<Vec<u8>> {
+pub(crate) fn uint_to_zeroizing_be_pad(input: BigUint, padded_len: usize) -> Result<Vec<u8>> {
     let m = Zeroizing::new(input);
     let m = Zeroizing::new(m.to_bytes_be());
     left_pad(&m, padded_len)
@@ -53,4 +53,3 @@ mod tests {
         assert!(padded.is_err());
     }
 }
-
diff --git a/src/algorithms/rsa.rs b/src/algorithms/rsa.rs
@@ -12,12 +12,14 @@ use crate::keytraits::{PrivateKeyParts, PublicKeyParts};
 
 /// Raw RSA encryption of m with the public key. No padding is performed.
 #[inline]
-pub fn rsa_encrypt<K: PublicKeyParts>(key: &K, m: &BigUint) -> Result<BigUint> {
+pub(crate) fn rsa_encrypt<K: PublicKeyParts>(key: &K, m: &BigUint) -> Result<BigUint> {
     Ok(m.modpow(key.e(), key.n()))
 }
 
 /// Performs raw RSA decryption with no padding, resulting in a plaintext `BigUint`.
 /// Peforms RSA blinding if an `Rng` is passed.
+/// WARNING! Raw RSA MUST NOT be used. Instead a proper padding or
+/// signature scheme should be used as implemented by the `rsa` crate.
 #[inline]
 fn rsa_decrypt<R: CryptoRngCore + ?Sized>(
     mut rng: Option<&mut R>,
@@ -113,8 +115,10 @@ fn rsa_decrypt<R: CryptoRngCore + ?Sized>(
 /// Performs RSA decryption, resulting in a plaintext `BigUint`.
 /// Peforms RSA blinding if an `Rng` is passed.
 /// This will also check for errors in the CRT computation.
+/// WARNING! Raw RSA MUST NOT be used. Instead a proper padding or
+/// signature scheme should be used as implemented by the `rsa` crate.
 #[inline]
-pub fn rsa_decrypt_and_check<R: CryptoRngCore + ?Sized>(
+pub(crate) fn rsa_decrypt_and_check<R: CryptoRngCore + ?Sized>(
     priv_key: &impl PrivateKeyParts,
     rng: Option<&mut R>,
     c: &BigUint,