3 files changed, 107 insertions, 90 deletions
diff --git a/src/rust/protover/ffi.rs b/src/rust/protover/ffi.rs
index 3eb22c933e..d724c102d3 100644
--- a/src/rust/protover/ffi.rs
+++ b/src/rust/protover/ffi.rs
@@ -12,6 +12,9 @@ use std::ffi::CString;
 use protover::*;
 use smartlist::*;
 use tor_allocate::allocate_and_copy_string;
+use tor_util::strings::byte_slice_is_c_like;
+use tor_util::strings::empty_static_cstr;
+
 
 /// Translate C enums to Rust Proto enums, using the integer value of the C
 /// enum to map to its associated Rust enum
@@ -137,18 +140,22 @@ pub extern "C" fn protocol_list_supports_protocol_or_later(
 /// Provide an interface for C to translate arguments and return types for
 /// protover::get_supported_protocols
 #[no_mangle]
-pub extern "C" fn protover_get_supported_protocols() -> *mut c_char {
-    // Not handling errors when unwrapping as the content is controlled
-    // and is an empty string
-    let empty = CString::new("").unwrap();
-
-    let supported = get_supported_protocols();
-    let c_supported = match CString::new(supported) {
-        Ok(n) => n,
-        Err(_) => return empty.into_raw(),
-    };
-
-    c_supported.into_raw()
+pub extern "C" fn protover_get_supported_protocols() -> *const c_char {
+    let supported: &'static CStr;
+
+    // If we're going to pass it to C, there cannot be any intermediate NUL
+    // bytes.  An assert is okay here, since changing the const byte slice
+    // in protover.rs to contain a NUL byte somewhere in the middle would be a
+    // programming error.
+    assert!(byte_slice_is_c_like(SUPPORTED_PROTOCOLS));
+
+    // It's okay to unwrap the result of this function because
+    // we can see that the bytes we're passing into it 1) are valid UTF-8,
+    // 2) have no intermediate NUL bytes, and 3) are terminated with a NUL
+    // byte.
+    supported = CStr::from_bytes_with_nul(SUPPORTED_PROTOCOLS).unwrap();
+
+    supported.as_ptr()
 }
 
 /// Provide an interface for C to translate arguments and return types for
@@ -193,15 +200,15 @@ pub extern "C" fn protover_is_supported_here(
 /// Provide an interface for C to translate arguments and return types for
 /// protover::compute_for_old_tor
 #[no_mangle]
-pub extern "C" fn protover_compute_for_old_tor(
-    version: *const c_char,
-) -> *mut c_char {
-    // Not handling errors when unwrapping as the content is controlled
-    // and is an empty string
-    let empty = String::new();
+pub extern "C" fn protover_compute_for_old_tor(version: *const c_char) -> *const c_char {
+    let supported: &'static CStr;
+    let elder_protocols: &'static [u8];
+    let empty: &'static CStr;
+
+    empty = empty_static_cstr();
 
     if version.is_null() {
-        return allocate_and_copy_string(&empty);
+        return empty.as_ptr();
     }
 
     // Require an unsafe block to read the version from a C string. The pointer
@@ -210,10 +217,22 @@ pub extern "C" fn protover_compute_for_old_tor(
 
     let version = match c_str.to_str() {
         Ok(n) => n,
-        Err(_) => return allocate_and_copy_string(&empty),
+        Err(_) => return empty.as_ptr(),
     };
 
-    let supported = compute_for_old_tor(&version);
+    elder_protocols = compute_for_old_tor(&version);
+
+    // If we're going to pass it to C, there cannot be any intermediate NUL
+    // bytes.  An assert is okay here, since changing the const byte slice
+    // in protover.rs to contain a NUL byte somewhere in the middle would be a
+    // programming error.
+    assert!(byte_slice_is_c_like(elder_protocols));
+
+    // It's okay to unwrap the result of this function because
+    // we can see that the bytes we're passing into it 1) are valid UTF-8,
+    // 2) have no intermediate NUL bytes, and 3) are terminated with a NUL
+    // byte.
+    supported = CStr::from_bytes_with_nul(elder_protocols).unwrap();
 
-    allocate_and_copy_string(&supported)
+    supported.as_ptr()
 }
diff --git a/src/rust/protover/lib.rs b/src/rust/protover/lib.rs
index 5a5dea4408..fe8c0f9bb2 100644
--- a/src/rust/protover/lib.rs
+++ b/src/rust/protover/lib.rs
@@ -26,6 +26,7 @@ extern crate libc;
 extern crate smartlist;
 extern crate external;
 extern crate tor_allocate;
+extern crate tor_util;
 
 mod protover;
 pub mod ffi;
diff --git a/src/rust/protover/protover.rs b/src/rust/protover/protover.rs
index af0049a414..826f1b73f1 100644
--- a/src/rust/protover/protover.rs
+++ b/src/rust/protover/protover.rs
@@ -3,12 +3,15 @@
 
 use external::c_tor_version_as_new_as;
 
+use std::str;
 use std::str::FromStr;
 use std::fmt;
 use std::collections::{HashMap, HashSet};
 use std::ops::Range;
 use std::string::String;
 
+use tor_util::strings::NUL_BYTE;
+
 /// The first version of Tor that included "proto" entries in its descriptors.
 /// Authorities should use this to decide whether to guess proto lines.
 ///
@@ -22,21 +25,29 @@ const FIRST_TOR_VERSION_TO_ADVERTISE_PROTOCOLS: &'static str = "0.2.9.3-alpha";
 /// C_RUST_COUPLED: src/or/protover.c `MAX_PROTOCOLS_TO_EXPAND`
 const MAX_PROTOCOLS_TO_EXPAND: u32 = 500;
 
-/// Currently supported protocols and their versions
+/// Currently supported protocols and their versions, as a byte-slice.
+///
+/// # Warning
+///
+/// This byte-slice ends in a NUL byte.  This is so that we can directly convert
+/// it to an `&'static CStr` in the FFI code, in order to hand the static string
+/// to C in a way that is compatible with C static strings.
+///
+/// Rust code which wishes to accesses this string should use
+/// `protover::get_supported_protocols()` instead.
 ///
 /// C_RUST_COUPLED: src/or/protover.c `protover_get_supported_protocols`
-const SUPPORTED_PROTOCOLS: &'static [&'static str] = &[
-    "Cons=1-2",
-    "Desc=1-2",
-    "DirCache=1-2",
-    "HSDir=1-2",
-    "HSIntro=3-4",
-    "HSRend=1-2",
-    "Link=1-4",
-    "LinkAuth=1,3",
-    "Microdesc=1-2",
-    "Relay=1-2",
-];
+pub(crate) const SUPPORTED_PROTOCOLS: &'static [u8] =
+    b"Cons=1-2 \
+    Desc=1-2 \
+    DirCache=1-2 \
+    HSDir=1-2 \
+    HSIntro=3-4 \
+    HSRend=1-2 \
+    Link=1-5 \
+    LinkAuth=1,3 \
+    Microdesc=1-2 \
+    Relay=1-2\0";
 
 /// Known subprotocols in Tor. Indicates which subprotocol a relay supports.
 ///
@@ -94,36 +105,17 @@ impl FromStr for Proto {
 ///
 /// "HSDir=1-1 LinkAuth=1"
 ///
-pub fn get_supported_protocols() -> String {
-    SUPPORTED_PROTOCOLS.join(" ")
+pub fn get_supported_protocols() -> &'static str {
+    // The `len() - 1` is to remove the NUL byte.
+    // The `unwrap` is safe becauase we SUPPORTED_PROTOCOLS is under
+    // our control.
+    str::from_utf8(&SUPPORTED_PROTOCOLS[..SUPPORTED_PROTOCOLS.len() - 1])
+        .unwrap()
 }
 
 pub struct SupportedProtocols(HashMap<Proto, Versions>);
 
 impl SupportedProtocols {
-    /// # Examples
-    ///
-    /// ```
-    /// use protover::SupportedProtocols;
-    ///
-    /// let supported_protocols = SupportedProtocols::from_proto_entries_string(
-    ///     "HSDir=1-2 HSIntro=3-4"
-    /// );
-    /// ```
-    pub fn from_proto_entries_string(
-        proto_entries: &str,
-    ) -> Result<Self, &'static str> {
-        Self::from_proto_entries(proto_entries.split(" "))
-    }
-
-    /// ```
-    /// use protover::SupportedProtocols;
-    ///
-    /// let supported_protocols = SupportedProtocols::from_proto_entries([
-    ///     "HSDir=1-2",
-    ///     "HSIntro=3-4",
-    /// ].iter());
-    /// ```
     pub fn from_proto_entries<I, S>(protocol_strs: I) -> Result<Self, &'static str>
     where
         I: Iterator<Item = S>,
@@ -137,19 +129,30 @@ impl SupportedProtocols {
         Ok(SupportedProtocols(parsed))
     }
 
-    /// Translates supported tor versions from  a string into a HashMap, which
-    /// is useful when looking up a specific subprotocol.
+    /// Translates a string representation of a protocol list to a
+    /// SupportedProtocols instance.
     ///
-    /// # Returns
+    /// # Examples
     ///
-    /// A `Result` whose `Ok` value is a `HashMap<Proto, <Version>>` holding all
-    /// subprotocols and versions currently supported by tor.
+    /// ```
+    /// use protover::SupportedProtocols;
     ///
-    /// The returned `Result`'s `Err` value is an `&'static str` with a
-    /// description of the error.
+    /// let supported_protocols = SupportedProtocols::from_proto_entries_string(
+    ///     "HSDir=1-2 HSIntro=3-4"
+    /// );
+    /// ```
+    pub fn from_proto_entries_string(
+        proto_entries: &str,
+    ) -> Result<Self, &'static str> {
+        Self::from_proto_entries(proto_entries.split(" "))
+    }
+
+    /// Translate the supported tor versions from a string into a
+    /// HashMap, which is useful when looking up a specific
+    /// subprotocol.
     ///
     fn tor_supported() -> Result<Self, &'static str> {
-        Self::from_proto_entries(SUPPORTED_PROTOCOLS.iter().map(|n| *n))
+        Self::from_proto_entries_string(get_supported_protocols())
     }
 }
 
@@ -646,7 +649,7 @@ pub fn compute_vote(
     }
 
     let mut final_output: HashMap<String, String> =
-        HashMap::with_capacity(SUPPORTED_PROTOCOLS.len());
+        HashMap::with_capacity(get_supported_protocols().split(" ").count());
 
     // Go through and remove verstions that are less than the threshold
     for (protocol, versions) in all_count {
@@ -705,7 +708,7 @@ fn write_vote_to_string(vote: &HashMap<String, String>) -> String {
 /// ```
 /// use protover::*;
 ///
-/// let is_supported = is_supported_here(Proto::Link, 5);
+/// let is_supported = is_supported_here(Proto::Link, 10);
 /// assert_eq!(false, is_supported);
 ///
 /// let is_supported = is_supported_here(Proto::Link, 1);
@@ -730,12 +733,12 @@ pub fn is_supported_here(proto: Proto, vers: Version) -> bool {
 ///
 /// # Inputs
 ///
-/// * `version`, a string comprised of "[0-9,-]"
+/// * `version`, a string comprised of "[0-9a-z.-]"
 ///
 /// # Returns
 ///
-/// A `String` whose value is series of pairs, comprising of the protocol name
-/// and versions that it supports. The string takes the following format:
+/// A `&'static [u8]` encoding a list of protocol names and supported
+/// versions. The string takes the following format:
 ///
 /// "HSDir=1-1 LinkAuth=1"
 ///
@@ -743,33 +746,27 @@ pub fn is_supported_here(proto: Proto, vers: Version) -> bool {
 /// only for tor versions older than FIRST_TOR_VERSION_TO_ADVERTISE_PROTOCOLS.
 ///
 /// C_RUST_COUPLED: src/rust/protover.c `compute_for_old_tor`
-pub fn compute_for_old_tor(version: &str) -> String {
-    if c_tor_version_as_new_as(
-        version,
-        FIRST_TOR_VERSION_TO_ADVERTISE_PROTOCOLS,
-    )
-    {
-        return String::new();
+pub fn compute_for_old_tor(version: &str) -> &'static [u8] {
+    if c_tor_version_as_new_as(version, FIRST_TOR_VERSION_TO_ADVERTISE_PROTOCOLS) {
+        return NUL_BYTE;
     }
 
     if c_tor_version_as_new_as(version, "0.2.9.1-alpha") {
-        let ret = "Cons=1-2 Desc=1-2 DirCache=1 HSDir=1 HSIntro=3 HSRend=1-2 \
-                   Link=1-4 LinkAuth=1 Microdesc=1-2 Relay=1-2";
-        return String::from(ret);
+        return b"Cons=1-2 Desc=1-2 DirCache=1 HSDir=1 HSIntro=3 HSRend=1-2 \
+                 Link=1-4 LinkAuth=1 Microdesc=1-2 Relay=1-2\0";
     }
 
     if c_tor_version_as_new_as(version, "0.2.7.5") {
-        let ret = "Cons=1-2 Desc=1-2 DirCache=1 HSDir=1 HSIntro=3 HSRend=1 \
-                   Link=1-4 LinkAuth=1 Microdesc=1-2 Relay=1-2";
-        return String::from(ret);
+        return b"Cons=1-2 Desc=1-2 DirCache=1 HSDir=1 HSIntro=3 HSRend=1 \
+                 Link=1-4 LinkAuth=1 Microdesc=1-2 Relay=1-2\0";
     }
 
     if c_tor_version_as_new_as(version, "0.2.4.19") {
-        let ret = "Cons=1 Desc=1 DirCache=1 HSDir=1 HSIntro=3 HSRend=1 \
-                   Link=1-4 LinkAuth=1 Microdesc=1 Relay=1-2";
-        return String::from(ret);
+        return b"Cons=1 Desc=1 DirCache=1 HSDir=1 HSIntro=3 HSRend=1 \
+                 Link=1-4 LinkAuth=1 Microdesc=1 Relay=1-2\0";
     }
-    String::new()
+
+    NUL_BYTE
 }
 
 #[cfg(test)]