colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

crypto: move nm_crypto_read_file() to "libnm-glib-aux"

Browse Source 
It has no actual dependency on the crypto library. All it does, is
to be careful about not leaking secrets in memory. We have code
for that in libnm-glib-aux already. Move.

The goal is to reduce the number of places where we use libnm-crypto,
because that has a large dependency. libnm-glib-aux is a very light
dependency instead.
This commit is contained in:
Thomas Haller
2022-03-18 21:57:37 +01:00
parent 723e1fc76f
commit 79f676c83a
4 changed files with 42 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/libnm-core-impl/nm-setting-8021x.c
View File

@@ -516,7 +516,7 @@ _cert_impl_set(NMSetting8021x *setting,
gs_unref_bytes GBytes *file = NULL; gs_unref_bytes GBytes *file = NULL;
if (NM_IN_SET(property, PROP_PRIVATE_KEY, PROP_PHASE2_PRIVATE_KEY)) { if (NM_IN_SET(property, PROP_PRIVATE_KEY, PROP_PHASE2_PRIVATE_KEY)) {
file = nm_crypto_read_file(value, error); file = nm_utils_read_crypto_file_to_bytes(value, error);
if (!file) if (!file)
goto err; goto err;
format = nm_crypto_verify_private_key_data(g_bytes_get_data(file, NULL), format = nm_crypto_verify_private_key_data(g_bytes_get_data(file, NULL),

37
src/libnm-crypto/nm-crypto.c
View File

@@ -432,35 +432,6 @@ parse_tpm2_wrapped_key_file(const guint8 *data,
return TRUE; return TRUE;
} }
static gboolean
file_read_contents(const char *filename, NMSecretPtr *out_contents, GError **error)
{
nm_assert(out_contents);
nm_assert(out_contents->len == 0);
nm_assert(!out_contents->str);
return nm_utils_file_get_contents(-1,
filename,
100 * 1024 * 1024,
NM_UTILS_FILE_GET_CONTENTS_FLAG_SECRET,
&out_contents->str,
&out_contents->len,
NULL,
error);
}
GBytes *
nm_crypto_read_file(const char *filename, GError **error)
{
nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
g_return_val_if_fail(filename, NULL);
if (!file_read_contents(filename, &contents, error))
return NULL;
return nm_secret_copy_to_gbytes(contents.bin, contents.len);
}
/* /*
* Convert a hex string into bytes. * Convert a hex string into bytes.
*/ */
@@ -661,7 +632,7 @@ nmtst_crypto_decrypt_openssl_private_key(const char *file,
if (!_nm_crypto_init(error)) if (!_nm_crypto_init(error))
return NULL; return NULL;
if (!file_read_contents(file, &contents, error)) if (!nm_utils_read_crypto_file(file, &contents, error))
return NULL; return NULL;
return nmtst_crypto_decrypt_openssl_private_key_data(contents.bin, return nmtst_crypto_decrypt_openssl_private_key_data(contents.bin,
@@ -735,7 +706,7 @@ nm_crypto_load_and_verify_certificate(const char *file,
if (!_nm_crypto_init(error)) if (!_nm_crypto_init(error))
goto out; goto out;
if (!file_read_contents(file, &contents, error)) if (!nm_utils_read_crypto_file(file, &contents, error))
goto out; goto out;
if (contents.len == 0) { if (contents.len == 0) {
@@ -826,7 +797,7 @@ nm_crypto_is_pkcs12_file(const char *file, GError **error)
if (!_nm_crypto_init(error)) if (!_nm_crypto_init(error))
return FALSE; return FALSE;
if (!file_read_contents(file, &contents, error)) if (!nm_utils_read_crypto_file(file, &contents, error))
return FALSE; return FALSE;
return nm_crypto_is_pkcs12_data(contents.bin, contents.len, error); return nm_crypto_is_pkcs12_data(contents.bin, contents.len, error);
@@ -904,7 +875,7 @@ nm_crypto_verify_private_key(const char *filename,
if (!_nm_crypto_init(error)) if (!_nm_crypto_init(error))
return NM_CRYPTO_FILE_FORMAT_UNKNOWN; return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
if (!file_read_contents(filename, &contents, error)) if (!nm_utils_read_crypto_file(filename, &contents, error))
return NM_CRYPTO_FILE_FORMAT_UNKNOWN; return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
return nm_crypto_verify_private_key_data(contents.bin, return nm_crypto_verify_private_key_data(contents.bin,

33
src/libnm-glib-aux/nm-secret-utils.c
View File

@@ -10,6 +10,8 @@
#include <malloc.h> #include <malloc.h>
#include "nm-io-utils.h"
/*****************************************************************************/ /*****************************************************************************/
void void
@@ -176,3 +178,34 @@ nm_utils_memeqzero_secret(gconstpointer data, gsize length)
} }
return 1 & ((acc - 1) >> 8); return 1 & ((acc - 1) >> 8);
} }
/*****************************************************************************/
gboolean
nm_utils_read_crypto_file(const char *filename, NMSecretPtr *out_contents, GError **error)
{
nm_assert(out_contents);
nm_assert(out_contents->len == 0);
nm_assert(!out_contents->str);
return nm_utils_file_get_contents(-1,
filename,
100 * 1024 * 1024,
NM_UTILS_FILE_GET_CONTENTS_FLAG_SECRET,
&out_contents->str,
&out_contents->len,
NULL,
error);
}
GBytes *
nm_utils_read_crypto_file_to_bytes(const char *filename, GError **error)
{
nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
g_return_val_if_fail(filename, NULL);
if (!nm_utils_read_crypto_file(filename, &contents, error))
return NULL;
return nm_secret_copy_to_gbytes(contents.bin, contents.len);
}

4
src/libnm-glib-aux/nm-secret-utils.h
View File

@@ -286,4 +286,8 @@ nm_secret_mem_try_realloc_take(gpointer m_old, gboolean do_bzero_mem, gsize cur_
/*****************************************************************************/ /*****************************************************************************/
gboolean nm_utils_read_crypto_file(const char *filename, NMSecretPtr *out_contents, GError **error);
GBytes *nm_utils_read_crypto_file_to_bytes(const char *filename, GError **error);
#endif /* __NM_SECRET_UTILS_H__ */ #endif /* __NM_SECRET_UTILS_H__ */