From d91bcc4960d02cc8dba5341fb1ef2b85f2a377f6 Mon Sep 17 00:00:00 2001 From: Dan Winship Date: Wed, 3 Dec 2014 08:23:44 -0500 Subject: [PATCH] libnm-core: drop nm_utils_rsa_key_encrypt(), _encrypt_aes() In general, we shouldn't end up with an unencrypted copy of a certificate key anyway, so this function ought to be unnecessary (or at least, not broadly useful enough to be in the public API). nm-applet's GConf migration tool needs it, but that will eventually go away, and until then it can just use libnm-util. --- libnm-core/nm-core-internal.h | 6 +++ libnm-core/nm-utils.c | 94 +++++----------------------------- libnm-core/nm-utils.h | 10 ---- libnm-core/tests/test-crypto.c | 28 +--------- libnm/libnm.ver | 2 - 5 files changed, 20 insertions(+), 120 deletions(-) diff --git a/libnm-core/nm-core-internal.h b/libnm-core/nm-core-internal.h index f4f4fe4c7..c0bbd71ea 100644 --- a/libnm-core/nm-core-internal.h +++ b/libnm-core/nm-core-internal.h @@ -121,4 +121,10 @@ void _nm_dbus_errors_init (void); extern gboolean _nm_utils_is_manager_process; +GByteArray *nm_utils_rsa_key_encrypt (const guint8 *data, + gsize len, + const char *in_password, + char **out_password, + GError **error); + #endif diff --git a/libnm-core/nm-utils.c b/libnm-core/nm-utils.c index 7daf72d39..7f6cf49a1 100644 --- a/libnm-core/nm-utils.c +++ b/libnm-core/nm-utils.c @@ -1975,8 +1975,7 @@ nm_utils_uuid_generate_from_string (const char *s) } /** - * nm_utils_rsa_key_encrypt_helper: - * @cipher: cipher to use for encryption ("DES-EDE3-CBC" or "AES-128-CBC") + * nm_utils_rsa_key_encrypt: * @data: (array length=len): RSA private key data to be encrypted * @len: length of @data * @in_password: (allow-none): existing password to use, if any @@ -1986,18 +1985,17 @@ nm_utils_uuid_generate_from_string (const char *s) * * Encrypts the given RSA private key data with the given password (or generates * a password if no password was given) and converts the data to PEM format - * suitable for writing to a file. + * suitable for writing to a file. It uses Triple DES cipher for the encryption. * * Returns: (transfer full): on success, PEM-formatted data suitable for writing * to a PEM-formatted certificate/private key file. **/ -static GByteArray * -nm_utils_rsa_key_encrypt_helper (const char *cipher, - const guint8 *data, - gsize len, - const char *in_password, - char **out_password, - GError **error) +GByteArray * +nm_utils_rsa_key_encrypt (const guint8 *data, + gsize len, + const char *in_password, + char **out_password, + GError **error) { char salt[16]; int salt_len; @@ -2009,7 +2007,6 @@ nm_utils_rsa_key_encrypt_helper (const char *cipher, const char *p; GByteArray *ret = NULL; - g_return_val_if_fail (!g_strcmp0 (cipher, CIPHER_DES_EDE3_CBC) || !g_strcmp0 (cipher, CIPHER_AES_CBC), NULL); g_return_val_if_fail (data != NULL, NULL); g_return_val_if_fail (len > 0, NULL); if (out_password) @@ -2022,17 +2019,13 @@ nm_utils_rsa_key_encrypt_helper (const char *cipher, in_password = tmp_password = nm_utils_bin2hexstr (pw_buf, sizeof (pw_buf), -1); } - if (g_strcmp0 (cipher, CIPHER_AES_CBC) == 0) - salt_len = 16; - else - salt_len = 8; - + salt_len = 8; if (!crypto_randomize (salt, salt_len, error)) goto out; - key = crypto_make_des_aes_key (cipher, &salt[0], salt_len, in_password, &key_len, NULL); + key = crypto_make_des_aes_key (CIPHER_DES_EDE3_CBC, &salt[0], salt_len, in_password, &key_len, NULL); g_return_val_if_fail (key, NULL); - enc = crypto_encrypt (cipher, data, len, salt, salt_len, key, key_len, &enc_len, error); + enc = crypto_encrypt (CIPHER_DES_EDE3_CBC, data, len, salt, salt_len, key, key_len, &enc_len, error); if (!enc) goto out; @@ -2042,7 +2035,7 @@ nm_utils_rsa_key_encrypt_helper (const char *cipher, /* Convert the salt to a hex string */ tmp = nm_utils_bin2hexstr (salt, salt_len, salt_len * 2); - g_string_append_printf (pem, "DEK-Info: %s,%s\n\n", cipher, tmp); + g_string_append_printf (pem, "DEK-Info: %s,%s\n\n", CIPHER_DES_EDE3_CBC, tmp); g_free (tmp); /* Convert the encrypted key to a base64 string */ @@ -2083,69 +2076,6 @@ out: return ret; } -/** - * nm_utils_rsa_key_encrypt: - * @data: (array length=len): RSA private key data to be encrypted - * @len: length of @data - * @in_password: (allow-none): existing password to use, if any - * @out_password: (out) (allow-none): if @in_password was %NULL, a random - * password will be generated and returned in this argument - * @error: detailed error information on return, if an error occurred - * - * Encrypts the given RSA private key data with the given password (or generates - * a password if no password was given) and converts the data to PEM format - * suitable for writing to a file. It uses Triple DES cipher for the encryption. - * - * Returns: (transfer full): on success, PEM-formatted data suitable for writing - * to a PEM-formatted certificate/private key file. - **/ -GByteArray * -nm_utils_rsa_key_encrypt (const guint8 *data, - gsize len, - const char *in_password, - char **out_password, - GError **error) -{ - - - return nm_utils_rsa_key_encrypt_helper (CIPHER_DES_EDE3_CBC, - data, len, - in_password, - out_password, - error); -} - -/** - * nm_utils_rsa_key_encrypt_aes: - * @data: (array length=len): RSA private key data to be encrypted - * @len: length of @data - * @in_password: (allow-none): existing password to use, if any - * @out_password: (out) (allow-none): if @in_password was %NULL, a random - * password will be generated and returned in this argument - * @error: detailed error information on return, if an error occurred - * - * Encrypts the given RSA private key data with the given password (or generates - * a password if no password was given) and converts the data to PEM format - * suitable for writing to a file. It uses AES cipher for the encryption. - * - * Returns: (transfer full): on success, PEM-formatted data suitable for writing - * to a PEM-formatted certificate/private key file. - **/ -GByteArray * -nm_utils_rsa_key_encrypt_aes (const guint8 *data, - gsize len, - const char *in_password, - char **out_password, - GError **error) -{ - - return nm_utils_rsa_key_encrypt_helper (CIPHER_AES_CBC, - data, len, - in_password, - out_password, - error); -} - static gboolean file_has_extension (const char *filename, const char *extensions[]) { diff --git a/libnm-core/nm-utils.h b/libnm-core/nm-utils.h index debcc83bb..85f5afd06 100644 --- a/libnm-core/nm-utils.h +++ b/libnm-core/nm-utils.h @@ -123,16 +123,6 @@ GPtrArray *nm_utils_ip_routes_from_variant (GVariant *value, char *nm_utils_uuid_generate (void); char *nm_utils_uuid_generate_from_string (const char *s); -GByteArray *nm_utils_rsa_key_encrypt (const guint8 *data, - gsize len, - const char *in_password, - char **out_password, - GError **error); -GByteArray *nm_utils_rsa_key_encrypt_aes (const guint8 *data, - gsize len, - const char *in_password, - char **out_password, - GError **error); gboolean nm_utils_file_is_certificate (const char *filename); gboolean nm_utils_file_is_private_key (const char *filename, gboolean *out_encrypted); gboolean nm_utils_file_is_pkcs12 (const char *filename); diff --git a/libnm-core/tests/test-crypto.c b/libnm-core/tests/test-crypto.c index 05157f018..0777de3f3 100644 --- a/libnm-core/tests/test-crypto.c +++ b/libnm-core/tests/test-crypto.c @@ -33,6 +33,7 @@ #include "crypto.h" #include "nm-utils.h" #include "nm-errors.h" +#include "nm-core-internal.h" #include "nm-test-utils.h" @@ -254,28 +255,6 @@ test_load_pkcs8 (const char *path, } } -static gboolean -is_cipher_aes (const char *path) -{ - char *contents; - gsize length = 0; - const char *cipher; - gboolean is_aes = FALSE; - - if (!g_file_get_contents (path, &contents, &length, NULL)) - return FALSE; - - cipher = strstr (contents, "DEK-Info: "); - if (cipher) { - cipher += strlen ("DEK-Info: "); - if (g_str_has_prefix (cipher, "AES-128-CBC")) - is_aes = TRUE; - } - - g_free (contents); - return is_aes; -} - static void test_encrypt_private_key (const char *path, const char *password) @@ -290,10 +269,7 @@ test_encrypt_private_key (const char *path, g_assert_cmpint (key_type, ==, NM_CRYPTO_KEY_TYPE_RSA); /* Now re-encrypt the private key */ - if (is_cipher_aes (path)) - encrypted = nm_utils_rsa_key_encrypt_aes (array->data, array->len, password, NULL, &error); - else - encrypted = nm_utils_rsa_key_encrypt (array->data, array->len, password, NULL, &error); + encrypted = nm_utils_rsa_key_encrypt (array->data, array->len, password, NULL, &error); g_assert_no_error (error); g_assert (encrypted != NULL); diff --git a/libnm/libnm.ver b/libnm/libnm.ver index ec29475dd..58d886029 100644 --- a/libnm/libnm.ver +++ b/libnm/libnm.ver @@ -788,8 +788,6 @@ global: nm_utils_ipaddr_valid; nm_utils_is_empty_ssid; nm_utils_is_uuid; - nm_utils_rsa_key_encrypt; - nm_utils_rsa_key_encrypt_aes; nm_utils_same_ssid; nm_utils_security_type_get_type; nm_utils_security_valid;