colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

libnm-core: drop nm_utils_rsa_key_encrypt(), _encrypt_aes()

Browse Source 
In general, we shouldn't end up with an unencrypted copy of a
certificate key anyway, so this function ought to be unnecessary (or
at least, not broadly useful enough to be in the public API).
nm-applet's GConf migration tool needs it, but that will eventually go
away, and until then it can just use libnm-util.
This commit is contained in:
Dan Winship
2014-12-03 08:23:44 -05:00
parent ef3de46c43
commit d91bcc4960
5 changed files with 20 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libnm-core/nm-core-internal.h
View File

@@ -121,4 +121,10 @@ void _nm_dbus_errors_init (void);
extern gboolean _nm_utils_is_manager_process; extern gboolean _nm_utils_is_manager_process;
GByteArray *nm_utils_rsa_key_encrypt (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error);
#endif #endif

94
libnm-core/nm-utils.c
View File

@@ -1975,8 +1975,7 @@ nm_utils_uuid_generate_from_string (const char *s)
} }
/** /**
* nm_utils_rsa_key_encrypt_helper: * nm_utils_rsa_key_encrypt:
* @cipher: cipher to use for encryption ("DES-EDE3-CBC" or "AES-128-CBC")
* @data: (array length=len): RSA private key data to be encrypted * @data: (array length=len): RSA private key data to be encrypted
* @len: length of @data * @len: length of @data
* @in_password: (allow-none): existing password to use, if any * @in_password: (allow-none): existing password to use, if any
@@ -1986,18 +1985,17 @@ nm_utils_uuid_generate_from_string (const char *s)
* *
* Encrypts the given RSA private key data with the given password (or generates * Encrypts the given RSA private key data with the given password (or generates
* a password if no password was given) and converts the data to PEM format * a password if no password was given) and converts the data to PEM format
* suitable for writing to a file. * suitable for writing to a file. It uses Triple DES cipher for the encryption.
* *
* Returns: (transfer full): on success, PEM-formatted data suitable for writing * Returns: (transfer full): on success, PEM-formatted data suitable for writing
* to a PEM-formatted certificate/private key file. * to a PEM-formatted certificate/private key file.
**/ **/
static GByteArray * GByteArray *
nm_utils_rsa_key_encrypt_helper (const char *cipher, nm_utils_rsa_key_encrypt (const guint8 *data,
const guint8 *data, gsize len,
gsize len, const char *in_password,
const char *in_password, char **out_password,
char **out_password, GError **error)
GError **error)
{ {
char salt[16]; char salt[16];
int salt_len; int salt_len;
@@ -2009,7 +2007,6 @@ nm_utils_rsa_key_encrypt_helper (const char *cipher,
const char *p; const char *p;
GByteArray *ret = NULL; GByteArray *ret = NULL;
g_return_val_if_fail (!g_strcmp0 (cipher, CIPHER_DES_EDE3_CBC) || !g_strcmp0 (cipher, CIPHER_AES_CBC), NULL);
g_return_val_if_fail (data != NULL, NULL); g_return_val_if_fail (data != NULL, NULL);
g_return_val_if_fail (len > 0, NULL); g_return_val_if_fail (len > 0, NULL);
if (out_password) if (out_password)
@@ -2022,17 +2019,13 @@ nm_utils_rsa_key_encrypt_helper (const char *cipher,
in_password = tmp_password = nm_utils_bin2hexstr (pw_buf, sizeof (pw_buf), -1); in_password = tmp_password = nm_utils_bin2hexstr (pw_buf, sizeof (pw_buf), -1);
} }
if (g_strcmp0 (cipher, CIPHER_AES_CBC) == 0) salt_len = 8;
salt_len = 16;
else
salt_len = 8;
if (!crypto_randomize (salt, salt_len, error)) if (!crypto_randomize (salt, salt_len, error))
goto out; goto out;
key = crypto_make_des_aes_key (cipher, &salt[0], salt_len, in_password, &key_len, NULL); key = crypto_make_des_aes_key (CIPHER_DES_EDE3_CBC, &salt[0], salt_len, in_password, &key_len, NULL);
g_return_val_if_fail (key, NULL); g_return_val_if_fail (key, NULL);
enc = crypto_encrypt (cipher, data, len, salt, salt_len, key, key_len, &enc_len, error); enc = crypto_encrypt (CIPHER_DES_EDE3_CBC, data, len, salt, salt_len, key, key_len, &enc_len, error);
if (!enc) if (!enc)
goto out; goto out;
@@ -2042,7 +2035,7 @@ nm_utils_rsa_key_encrypt_helper (const char *cipher,
/* Convert the salt to a hex string */ /* Convert the salt to a hex string */
tmp = nm_utils_bin2hexstr (salt, salt_len, salt_len * 2); tmp = nm_utils_bin2hexstr (salt, salt_len, salt_len * 2);
g_string_append_printf (pem, "DEK-Info: %s,%s\n\n", cipher, tmp); g_string_append_printf (pem, "DEK-Info: %s,%s\n\n", CIPHER_DES_EDE3_CBC, tmp);
g_free (tmp); g_free (tmp);
/* Convert the encrypted key to a base64 string */ /* Convert the encrypted key to a base64 string */
@@ -2083,69 +2076,6 @@ out:
return ret; return ret;
} }
/**
* nm_utils_rsa_key_encrypt:
* @data: (array length=len): RSA private key data to be encrypted
* @len: length of @data
* @in_password: (allow-none): existing password to use, if any
* @out_password: (out) (allow-none): if @in_password was %NULL, a random
* password will be generated and returned in this argument
* @error: detailed error information on return, if an error occurred
*
* Encrypts the given RSA private key data with the given password (or generates
* a password if no password was given) and converts the data to PEM format
* suitable for writing to a file. It uses Triple DES cipher for the encryption.
*
* Returns: (transfer full): on success, PEM-formatted data suitable for writing
* to a PEM-formatted certificate/private key file.
**/
GByteArray *
nm_utils_rsa_key_encrypt (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error)
{
return nm_utils_rsa_key_encrypt_helper (CIPHER_DES_EDE3_CBC,
data, len,
in_password,
out_password,
error);
}
/**
* nm_utils_rsa_key_encrypt_aes:
* @data: (array length=len): RSA private key data to be encrypted
* @len: length of @data
* @in_password: (allow-none): existing password to use, if any
* @out_password: (out) (allow-none): if @in_password was %NULL, a random
* password will be generated and returned in this argument
* @error: detailed error information on return, if an error occurred
*
* Encrypts the given RSA private key data with the given password (or generates
* a password if no password was given) and converts the data to PEM format
* suitable for writing to a file. It uses AES cipher for the encryption.
*
* Returns: (transfer full): on success, PEM-formatted data suitable for writing
* to a PEM-formatted certificate/private key file.
**/
GByteArray *
nm_utils_rsa_key_encrypt_aes (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error)
{
return nm_utils_rsa_key_encrypt_helper (CIPHER_AES_CBC,
data, len,
in_password,
out_password,
error);
}
static gboolean static gboolean
file_has_extension (const char *filename, const char *extensions[]) file_has_extension (const char *filename, const char *extensions[])
{ {

10
libnm-core/nm-utils.h
View File

@@ -123,16 +123,6 @@ GPtrArray *nm_utils_ip_routes_from_variant (GVariant *value,
char *nm_utils_uuid_generate (void); char *nm_utils_uuid_generate (void);
char *nm_utils_uuid_generate_from_string (const char *s); char *nm_utils_uuid_generate_from_string (const char *s);
GByteArray *nm_utils_rsa_key_encrypt (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error);
GByteArray *nm_utils_rsa_key_encrypt_aes (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error);
gboolean nm_utils_file_is_certificate (const char *filename); gboolean nm_utils_file_is_certificate (const char *filename);
gboolean nm_utils_file_is_private_key (const char *filename, gboolean *out_encrypted); gboolean nm_utils_file_is_private_key (const char *filename, gboolean *out_encrypted);
gboolean nm_utils_file_is_pkcs12 (const char *filename); gboolean nm_utils_file_is_pkcs12 (const char *filename);

28
libnm-core/tests/test-crypto.c
View File

@@ -33,6 +33,7 @@
#include "crypto.h" #include "crypto.h"
#include "nm-utils.h" #include "nm-utils.h"
#include "nm-errors.h" #include "nm-errors.h"
#include "nm-core-internal.h"
#include "nm-test-utils.h" #include "nm-test-utils.h"
@@ -254,28 +255,6 @@ test_load_pkcs8 (const char *path,
} }
} }
static gboolean
is_cipher_aes (const char *path)
{
char *contents;
gsize length = 0;
const char *cipher;
gboolean is_aes = FALSE;
if (!g_file_get_contents (path, &contents, &length, NULL))
return FALSE;
cipher = strstr (contents, "DEK-Info: ");
if (cipher) {
cipher += strlen ("DEK-Info: ");
if (g_str_has_prefix (cipher, "AES-128-CBC"))
is_aes = TRUE;
}
g_free (contents);
return is_aes;
}
static void static void
test_encrypt_private_key (const char *path, test_encrypt_private_key (const char *path,
const char *password) const char *password)
@@ -290,10 +269,7 @@ test_encrypt_private_key (const char *path,
g_assert_cmpint (key_type, ==, NM_CRYPTO_KEY_TYPE_RSA); g_assert_cmpint (key_type, ==, NM_CRYPTO_KEY_TYPE_RSA);
/* Now re-encrypt the private key */ /* Now re-encrypt the private key */
if (is_cipher_aes (path)) encrypted = nm_utils_rsa_key_encrypt (array->data, array->len, password, NULL, &error);
encrypted = nm_utils_rsa_key_encrypt_aes (array->data, array->len, password, NULL, &error);
else
encrypted = nm_utils_rsa_key_encrypt (array->data, array->len, password, NULL, &error);
g_assert_no_error (error); g_assert_no_error (error);
g_assert (encrypted != NULL); g_assert (encrypted != NULL);

2
libnm/libnm.ver
View File

@@ -788,8 +788,6 @@ global:
nm_utils_ipaddr_valid; nm_utils_ipaddr_valid;
nm_utils_is_empty_ssid; nm_utils_is_empty_ssid;
nm_utils_is_uuid; nm_utils_is_uuid;
nm_utils_rsa_key_encrypt;
nm_utils_rsa_key_encrypt_aes;
nm_utils_same_ssid; nm_utils_same_ssid;
nm_utils_security_type_get_type; nm_utils_security_type_get_type;
nm_utils_security_valid; nm_utils_security_valid;