colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

libnm-core: drop nm_utils_rsa_key_encrypt(), _encrypt_aes()

Browse Source 
In general, we shouldn't end up with an unencrypted copy of a
certificate key anyway, so this function ought to be unnecessary (or
at least, not broadly useful enough to be in the public API).
nm-applet's GConf migration tool needs it, but that will eventually go
away, and until then it can just use libnm-util.
This commit is contained in:
Dan Winship
2014-12-03 08:23:44 -05:00
parent ef3de46c43
commit d91bcc4960
5 changed files with 20 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libnm-core/nm-core-internal.h
View File

@@ -121,4 +121,10 @@ void _nm_dbus_errors_init (void);
extern gboolean _nm_utils_is_manager_process;
GByteArray *nm_utils_rsa_key_encrypt (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error);
#endif

94
libnm-core/nm-utils.c
View File

@@ -1975,8 +1975,7 @@ nm_utils_uuid_generate_from_string (const char *s)
}
/**
* nm_utils_rsa_key_encrypt_helper:
* @cipher: cipher to use for encryption ("DES-EDE3-CBC" or "AES-128-CBC")
* nm_utils_rsa_key_encrypt:
* @data: (array length=len): RSA private key data to be encrypted
* @len: length of @data
* @in_password: (allow-none): existing password to use, if any
@@ -1986,18 +1985,17 @@ nm_utils_uuid_generate_from_string (const char *s)
*
* Encrypts the given RSA private key data with the given password (or generates
* a password if no password was given) and converts the data to PEM format
* suitable for writing to a file.
* suitable for writing to a file. It uses Triple DES cipher for the encryption.
*
* Returns: (transfer full): on success, PEM-formatted data suitable for writing
* to a PEM-formatted certificate/private key file.
**/
static GByteArray *
nm_utils_rsa_key_encrypt_helper (const char *cipher,
const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error)
GByteArray *
nm_utils_rsa_key_encrypt (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error)
{
char salt[16];
int salt_len;
@@ -2009,7 +2007,6 @@ nm_utils_rsa_key_encrypt_helper (const char *cipher,
const char *p;
GByteArray *ret = NULL;
g_return_val_if_fail (!g_strcmp0 (cipher, CIPHER_DES_EDE3_CBC) || !g_strcmp0 (cipher, CIPHER_AES_CBC), NULL);
g_return_val_if_fail (data != NULL, NULL);
g_return_val_if_fail (len > 0, NULL);
if (out_password)
@@ -2022,17 +2019,13 @@ nm_utils_rsa_key_encrypt_helper (const char *cipher,
in_password = tmp_password = nm_utils_bin2hexstr (pw_buf, sizeof (pw_buf), -1);
}
if (g_strcmp0 (cipher, CIPHER_AES_CBC) == 0)
salt_len = 16;
else
salt_len = 8;
salt_len = 8;
if (!crypto_randomize (salt, salt_len, error))
goto out;
key = crypto_make_des_aes_key (cipher, &salt[0], salt_len, in_password, &key_len, NULL);
key = crypto_make_des_aes_key (CIPHER_DES_EDE3_CBC, &salt[0], salt_len, in_password, &key_len, NULL);
g_return_val_if_fail (key, NULL);
enc = crypto_encrypt (cipher, data, len, salt, salt_len, key, key_len, &enc_len, error);
enc = crypto_encrypt (CIPHER_DES_EDE3_CBC, data, len, salt, salt_len, key, key_len, &enc_len, error);
if (!enc)
goto out;
@@ -2042,7 +2035,7 @@ nm_utils_rsa_key_encrypt_helper (const char *cipher,
/* Convert the salt to a hex string */
tmp = nm_utils_bin2hexstr (salt, salt_len, salt_len * 2);
g_string_append_printf (pem, "DEK-Info: %s,%s\n\n", cipher, tmp);
g_string_append_printf (pem, "DEK-Info: %s,%s\n\n", CIPHER_DES_EDE3_CBC, tmp);
g_free (tmp);
/* Convert the encrypted key to a base64 string */
@@ -2083,69 +2076,6 @@ out:
return ret;
}
/**
* nm_utils_rsa_key_encrypt:
* @data: (array length=len): RSA private key data to be encrypted
* @len: length of @data
* @in_password: (allow-none): existing password to use, if any
* @out_password: (out) (allow-none): if @in_password was %NULL, a random
* password will be generated and returned in this argument
* @error: detailed error information on return, if an error occurred
*
* Encrypts the given RSA private key data with the given password (or generates
* a password if no password was given) and converts the data to PEM format
* suitable for writing to a file. It uses Triple DES cipher for the encryption.
*
* Returns: (transfer full): on success, PEM-formatted data suitable for writing
* to a PEM-formatted certificate/private key file.
**/
GByteArray *
nm_utils_rsa_key_encrypt (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error)
{
return nm_utils_rsa_key_encrypt_helper (CIPHER_DES_EDE3_CBC,
data, len,
in_password,
out_password,
error);
}
/**
* nm_utils_rsa_key_encrypt_aes:
* @data: (array length=len): RSA private key data to be encrypted
* @len: length of @data
* @in_password: (allow-none): existing password to use, if any
* @out_password: (out) (allow-none): if @in_password was %NULL, a random
* password will be generated and returned in this argument
* @error: detailed error information on return, if an error occurred
*
* Encrypts the given RSA private key data with the given password (or generates
* a password if no password was given) and converts the data to PEM format
* suitable for writing to a file. It uses AES cipher for the encryption.
*
* Returns: (transfer full): on success, PEM-formatted data suitable for writing
* to a PEM-formatted certificate/private key file.
**/
GByteArray *
nm_utils_rsa_key_encrypt_aes (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error)
{
return nm_utils_rsa_key_encrypt_helper (CIPHER_AES_CBC,
data, len,
in_password,
out_password,
error);
}
static gboolean
file_has_extension (const char *filename, const char *extensions[])
{

10
libnm-core/nm-utils.h
View File

@@ -123,16 +123,6 @@ GPtrArray *nm_utils_ip_routes_from_variant (GVariant *value,
char *nm_utils_uuid_generate (void);
char *nm_utils_uuid_generate_from_string (const char *s);
GByteArray *nm_utils_rsa_key_encrypt (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error);
GByteArray *nm_utils_rsa_key_encrypt_aes (const guint8 *data,
gsize len,
const char *in_password,
char **out_password,
GError **error);
gboolean nm_utils_file_is_certificate (const char *filename);
gboolean nm_utils_file_is_private_key (const char *filename, gboolean *out_encrypted);
gboolean nm_utils_file_is_pkcs12 (const char *filename);

28
libnm-core/tests/test-crypto.c
View File

@@ -33,6 +33,7 @@
#include "crypto.h"
#include "nm-utils.h"
#include "nm-errors.h"
#include "nm-core-internal.h"
#include "nm-test-utils.h"
@@ -254,28 +255,6 @@ test_load_pkcs8 (const char *path,
}
}
static gboolean
is_cipher_aes (const char *path)
{
char *contents;
gsize length = 0;
const char *cipher;
gboolean is_aes = FALSE;
if (!g_file_get_contents (path, &contents, &length, NULL))
return FALSE;
cipher = strstr (contents, "DEK-Info: ");
if (cipher) {
cipher += strlen ("DEK-Info: ");
if (g_str_has_prefix (cipher, "AES-128-CBC"))
is_aes = TRUE;
}
g_free (contents);
return is_aes;
}
static void
test_encrypt_private_key (const char *path,
const char *password)
@@ -290,10 +269,7 @@ test_encrypt_private_key (const char *path,
g_assert_cmpint (key_type, ==, NM_CRYPTO_KEY_TYPE_RSA);
/* Now re-encrypt the private key */
if (is_cipher_aes (path))
encrypted = nm_utils_rsa_key_encrypt_aes (array->data, array->len, password, NULL, &error);
else
encrypted = nm_utils_rsa_key_encrypt (array->data, array->len, password, NULL, &error);
encrypted = nm_utils_rsa_key_encrypt (array->data, array->len, password, NULL, &error);
g_assert_no_error (error);
g_assert (encrypted != NULL);

2
libnm/libnm.ver
View File

@@ -788,8 +788,6 @@ global:
nm_utils_ipaddr_valid;
nm_utils_is_empty_ssid;
nm_utils_is_uuid;
nm_utils_rsa_key_encrypt;
nm_utils_rsa_key_encrypt_aes;
nm_utils_same_ssid;
nm_utils_security_type_get_type;
nm_utils_security_valid;