authorThomas Haller <thaller@redhat.com>2022-03-18 21:57:37 +0100
committerThomas Haller <thaller@redhat.com>2022-03-29 11:56:04 +0200
commit79f676c83a3bdc9926b87702ef8a39bb14f50ee5 (patch)
tree7ccd66711e2ed827c417c64a120d7deace7a0244
parent723e1fc76f127001eded94ffbeabc0395738bec7 (diff)
downloadNetworkManager-79f676c83a3bdc9926b87702ef8a39bb14f50ee5.tar.gz
crypto: move nm_crypto_read_file() to "libnm-glib-aux"
It has no actual dependency on the crypto library. All it does is take care not to leak secrets in memory, and libnm-glib-aux already has code for that. Move it there. The goal is to reduce the number of places where we use libnm-crypto, because that has a large dependency, whereas libnm-glib-aux is a very light dependency.
-rw-r--r--src/libnm-core-impl/nm-setting-8021x.c2
-rw-r--r--src/libnm-crypto/nm-crypto.c37
-rw-r--r--src/libnm-glib-aux/nm-secret-utils.c33
-rw-r--r--src/libnm-glib-aux/nm-secret-utils.h4
4 files changed, 42 insertions, 34 deletions
diff --git a/src/libnm-core-impl/nm-setting-8021x.c b/src/libnm-core-impl/nm-setting-8021x.c
index 70cb2b56ab..dce35cf016 100644
--- a/src/libnm-core-impl/nm-setting-8021x.c
+++ b/src/libnm-core-impl/nm-setting-8021x.c
@@ -516,7 +516,7 @@ _cert_impl_set(NMSetting8021x *setting,
gs_unref_bytes GBytes *file = NULL;
if (NM_IN_SET(property, PROP_PRIVATE_KEY, PROP_PHASE2_PRIVATE_KEY)) {
- file = nm_crypto_read_file(value, error);
+ file = nm_utils_read_crypto_file_to_bytes(value, error);
if (!file)
goto err;
format = nm_crypto_verify_private_key_data(g_bytes_get_data(file, NULL),
diff --git a/src/libnm-crypto/nm-crypto.c b/src/libnm-crypto/nm-crypto.c
index 0480105120..4a38f0c4c1 100644
--- a/src/libnm-crypto/nm-crypto.c
+++ b/src/libnm-crypto/nm-crypto.c
@@ -432,35 +432,6 @@ parse_tpm2_wrapped_key_file(const guint8 *data,
return TRUE;
}
-static gboolean
-file_read_contents(const char *filename, NMSecretPtr *out_contents, GError **error)
-{
- nm_assert(out_contents);
- nm_assert(out_contents->len == 0);
- nm_assert(!out_contents->str);
-
- return nm_utils_file_get_contents(-1,
- filename,
- 100 * 1024 * 1024,
- NM_UTILS_FILE_GET_CONTENTS_FLAG_SECRET,
- &out_contents->str,
- &out_contents->len,
- NULL,
- error);
-}
-
-GBytes *
-nm_crypto_read_file(const char *filename, GError **error)
-{
- nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
-
- g_return_val_if_fail(filename, NULL);
-
- if (!file_read_contents(filename, &contents, error))
- return NULL;
- return nm_secret_copy_to_gbytes(contents.bin, contents.len);
-}
-
/*
* Convert a hex string into bytes.
*/
@@ -661,7 +632,7 @@ nmtst_crypto_decrypt_openssl_private_key(const char *file,
if (!_nm_crypto_init(error))
return NULL;
- if (!file_read_contents(file, &contents, error))
+ if (!nm_utils_read_crypto_file(file, &contents, error))
return NULL;
return nmtst_crypto_decrypt_openssl_private_key_data(contents.bin,
@@ -735,7 +706,7 @@ nm_crypto_load_and_verify_certificate(const char *file,
if (!_nm_crypto_init(error))
goto out;
- if (!file_read_contents(file, &contents, error))
+ if (!nm_utils_read_crypto_file(file, &contents, error))
goto out;
if (contents.len == 0) {
@@ -826,7 +797,7 @@ nm_crypto_is_pkcs12_file(const char *file, GError **error)
if (!_nm_crypto_init(error))
return FALSE;
- if (!file_read_contents(file, &contents, error))
+ if (!nm_utils_read_crypto_file(file, &contents, error))
return FALSE;
return nm_crypto_is_pkcs12_data(contents.bin, contents.len, error);
@@ -904,7 +875,7 @@ nm_crypto_verify_private_key(const char *filename,
if (!_nm_crypto_init(error))
return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
- if (!file_read_contents(filename, &contents, error))
+ if (!nm_utils_read_crypto_file(filename, &contents, error))
return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
return nm_crypto_verify_private_key_data(contents.bin,
diff --git a/src/libnm-glib-aux/nm-secret-utils.c b/src/libnm-glib-aux/nm-secret-utils.c
index c764b6e575..983b04cac8 100644
--- a/src/libnm-glib-aux/nm-secret-utils.c
+++ b/src/libnm-glib-aux/nm-secret-utils.c
@@ -10,6 +10,8 @@
#include <malloc.h>
+#include "nm-io-utils.h"
+
/*****************************************************************************/
void
@@ -176,3 +178,34 @@ nm_utils_memeqzero_secret(gconstpointer data, gsize length)
}
return 1 & ((acc - 1) >> 8);
}
+
+/*****************************************************************************/
+
+gboolean
+nm_utils_read_crypto_file(const char *filename, NMSecretPtr *out_contents, GError **error)
+{
+ nm_assert(out_contents);
+ nm_assert(out_contents->len == 0);
+ nm_assert(!out_contents->str);
+
+ return nm_utils_file_get_contents(-1,
+ filename,
+ 100 * 1024 * 1024,
+ NM_UTILS_FILE_GET_CONTENTS_FLAG_SECRET,
+ &out_contents->str,
+ &out_contents->len,
+ NULL,
+ error);
+}
+
+GBytes *
+nm_utils_read_crypto_file_to_bytes(const char *filename, GError **error)
+{
+ nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
+
+ g_return_val_if_fail(filename, NULL);
+
+ if (!nm_utils_read_crypto_file(filename, &contents, error))
+ return NULL;
+ return nm_secret_copy_to_gbytes(contents.bin, contents.len);
+}
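Review bot: The 100 MiB cap in `nm_utils_read_crypto_file` is a bare magic number, and now that both functions are public helpers of libnm-glib-aux neither carries a doc comment stating its contract. The file paths reaching this code appear to come from connection settings (the nm-setting-8021x.c hunk passes the property `value` straight through), so the limit looks like a bound on memory use for oversized or hostile files; that intent should be named rather than left to be inferred, e.g. `#define NM_UTILS_READ_CRYPTO_FILE_MAX_SIZE (100u * 1024u * 1024u)` used in the nm_utils_file_get_contents() call. I would add a gtk-doc style comment above `nm_utils_read_crypto_file` stating that `out_contents` must be zero-initialized on entry (the nm_assert() checks presumably compile out in release builds, so they document rather than enforce this), that the buffer is read with NM_UTILS_FILE_GET_CONTENTS_FLAG_SECRET and the caller owns clearing it (nm_auto_clear_secret_ptr), and that files above the cap fail with an error. The `_to_bytes` variant should likewise note that the returned GBytes is a secret copy and the intermediate buffer is cleared before return.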
diff --git a/src/libnm-glib-aux/nm-secret-utils.h b/src/libnm-glib-aux/nm-secret-utils.h
index 513dbca5bc..c175bc8f3e 100644
--- a/src/libnm-glib-aux/nm-secret-utils.h
+++ b/src/libnm-glib-aux/nm-secret-utils.h
@@ -286,4 +286,8 @@ nm_secret_mem_try_realloc_take(gpointer m_old, gboolean do_bzero_mem, gsize cur_
/*****************************************************************************/
+gboolean nm_utils_read_crypto_file(const char *filename, NMSecretPtr *out_contents, GError **error);
+
+GBytes *nm_utils_read_crypto_file_to_bytes(const char *filename, GError **error);
+
#endif /* __NM_SECRET_UTILS_H__ */