crypto: move nm_crypto_read_file() to "libnm-glib-aux"

It has no actual dependency on the crypto library. All it does, is to be careful about not leaking secrets in memory. We have code for that in libnm-glib-aux already. Move. The goal is to reduce the number of places where we use libnm-crypto, because that has a large dependency. libnm-glib-aux is a very light dependency instead.
2024-10-15 04:24:32 +00:00 · 2022-03-18 21:57:37 +01:00 · 2022-03-18 21:57:37 +01:00 · 79f676c83a
parent 723e1fc76f
commit 79f676c83a
4 changed files with 42 additions and 34 deletions
--- a/src/libnm-core-impl/nm-setting-8021x.c
+++ b/src/libnm-core-impl/nm-setting-8021x.c
@ -516,7 +516,7 @@ _cert_impl_set(NMSetting8021x         *setting,
        gs_unref_bytes GBytes *file = NULL;

        if (NM_IN_SET(property, PROP_PRIVATE_KEY, PROP_PHASE2_PRIVATE_KEY)) {
-            file = nm_crypto_read_file(value, error);
+            file = nm_utils_read_crypto_file_to_bytes(value, error);
            if (!file)
                goto err;
            format = nm_crypto_verify_private_key_data(g_bytes_get_data(file, NULL),
--- a/src/libnm-crypto/nm-crypto.c
+++ b/src/libnm-crypto/nm-crypto.c
@ -432,35 +432,6 @@ parse_tpm2_wrapped_key_file(const guint8 *data,
    return TRUE;
 }

-static gboolean
-file_read_contents(const char *filename, NMSecretPtr *out_contents, GError **error)
-{
-    nm_assert(out_contents);
-    nm_assert(out_contents->len == 0);
-    nm_assert(!out_contents->str);
-
-    return nm_utils_file_get_contents(-1,
-                                      filename,
-                                      100 * 1024 * 1024,
-                                      NM_UTILS_FILE_GET_CONTENTS_FLAG_SECRET,
-                                      &out_contents->str,
-                                      &out_contents->len,
-                                      NULL,
-                                      error);
-}
-
-GBytes *
-nm_crypto_read_file(const char *filename, GError **error)
-{
-    nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
-
-    g_return_val_if_fail(filename, NULL);
-
-    if (!file_read_contents(filename, &contents, error))
-        return NULL;
-    return nm_secret_copy_to_gbytes(contents.bin, contents.len);
-}
-
 /*
 * Convert a hex string into bytes.
 */
@ -661,7 +632,7 @@ nmtst_crypto_decrypt_openssl_private_key(const char      *file,
    if (!_nm_crypto_init(error))
        return NULL;

-    if (!file_read_contents(file, &contents, error))
+    if (!nm_utils_read_crypto_file(file, &contents, error))
        return NULL;

    return nmtst_crypto_decrypt_openssl_private_key_data(contents.bin,
@ -735,7 +706,7 @@ nm_crypto_load_and_verify_certificate(const char         *file,
    if (!_nm_crypto_init(error))
        goto out;

-    if (!file_read_contents(file, &contents, error))
+    if (!nm_utils_read_crypto_file(file, &contents, error))
        goto out;

    if (contents.len == 0) {
@ -826,7 +797,7 @@ nm_crypto_is_pkcs12_file(const char *file, GError **error)
    if (!_nm_crypto_init(error))
        return FALSE;

-    if (!file_read_contents(file, &contents, error))
+    if (!nm_utils_read_crypto_file(file, &contents, error))
        return FALSE;

    return nm_crypto_is_pkcs12_data(contents.bin, contents.len, error);
@ -904,7 +875,7 @@ nm_crypto_verify_private_key(const char *filename,
    if (!_nm_crypto_init(error))
        return NM_CRYPTO_FILE_FORMAT_UNKNOWN;

-    if (!file_read_contents(filename, &contents, error))
+    if (!nm_utils_read_crypto_file(filename, &contents, error))
        return NM_CRYPTO_FILE_FORMAT_UNKNOWN;

    return nm_crypto_verify_private_key_data(contents.bin,
--- a/src/libnm-glib-aux/nm-secret-utils.c
+++ b/src/libnm-glib-aux/nm-secret-utils.c
@ -10,6 +10,8 @@

 #include <malloc.h>

+#include "nm-io-utils.h"
+
 /*****************************************************************************/

 void
@ -176,3 +178,34 @@ nm_utils_memeqzero_secret(gconstpointer data, gsize length)
    }
    return 1 & ((acc - 1) >> 8);
 }
+
+/*****************************************************************************/
+
+gboolean
+nm_utils_read_crypto_file(const char *filename, NMSecretPtr *out_contents, GError **error)
+{
+    nm_assert(out_contents);
+    nm_assert(out_contents->len == 0);
+    nm_assert(!out_contents->str);
+
+    return nm_utils_file_get_contents(-1,
+                                      filename,
+                                      100 * 1024 * 1024,
+                                      NM_UTILS_FILE_GET_CONTENTS_FLAG_SECRET,
+                                      &out_contents->str,
+                                      &out_contents->len,
+                                      NULL,
+                                      error);
+}
+
+GBytes *
+nm_utils_read_crypto_file_to_bytes(const char *filename, GError **error)
+{
+    nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
+
+    g_return_val_if_fail(filename, NULL);
+
+    if (!nm_utils_read_crypto_file(filename, &contents, error))
+        return NULL;
+    return nm_secret_copy_to_gbytes(contents.bin, contents.len);
+}
--- a/src/libnm-glib-aux/nm-secret-utils.h
+++ b/src/libnm-glib-aux/nm-secret-utils.h
@ -286,4 +286,8 @@ nm_secret_mem_try_realloc_take(gpointer m_old, gboolean do_bzero_mem, gsize cur_

 /*****************************************************************************/

+gboolean nm_utils_read_crypto_file(const char *filename, NMSecretPtr *out_contents, GError **error);
+
+GBytes *nm_utils_read_crypto_file_to_bytes(const char *filename, GError **error);
+
 #endif /* __NM_SECRET_UTILS_H__ */