Commit e46ba018 authored by Thomas Haller's avatar Thomas Haller

libnm: rename and expose nm_utils_base64secret_decode() in libnm

A NetworkManager client requires an API to validate and decode
a base64 secret -- like it is used by WireGuard. If we don't have
this as part of the API, it's inconvenient. Expose it.

Rename it from _nm_utils_wireguard_decode_key(), to give it a more
general name.

Also, rename _nm_utils_wireguard_normalize_key() to
nm_utils_base64secret_normalize(). But this one we keep as internal
API. The user will care more about validating and decoding the base64
key. To convert the key back to base64, we don't need a public API in
libnm.

This is another ABI change since 1.16-rc1.
parent f3ac8c6f
......@@ -765,13 +765,9 @@ gboolean _nm_connection_find_secret (NMConnection *self,
#define nm_auto_unref_wgpeer nm_auto(_nm_auto_unref_wgpeer)
NM_AUTO_DEFINE_FCN_VOID0 (NMWireGuardPeer *, _nm_auto_unref_wgpeer, nm_wireguard_peer_unref)
gboolean _nm_utils_wireguard_decode_key (const char *base64_key,
gsize required_key_len,
guint8 *out_key);
gboolean _nm_utils_wireguard_normalize_key (const char *base64_key,
gsize required_key_len,
char **out_base64_key_norm);
gboolean nm_utils_base64secret_normalize (const char *base64_key,
gsize required_key_len,
char **out_base64_key_norm);
/*****************************************************************************/
......
......@@ -2920,7 +2920,7 @@ _read_setting_wireguard_peer (KeyfileReaderInfo *info)
nm_assert (g_str_has_prefix (info->group, NM_KEYFILE_GROUPPREFIX_WIREGUARD_PEER));
cstr = &info->group[NM_STRLEN (NM_KEYFILE_GROUPPREFIX_WIREGUARD_PEER)];
if ( !_nm_utils_wireguard_normalize_key (cstr, NM_WIREGUARD_PUBLIC_KEY_LEN, &str)
if ( !nm_utils_base64secret_normalize (cstr, NM_WIREGUARD_PUBLIC_KEY_LEN, &str)
|| !nm_streq0 (str, cstr)) {
/* the group name must be identical to the normalized(!) key, so that it
* is uniquely identified. */
......
......@@ -309,9 +309,9 @@ nm_wireguard_peer_set_public_key (NMWireGuardPeer *self,
return TRUE;
}
is_valid = _nm_utils_wireguard_normalize_key (public_key,
NM_WIREGUARD_PUBLIC_KEY_LEN,
&public_key_normalized);
is_valid = nm_utils_base64secret_normalize (public_key,
NM_WIREGUARD_PUBLIC_KEY_LEN,
&public_key_normalized);
nm_assert (is_valid == (public_key_normalized != NULL));
if ( !is_valid
......@@ -397,9 +397,9 @@ nm_wireguard_peer_set_preshared_key (NMWireGuardPeer *self,
return TRUE;
}
is_valid = _nm_utils_wireguard_normalize_key (preshared_key,
NM_WIREGUARD_SYMMETRIC_KEY_LEN,
&preshared_key_normalized);
is_valid = nm_utils_base64secret_normalize (preshared_key,
NM_WIREGUARD_SYMMETRIC_KEY_LEN,
&preshared_key_normalized);
nm_assert (is_valid == (preshared_key_normalized != NULL));
if ( !is_valid
......@@ -1128,9 +1128,9 @@ again:
return pd;
}
if ( try_with_normalized_key
&& _nm_utils_wireguard_normalize_key (public_key,
NM_WIREGUARD_PUBLIC_KEY_LEN,
&public_key_normalized)) {
&& nm_utils_base64secret_normalize (public_key,
NM_WIREGUARD_PUBLIC_KEY_LEN,
&public_key_normalized)) {
public_key = public_key_normalized;
try_with_normalized_key = FALSE;
goto again;
......@@ -2299,9 +2299,9 @@ set_property (GObject *object, guint prop_id,
nm_clear_pointer (&priv->private_key, nm_free_secret);
str = g_value_get_string (value);
if (str) {
if (_nm_utils_wireguard_normalize_key (str,
NM_WIREGUARD_PUBLIC_KEY_LEN,
&priv->private_key))
if (nm_utils_base64secret_normalize (str,
NM_WIREGUARD_PUBLIC_KEY_LEN,
&priv->private_key))
priv->private_key_valid = TRUE;
else {
priv->private_key = g_strdup (str);
......
......@@ -6673,21 +6673,23 @@ nm_utils_version (void)
/*****************************************************************************/
/**
* _nm_utils_wireguard_decode_key:
* nm_utils_base64secret_decode:
* @base64_key: the (possibly invalid) base64 encode key.
* @required_key_len: the expected (binary) length of the key after
* decoding. If the length does not match, the validation fails.
* @out_key: (allow-none): an optional output buffer for the binary
* @out_key: (allow-none): (out): an optional output buffer for the binary
* key. If given, it will be filled with exactly @required_key_len
* bytes.
*
* Returns: %TRUE if the input key is a valid base64 encoded key
* with @required_key_len bytes.
*
* Since: 1.16
*/
gboolean
_nm_utils_wireguard_decode_key (const char *base64_key,
gsize required_key_len,
guint8 *out_key)
nm_utils_base64secret_decode (const char *base64_key,
gsize required_key_len,
guint8 *out_key)
{
gs_free guint8 *bin_arr = NULL;
gsize base64_key_len;
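Review bot: In the doc comment, `@out_key: (allow-none): (out):` puts a colon after `(allow-none)`, so the introspection scanner will most likely read `(out):` as the start of the description rather than as an annotation. Annotations are written as one group, and this is a caller-allocated buffer, so something like `@out_key: (optional) (out caller-allocates) (array length=required_key_len):` would be closer (worth checking against the generated .gir). Because this becomes public API for decoding secrets, the comment should also say that the caller must supply at least @required_key_len writable bytes, what @out_key holds when the function returns %FALSE, and that the caller is responsible for wiping the buffer after use. The local `gs_free guint8 *bin_arr` is only freed, not cleared, by its cleanup attribute; the body continues outside the hunk, so whether it is wiped explicitly before return cannot be confirmed from here.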
......@@ -6715,9 +6717,9 @@ _nm_utils_wireguard_decode_key (const char *base64_key,
}
gboolean
_nm_utils_wireguard_normalize_key (const char *base64_key,
gsize required_key_len,
char **out_base64_key_norm)
nm_utils_base64secret_normalize (const char *base64_key,
gsize required_key_len,
char **out_base64_key_norm)
{
gs_free guint8 *buf_free = NULL;
guint8 buf_static[200];
......@@ -6729,7 +6731,7 @@ _nm_utils_wireguard_normalize_key (const char *base64_key,
} else
buf = buf_static;
if (!_nm_utils_wireguard_decode_key (base64_key, required_key_len, buf)) {
if (!nm_utils_base64secret_decode (base64_key, required_key_len, buf)) {
NM_SET_OUT (out_base64_key_norm, NULL);
return FALSE;
}
......
......@@ -263,6 +263,10 @@ NMSriovVF *nm_utils_sriov_vf_from_str (const char *str, GError **error);
NM_AVAILABLE_IN_1_12
gint64 nm_utils_get_timestamp_msec (void);
NM_AVAILABLE_IN_1_16
gboolean nm_utils_base64secret_decode (const char *base64_key,
gsize required_key_len,
guint8 *out_key);
G_END_DECLS
......
......@@ -1479,6 +1479,7 @@ global:
nm_setting_wireguard_set_peer;
nm_team_link_watcher_get_vlanid;
nm_team_link_watcher_new_arp_ping2;
nm_utils_base64secret_decode;
nm_wifi_p2p_peer_connection_valid;
nm_wifi_p2p_peer_filter_connections;
nm_wifi_p2p_peer_get_flags;
......
......@@ -729,9 +729,9 @@ _peers_get_platform_list (NMDeviceWireGuardPrivate *priv,
NMPWireGuardPeer *plp = &plpeers[i_good];
NMSettingSecretFlags psk_secret_flags;
if (!_nm_utils_wireguard_decode_key (nm_wireguard_peer_get_public_key (peer_data->peer),
sizeof (plp->public_key),
plp->public_key))
if (!nm_utils_base64secret_decode (nm_wireguard_peer_get_public_key (peer_data->peer),
sizeof (plp->public_key),
plp->public_key))
continue;
*plf = NM_PLATFORM_WIREGUARD_CHANGE_PEER_FLAG_NONE;
......@@ -754,9 +754,9 @@ _peers_get_platform_list (NMDeviceWireGuardPrivate *priv,
LINK_CONFIG_MODE_REAPPLY)) {
psk_secret_flags = nm_wireguard_peer_get_preshared_key_flags (peer_data->peer);
if (!NM_FLAGS_HAS (psk_secret_flags, NM_SETTING_SECRET_FLAG_NOT_REQUIRED)) {
if ( !_nm_utils_wireguard_decode_key (nm_wireguard_peer_get_preshared_key (peer_data->peer),
sizeof (plp->preshared_key),
plp->preshared_key)
if ( !nm_utils_base64secret_decode (nm_wireguard_peer_get_preshared_key (peer_data->peer),
sizeof (plp->preshared_key),
plp->preshared_key)
&& config_mode == LINK_CONFIG_MODE_FULL)
goto skip;
}
......@@ -1128,9 +1128,9 @@ link_config (NMDeviceWireGuard *self,
wg_lnk.fwmark = nm_setting_wireguard_get_fwmark (s_wg),
wg_change_flags |= NM_PLATFORM_WIREGUARD_CHANGE_FLAG_HAS_FWMARK;
if (_nm_utils_wireguard_decode_key (nm_setting_wireguard_get_private_key (s_wg),
sizeof (wg_lnk.private_key),
wg_lnk.private_key)) {
if (nm_utils_base64secret_decode (nm_setting_wireguard_get_private_key (s_wg),
sizeof (wg_lnk.private_key),
wg_lnk.private_key)) {
wg_lnk_clear_private_key = NM_SECRET_PTR_ARRAY (wg_lnk.private_key);
wg_change_flags |= NM_PLATFORM_WIREGUARD_CHANGE_FLAG_HAS_PRIVATE_KEY;
} else {
......