From: "Daniel P. Berrange" <berrange@redhat.com>
To: Eric Blake <eblake@redhat.com>
Cc: qemu-devel@nongnu.org, Markus Armbruster <armbru@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v3 4/5] crypto: add QCryptoSecret object class for password/key handling
Date: Wed, 9 Dec 2015 12:56:39 +0000 [thread overview]
Message-ID: <20151209125639.GE19914@redhat.com> (raw)
In-Reply-To: <56670A24.8030302@redhat.com>
On Tue, Dec 08, 2015 at 09:49:40AM -0700, Eric Blake wrote:
> On 11/27/2015 09:30 AM, Daniel P. Berrange wrote:
> > Introduce a new QCryptoSecret object class which will be used
> > for providing passwords and keys to other objects which need
> > sensitive credentials.
> >
>
> > More examples are shown in the updated docs.
> >
> > Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
> > ---
>
> > +++ b/crypto/secret.c
>
> > +static void
> > +qcrypto_secret_load_data(QCryptoSecret *secret,
> > + uint8_t **output,
> > + size_t *outputlen,
> > + Error **errp)
> > +{
>
> > + if (!g_file_get_contents(secret->file, &data, &length, &gerr)) {
> > + error_setg(errp,
> > + "Unable to read %s: %s",
> > + secret->file, gerr->message);
> > + g_error_free(gerr);
> > + return;
> > + }
> > + if (length) {
> > + /* Even though data is raw 8-bit, so may contain
> > + * arbitrary NULs, ensure it is explicitly NUL
> > + * terminated */
> > + *output = g_renew(uint8_t, data, length + 1);
> > + (*output)[length] = '\0';
>
> These two lines are dead code. g_file_get_contents() guarantees that on
> success, contents is malloc'd large enough and that contents[length] == 0.
>
> https://developer.gnome.org/glib/stable/glib-File-Utilities.html#g-file-get-contents
Yep, I just checked the source too and it matches the docs
>
> > + *outputlen = length;
> > + } else {
> > + error_setg(errp, "Secret file %s is empty",
> > + secret->file);
>
> Is there any technical reason why we must forbid a 0-length password?
> (Sometimes, having the empty string as a password can be a useful for
> development tests). I'm not opposed to rejecting it, especially if
> doing so now avoids a more cryptic error message later because there is
> indeed a technical reason; but just want to make sure it is not an
> arbitrary limitation.
It was fairly arbitrary, motivated by a desire to give an error
message if user accidentally pointed to a bad file, but based
on your point about empty passwords I'll remove this and leave
it upto the callers to decide if they'll accept empty passwords.
>
> > + g_free(data);
> > + }
> > + } else if (secret->data) {
> > + *outputlen = strlen(secret->data);
> > + *output = g_new(uint8_t, *outputlen + 1);
> > + memcpy(*output, secret->data, *outputlen + 1);
>
> These two lines could be shortened to:
> *output = g_strdup(secret->data);
Yes, indeed, I'll fix that.
>
> > +
> > +static void qcrypto_secret_decrypt(QCryptoSecret *secret,
> > + const uint8_t *input,
> > + size_t inputlen,
> > + uint8_t **output,
> > + size_t *outputlen,
> > + Error **errp)
> > +{
>
> > + if (secret->format == QCRYPTO_SECRET_FORMAT_BASE64) {
> > + ciphertext = qbase64_decode((const gchar*)input,
> > + inputlen,
> > + &ciphertextlen,
> > + errp);
> > + if (!ciphertext) {
> > + goto cleanup;
> > + }
> > + plaintext = g_new0(uint8_t, ciphertextlen + 1);
> > + } else {
> > + ciphertextlen = inputlen;
> > + plaintext = g_new0(uint8_t, inputlen + 1);
>
> g_new0(uint8_t, value) is the same as g_malloc0(value); I don't know if
> it is worth the distinction. But not worth a respin on its own.
I just prefer to always use g_new0 so it is explicit what type we're
using, though I wish glib's allocators worked like libvirt's so it
got the compiler to provide the correct type.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
next prev parent reply other threads:[~2015-12-09 12:56 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-27 16:30 [Qemu-devel] [PATCH v3 0/5] Add framework for passing secrets to QEMU Daniel P. Berrange
2015-11-27 16:30 ` [Qemu-devel] [PATCH v3 1/5] util: add base64 decoding function Daniel P. Berrange
2015-12-08 16:18 ` Eric Blake
2015-12-09 12:50 ` Daniel P. Berrange
2015-12-09 15:18 ` Eric Blake
2015-11-27 16:30 ` [Qemu-devel] [PATCH v3 2/5] qemu-char: convert to use error checked base64 decode Daniel P. Berrange
2015-11-27 16:30 ` [Qemu-devel] [PATCH v3 3/5] qga: " Daniel P. Berrange
2015-11-27 16:30 ` [Qemu-devel] [PATCH v3 4/5] crypto: add QCryptoSecret object class for password/key handling Daniel P. Berrange
2015-12-08 16:49 ` Eric Blake
2015-12-09 12:56 ` Daniel P. Berrange [this message]
2015-11-27 16:30 ` [Qemu-devel] [PATCH v3 5/5] crypto: add support for loading encrypted x509 keys Daniel P. Berrange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151209125639.GE19914@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=eblake@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).