/* SPDX-License-Identifier: LGPL-2.1-or-later */

/*

 * Dan Williams <dcbw@redhat.com>

 * Copyright (C) 2007 - 2015 Red Hat, Inc.

 */

#include "nm-default.h"

#include "nm-crypto-impl.h"

#include <gnutls/gnutls.h>

#include <gnutls/crypto.h>

#include <gnutls/x509.h>

#include <gnutls/pkcs12.h>

#include "nm-glib-aux/nm-secret-utils.h"

#include "nm-errors.h"

/*****************************************************************************/

static gboolean

_get_cipher_info(NMCryptoCipherType cipher, int *out_cipher_mech, guint8 *out_real_iv_len)

{

    static const int cipher_mechs[] = {

        [NM_CRYPTO_CIPHER_DES_EDE3_CBC] = GNUTLS_CIPHER_3DES_CBC,

        [NM_CRYPTO_CIPHER_DES_CBC]      = GNUTLS_CIPHER_DES_CBC,

        [NM_CRYPTO_CIPHER_AES_128_CBC]  = GNUTLS_CIPHER_AES_128_CBC,

        [NM_CRYPTO_CIPHER_AES_192_CBC]  = GNUTLS_CIPHER_AES_192_CBC,

        [NM_CRYPTO_CIPHER_AES_256_CBC]  = GNUTLS_CIPHER_AES_256_CBC,

    };

    g_return_val_if_fail(_NM_INT_NOT_NEGATIVE(cipher)

                             && (gsize) cipher < G_N_ELEMENTS(cipher_mechs),

                         FALSE);

    if (cipher_mechs[cipher] == 0)

        return FALSE;

    NM_SET_OUT(out_cipher_mech, cipher_mechs[cipher]);

    NM_SET_OUT(out_real_iv_len, nm_crypto_cipher_get_info(cipher)->real_iv_len);

    return TRUE;

}

/*****************************************************************************/

gboolean

_nm_crypto_init(GError **error)

{

    static gboolean initialized = FALSE;

    if (initialized)

        return TRUE;

    if (gnutls_global_init() != 0) {

        gnutls_global_deinit();

        g_set_error_literal(error,

                            NM_CRYPTO_ERROR,

                            NM_CRYPTO_ERROR_FAILED,

                            _("Failed to initialize the crypto engine."));

        return FALSE;

    }

    initialized = TRUE;

    return TRUE;

}

/*****************************************************************************/

guint8 *

_nmtst_crypto_decrypt(NMCryptoCipherType cipher,

                      const guint8 *     data,

                      gsize              data_len,

                      const guint8 *     iv,

                      gsize              iv_len,

                      const guint8 *     key,

                      gsize              key_len,

                      gsize *            out_len,

                      GError **          error)

{

    gnutls_cipher_hd_t                   ctx;

    gnutls_datum_t                       key_dt, iv_dt;

    int                                  err;

    int                                  cipher_mech;

    nm_auto_clear_secret_ptr NMSecretPtr output = {0};

    guint8                               pad_i, pad_len;

    guint8                               real_iv_len;

    if (!_get_cipher_info(cipher, &cipher_mech, &real_iv_len)) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_UNKNOWN_CIPHER,

                    _("Unsupported key cipher for decryption"));

        return NULL;

    }

    if (!_nm_crypto_init(error))

        return NULL;

    if (iv_len < real_iv_len) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_INVALID_DATA,

                    _("Invalid IV length (must be at least %u)."),

                    (guint) real_iv_len);

        return NULL;

    }

    output.len = data_len;

    output.bin = g_malloc(data_len);

    key_dt.data = (unsigned char *) key;

    key_dt.size = key_len;

    iv_dt.data  = (unsigned char *) iv;

    iv_dt.size  = iv_len;

    err = gnutls_cipher_init(&ctx, cipher_mech, &key_dt, &iv_dt);

    if (err < 0) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_DECRYPTION_FAILED,

                    _("Failed to initialize the decryption cipher context: %s (%s)"),

                    gnutls_strerror_name(err),

                    gnutls_strerror(err));

        return NULL;

    }

    err = gnutls_cipher_decrypt2(ctx, data, data_len, output.bin, output.len);

    gnutls_cipher_deinit(ctx);

    if (err < 0) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_DECRYPTION_FAILED,

                    _("Failed to decrypt the private key: %s (%s)"),

                    gnutls_strerror_name(err),

                    gnutls_strerror(err));

        return NULL;

    }

    pad_len = output.len > 0 ? output.bin[output.len - 1] : 0;

    /* Check if the padding at the end of the decrypted data is valid */

    if (pad_len == 0 || pad_len > real_iv_len) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_DECRYPTION_FAILED,

                    _("Failed to decrypt the private key: unexpected padding length."));

        return NULL;

    }

    /* Validate tail padding; last byte is the padding size, and all pad bytes

     * should contain the padding size.

     */

    for (pad_i = 1; pad_i <= pad_len; ++pad_i) {

        if (output.bin[data_len - pad_i] != pad_len) {

            g_set_error(error,

                        NM_CRYPTO_ERROR,

                        NM_CRYPTO_ERROR_DECRYPTION_FAILED,

                        _("Failed to decrypt the private key."));

            return NULL;

        }

    }

    *out_len = output.len - pad_len;

    return g_steal_pointer(&output.bin);

}

guint8 *

_nmtst_crypto_encrypt(NMCryptoCipherType cipher,

                      const guint8 *     data,

                      gsize              data_len,

                      const guint8 *     iv,

                      gsize              iv_len,

                      const guint8 *     key,

                      gsize              key_len,

                      gsize *            out_len,

                      GError **          error)

{

    gnutls_cipher_hd_t                   ctx;

    gnutls_datum_t                       key_dt, iv_dt;

    int                                  err;

    int                                  cipher_mech;

    nm_auto_clear_secret_ptr NMSecretPtr output     = {0};

    nm_auto_clear_secret_ptr NMSecretPtr padded_buf = {0};

    gsize                                i, pad_len;

    nm_assert(iv_len);

    if (cipher == NM_CRYPTO_CIPHER_DES_CBC || !_get_cipher_info(cipher, &cipher_mech, NULL)) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_UNKNOWN_CIPHER,

                    _("Unsupported key cipher for encryption"));

        return NULL;

    }

    if (!_nm_crypto_init(error))

        return NULL;

    key_dt.data = (unsigned char *) key;

    key_dt.size = key_len;

    iv_dt.data  = (unsigned char *) iv;

    iv_dt.size  = iv_len;

    err = gnutls_cipher_init(&ctx, cipher_mech, &key_dt, &iv_dt);

    if (err < 0) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_ENCRYPTION_FAILED,

                    _("Failed to initialize the encryption cipher context: %s (%s)"),

                    gnutls_strerror_name(err),

                    gnutls_strerror(err));

        return NULL;

    }

    /* If data_len % ivlen == 0, then we add another complete block

     * onto the end so that the decrypter knows there's padding.

     */

    pad_len = iv_len - (data_len % iv_len);

    padded_buf.len = data_len + pad_len;

    padded_buf.bin = g_malloc(padded_buf.len);

    memcpy(padded_buf.bin, data, data_len);

    for (i = 0; i < pad_len; i++)

        padded_buf.bin[data_len + i] = (guint8)(pad_len & 0xFF);

    output.len = padded_buf.len;

    output.bin = g_malloc(output.len);

    err = gnutls_cipher_encrypt2(ctx, padded_buf.bin, padded_buf.len, output.bin, output.len);

    gnutls_cipher_deinit(ctx);

    if (err < 0) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_ENCRYPTION_FAILED,

                    _("Failed to encrypt the data: %s (%s)"),

                    gnutls_strerror_name(err),

                    gnutls_strerror(err));

        return NULL;

    }

    *out_len = output.len;

    return g_steal_pointer(&output.bin);

}

gboolean

_nm_crypto_verify_x509(const guint8 *data, gsize len, GError **error)

{

    gnutls_x509_crt_t der;

    gnutls_datum_t    dt;

    int               err;

    if (!_nm_crypto_init(error))

        return FALSE;

    err = gnutls_x509_crt_init(&der;;

    if (err < 0) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_INVALID_DATA,

                    _("Error initializing certificate data: %s"),

                    gnutls_strerror(err));

        return FALSE;

    }

    /* Try DER first */

    dt.data = (unsigned char *) data;

    dt.size = len;

    err     = gnutls_x509_crt_import(der, &dt, GNUTLS_X509_FMT_DER);

    if (err == GNUTLS_E_SUCCESS) {

        gnutls_x509_crt_deinit(der);

        return TRUE;

    }

    /* And PEM next */

    err = gnutls_x509_crt_import(der, &dt, GNUTLS_X509_FMT_PEM);

    gnutls_x509_crt_deinit(der);

    if (err == GNUTLS_E_SUCCESS)

        return TRUE;

    g_set_error(error,

                NM_CRYPTO_ERROR,

                NM_CRYPTO_ERROR_INVALID_DATA,

                _("Couldn't decode certificate: %s"),

                gnutls_strerror(err));

    return FALSE;

}

gboolean

_nm_crypto_verify_pkcs12(const guint8 *data, gsize data_len, const char *password, GError **error)

{

    gnutls_pkcs12_t p12;

    gnutls_datum_t  dt;

    int             err;

    g_return_val_if_fail(data != NULL, FALSE);

    if (!_nm_crypto_init(error))

        return FALSE;

    dt.data = (unsigned char *) data;

    dt.size = data_len;

    err = gnutls_pkcs12_init(&p12);

    if (err < 0) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_FAILED,

                    _("Couldn't initialize PKCS#12 decoder: %s"),

                    gnutls_strerror(err));

        return FALSE;

    }

    /* DER first */

    err = gnutls_pkcs12_import(p12, &dt, GNUTLS_X509_FMT_DER, 0);

    if (err < 0) {

        /* PEM next */

        err = gnutls_pkcs12_import(p12, &dt, GNUTLS_X509_FMT_PEM, 0);

        if (err < 0) {

            g_set_error(error,

                        NM_CRYPTO_ERROR,

                        NM_CRYPTO_ERROR_INVALID_DATA,

                        _("Couldn't decode PKCS#12 file: %s"),

                        gnutls_strerror(err));

            gnutls_pkcs12_deinit(p12);

            return FALSE;

        }

    }

    err = gnutls_pkcs12_verify_mac(p12, password);

    gnutls_pkcs12_deinit(p12);

    if (err != GNUTLS_E_SUCCESS) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_DECRYPTION_FAILED,

                    _("Couldn't verify PKCS#12 file: %s"),

                    gnutls_strerror(err));

        return FALSE;

    }

    return TRUE;

}

gboolean

_nm_crypto_verify_pkcs8(const guint8 *data,

                        gsize         data_len,

                        gboolean      is_encrypted,

                        const char *  password,

                        GError **     error)

{

    gnutls_x509_privkey_t p8;

    gnutls_datum_t        dt;

    int                   err;

    g_return_val_if_fail(data != NULL, FALSE);

    if (!_nm_crypto_init(error))

        return FALSE;

    err = gnutls_x509_privkey_init(&p8;;

    if (err < 0) {

        g_set_error(error,

                    NM_CRYPTO_ERROR,

                    NM_CRYPTO_ERROR_FAILED,

                    _("Couldn't initialize PKCS#8 decoder: %s"),

                    gnutls_strerror(err));

        return FALSE;

    }

    dt.data = (unsigned char *) data;

    dt.size = data_len;

    err = gnutls_x509_privkey_import_pkcs8(p8,

                                           &dt,

                                           GNUTLS_X509_FMT_DER,

                                           is_encrypted ? password : NULL,

                                           is_encrypted ? 0 : GNUTLS_PKCS_PLAIN);

    gnutls_x509_privkey_deinit(p8);

    if (err < 0) {

        if (err == GNUTLS_E_UNKNOWN_CIPHER_TYPE) {

            /* HACK: gnutls < 3.5.4 doesn't support all the cipher types that openssl

             * can use with PKCS#8, so if we encounter one, we have to assume

             * the given password works.  gnutls needs to unsuckify, apparently.

             * Specifically, by default openssl uses pbeWithMD5AndDES-CBC

             * which gnutls does not support.

             */

        } else {

            g_set_error(error,

                        NM_CRYPTO_ERROR,

                        NM_CRYPTO_ERROR_INVALID_DATA,

                        _("Couldn't decode PKCS#8 file: %s"),

                        gnutls_strerror(err));

            return FALSE;

        }

    }

    return TRUE;

}

gboolean

_nm_crypto_randomize(void *buffer, gsize buffer_len, GError **error)

{

    if (!_nm_crypto_init(error))

        return FALSE;

    gnutls_rnd(GNUTLS_RND_RANDOM, buffer, buffer_len);

    return TRUE;

}