|
Packit Service |
87a54e |
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
|
Packit |
5756e2 |
/*
|
|
Packit |
5756e2 |
* Dan Williams <dcbw@redhat.com>
|
|
Packit |
5756e2 |
* Copyright (C) 2007 - 2015 Red Hat, Inc.
|
|
Packit |
5756e2 |
*/
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
#include "nm-default.h"
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
#include "nm-crypto-impl.h"
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
#include <gnutls/gnutls.h>
|
|
Packit |
5756e2 |
#include <gnutls/crypto.h>
|
|
Packit |
5756e2 |
#include <gnutls/x509.h>
|
|
Packit |
5756e2 |
#include <gnutls/pkcs12.h>
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
#include "nm-glib-aux/nm-secret-utils.h"
|
|
Packit |
5756e2 |
#include "nm-errors.h"
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
/*****************************************************************************/
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
static gboolean
|
|
Packit Service |
a1bd4f |
_get_cipher_info(NMCryptoCipherType cipher, int *out_cipher_mech, guint8 *out_real_iv_len)
|
|
Packit |
5756e2 |
{
|
|
Packit Service |
a1bd4f |
static const int cipher_mechs[] = {
|
|
Packit Service |
a1bd4f |
[NM_CRYPTO_CIPHER_DES_EDE3_CBC] = GNUTLS_CIPHER_3DES_CBC,
|
|
Packit Service |
a1bd4f |
[NM_CRYPTO_CIPHER_DES_CBC] = GNUTLS_CIPHER_DES_CBC,
|
|
Packit Service |
a1bd4f |
[NM_CRYPTO_CIPHER_AES_128_CBC] = GNUTLS_CIPHER_AES_128_CBC,
|
|
Packit Service |
a1bd4f |
[NM_CRYPTO_CIPHER_AES_192_CBC] = GNUTLS_CIPHER_AES_192_CBC,
|
|
Packit Service |
a1bd4f |
[NM_CRYPTO_CIPHER_AES_256_CBC] = GNUTLS_CIPHER_AES_256_CBC,
|
|
Packit Service |
a1bd4f |
};
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
g_return_val_if_fail(_NM_INT_NOT_NEGATIVE(cipher)
|
|
Packit Service |
a1bd4f |
&& (gsize) cipher < G_N_ELEMENTS(cipher_mechs),
|
|
Packit Service |
a1bd4f |
FALSE);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (cipher_mechs[cipher] == 0)
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
NM_SET_OUT(out_cipher_mech, cipher_mechs[cipher]);
|
|
Packit Service |
a1bd4f |
NM_SET_OUT(out_real_iv_len, nm_crypto_cipher_get_info(cipher)->real_iv_len);
|
|
Packit Service |
a1bd4f |
return TRUE;
|
|
Packit |
5756e2 |
}
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
/*****************************************************************************/
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
gboolean
|
|
Packit Service |
a1bd4f |
_nm_crypto_init(GError **error)
|
|
Packit |
5756e2 |
{
|
|
Packit Service |
a1bd4f |
static gboolean initialized = FALSE;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (initialized)
|
|
Packit Service |
a1bd4f |
return TRUE;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (gnutls_global_init() != 0) {
|
|
Packit Service |
a1bd4f |
gnutls_global_deinit();
|
|
Packit Service |
a1bd4f |
g_set_error_literal(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_FAILED,
|
|
Packit Service |
a1bd4f |
_("Failed to initialize the crypto engine."));
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
initialized = TRUE;
|
|
Packit Service |
a1bd4f |
return TRUE;
|
|
Packit |
5756e2 |
}
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
/*****************************************************************************/
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
guint8 *
|
|
Packit Service |
a1bd4f |
_nmtst_crypto_decrypt(NMCryptoCipherType cipher,
|
|
Packit Service |
a1bd4f |
const guint8 * data,
|
|
Packit Service |
a1bd4f |
gsize data_len,
|
|
Packit Service |
a1bd4f |
const guint8 * iv,
|
|
Packit Service |
a1bd4f |
gsize iv_len,
|
|
Packit Service |
a1bd4f |
const guint8 * key,
|
|
Packit Service |
a1bd4f |
gsize key_len,
|
|
Packit Service |
a1bd4f |
gsize * out_len,
|
|
Packit Service |
a1bd4f |
GError ** error)
|
|
Packit |
5756e2 |
{
|
|
Packit Service |
a1bd4f |
gnutls_cipher_hd_t ctx;
|
|
Packit Service |
a1bd4f |
gnutls_datum_t key_dt, iv_dt;
|
|
Packit Service |
a1bd4f |
int err;
|
|
Packit Service |
a1bd4f |
int cipher_mech;
|
|
Packit Service |
a1bd4f |
nm_auto_clear_secret_ptr NMSecretPtr output = {0};
|
|
Packit Service |
a1bd4f |
guint8 pad_i, pad_len;
|
|
Packit Service |
a1bd4f |
guint8 real_iv_len;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (!_get_cipher_info(cipher, &cipher_mech, &real_iv_len)) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
|
|
Packit Service |
a1bd4f |
_("Unsupported key cipher for decryption"));
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (!_nm_crypto_init(error))
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (iv_len < real_iv_len) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_INVALID_DATA,
|
|
Packit Service |
a1bd4f |
_("Invalid IV length (must be at least %u)."),
|
|
Packit Service |
a1bd4f |
(guint) real_iv_len);
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
output.len = data_len;
|
|
Packit Service |
a1bd4f |
output.bin = g_malloc(data_len);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
key_dt.data = (unsigned char *) key;
|
|
Packit Service |
a1bd4f |
key_dt.size = key_len;
|
|
Packit Service |
a1bd4f |
iv_dt.data = (unsigned char *) iv;
|
|
Packit Service |
a1bd4f |
iv_dt.size = iv_len;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
err = gnutls_cipher_init(&ctx, cipher_mech, &key_dt, &iv_dt);
|
|
Packit Service |
a1bd4f |
if (err < 0) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
|
|
Packit Service |
a1bd4f |
_("Failed to initialize the decryption cipher context: %s (%s)"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror_name(err),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
err = gnutls_cipher_decrypt2(ctx, data, data_len, output.bin, output.len);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
gnutls_cipher_deinit(ctx);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (err < 0) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
|
|
Packit Service |
a1bd4f |
_("Failed to decrypt the private key: %s (%s)"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror_name(err),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
pad_len = output.len > 0 ? output.bin[output.len - 1] : 0;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
/* Check if the padding at the end of the decrypted data is valid */
|
|
Packit Service |
a1bd4f |
if (pad_len == 0 || pad_len > real_iv_len) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
|
|
Packit Service |
a1bd4f |
_("Failed to decrypt the private key: unexpected padding length."));
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
/* Validate tail padding; last byte is the padding size, and all pad bytes
|
|
Packit Service |
a1bd4f |
* should contain the padding size.
|
|
Packit Service |
a1bd4f |
*/
|
|
Packit Service |
a1bd4f |
for (pad_i = 1; pad_i <= pad_len; ++pad_i) {
|
|
Packit Service |
a1bd4f |
if (output.bin[data_len - pad_i] != pad_len) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
|
|
Packit Service |
a1bd4f |
_("Failed to decrypt the private key."));
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
*out_len = output.len - pad_len;
|
|
Packit Service |
a1bd4f |
return g_steal_pointer(&output.bin);
|
|
Packit |
5756e2 |
}
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
guint8 *
|
|
Packit Service |
a1bd4f |
_nmtst_crypto_encrypt(NMCryptoCipherType cipher,
|
|
Packit Service |
a1bd4f |
const guint8 * data,
|
|
Packit Service |
a1bd4f |
gsize data_len,
|
|
Packit Service |
a1bd4f |
const guint8 * iv,
|
|
Packit Service |
a1bd4f |
gsize iv_len,
|
|
Packit Service |
a1bd4f |
const guint8 * key,
|
|
Packit Service |
a1bd4f |
gsize key_len,
|
|
Packit Service |
a1bd4f |
gsize * out_len,
|
|
Packit Service |
a1bd4f |
GError ** error)
|
|
Packit |
5756e2 |
{
|
|
Packit Service |
a1bd4f |
gnutls_cipher_hd_t ctx;
|
|
Packit Service |
a1bd4f |
gnutls_datum_t key_dt, iv_dt;
|
|
Packit Service |
a1bd4f |
int err;
|
|
Packit Service |
a1bd4f |
int cipher_mech;
|
|
Packit Service |
a1bd4f |
nm_auto_clear_secret_ptr NMSecretPtr output = {0};
|
|
Packit Service |
a1bd4f |
nm_auto_clear_secret_ptr NMSecretPtr padded_buf = {0};
|
|
Packit Service |
a1bd4f |
gsize i, pad_len;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
nm_assert(iv_len);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (cipher == NM_CRYPTO_CIPHER_DES_CBC || !_get_cipher_info(cipher, &cipher_mech, NULL)) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
|
|
Packit Service |
a1bd4f |
_("Unsupported key cipher for encryption"));
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (!_nm_crypto_init(error))
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
key_dt.data = (unsigned char *) key;
|
|
Packit Service |
a1bd4f |
key_dt.size = key_len;
|
|
Packit Service |
a1bd4f |
iv_dt.data = (unsigned char *) iv;
|
|
Packit Service |
a1bd4f |
iv_dt.size = iv_len;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
err = gnutls_cipher_init(&ctx, cipher_mech, &key_dt, &iv_dt);
|
|
Packit Service |
a1bd4f |
if (err < 0) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
|
|
Packit Service |
a1bd4f |
_("Failed to initialize the encryption cipher context: %s (%s)"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror_name(err),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
/* If data_len % ivlen == 0, then we add another complete block
|
|
Packit Service |
a1bd4f |
* onto the end so that the decrypter knows there's padding.
|
|
Packit Service |
a1bd4f |
*/
|
|
Packit Service |
a1bd4f |
pad_len = iv_len - (data_len % iv_len);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
padded_buf.len = data_len + pad_len;
|
|
Packit Service |
a1bd4f |
padded_buf.bin = g_malloc(padded_buf.len);
|
|
Packit Service |
a1bd4f |
memcpy(padded_buf.bin, data, data_len);
|
|
Packit Service |
a1bd4f |
for (i = 0; i < pad_len; i++)
|
|
Packit Service |
a1bd4f |
padded_buf.bin[data_len + i] = (guint8)(pad_len & 0xFF);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
output.len = padded_buf.len;
|
|
Packit Service |
a1bd4f |
output.bin = g_malloc(output.len);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
err = gnutls_cipher_encrypt2(ctx, padded_buf.bin, padded_buf.len, output.bin, output.len);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
gnutls_cipher_deinit(ctx);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (err < 0) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
|
|
Packit Service |
a1bd4f |
_("Failed to encrypt the data: %s (%s)"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror_name(err),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
return NULL;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
*out_len = output.len;
|
|
Packit Service |
a1bd4f |
return g_steal_pointer(&output.bin);
|
|
Packit |
5756e2 |
}
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
gboolean
|
|
Packit Service |
a1bd4f |
_nm_crypto_verify_x509(const guint8 *data, gsize len, GError **error)
|
|
Packit |
5756e2 |
{
|
|
Packit Service |
a1bd4f |
gnutls_x509_crt_t der;
|
|
Packit Service |
a1bd4f |
gnutls_datum_t dt;
|
|
Packit Service |
a1bd4f |
int err;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (!_nm_crypto_init(error))
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
err = gnutls_x509_crt_init(&der;;
|
|
Packit Service |
a1bd4f |
if (err < 0) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_INVALID_DATA,
|
|
Packit Service |
a1bd4f |
_("Error initializing certificate data: %s"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
/* Try DER first */
|
|
Packit Service |
a1bd4f |
dt.data = (unsigned char *) data;
|
|
Packit Service |
a1bd4f |
dt.size = len;
|
|
Packit Service |
a1bd4f |
err = gnutls_x509_crt_import(der, &dt, GNUTLS_X509_FMT_DER);
|
|
Packit Service |
a1bd4f |
if (err == GNUTLS_E_SUCCESS) {
|
|
Packit Service |
a1bd4f |
gnutls_x509_crt_deinit(der);
|
|
Packit Service |
a1bd4f |
return TRUE;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
/* And PEM next */
|
|
Packit Service |
a1bd4f |
err = gnutls_x509_crt_import(der, &dt, GNUTLS_X509_FMT_PEM);
|
|
Packit Service |
a1bd4f |
gnutls_x509_crt_deinit(der);
|
|
Packit Service |
a1bd4f |
if (err == GNUTLS_E_SUCCESS)
|
|
Packit Service |
a1bd4f |
return TRUE;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_INVALID_DATA,
|
|
Packit Service |
a1bd4f |
_("Couldn't decode certificate: %s"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit |
5756e2 |
}
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
gboolean
|
|
Packit Service |
a1bd4f |
_nm_crypto_verify_pkcs12(const guint8 *data, gsize data_len, const char *password, GError **error)
|
|
Packit |
5756e2 |
{
|
|
Packit Service |
a1bd4f |
gnutls_pkcs12_t p12;
|
|
Packit Service |
a1bd4f |
gnutls_datum_t dt;
|
|
Packit Service |
a1bd4f |
int err;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
g_return_val_if_fail(data != NULL, FALSE);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (!_nm_crypto_init(error))
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
dt.data = (unsigned char *) data;
|
|
Packit Service |
a1bd4f |
dt.size = data_len;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
err = gnutls_pkcs12_init(&p12);
|
|
Packit Service |
a1bd4f |
if (err < 0) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_FAILED,
|
|
Packit Service |
a1bd4f |
_("Couldn't initialize PKCS#12 decoder: %s"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
/* DER first */
|
|
Packit Service |
a1bd4f |
err = gnutls_pkcs12_import(p12, &dt, GNUTLS_X509_FMT_DER, 0);
|
|
Packit Service |
a1bd4f |
if (err < 0) {
|
|
Packit Service |
a1bd4f |
/* PEM next */
|
|
Packit Service |
a1bd4f |
err = gnutls_pkcs12_import(p12, &dt, GNUTLS_X509_FMT_PEM, 0);
|
|
Packit Service |
a1bd4f |
if (err < 0) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_INVALID_DATA,
|
|
Packit Service |
a1bd4f |
_("Couldn't decode PKCS#12 file: %s"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
gnutls_pkcs12_deinit(p12);
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
err = gnutls_pkcs12_verify_mac(p12, password);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
gnutls_pkcs12_deinit(p12);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (err != GNUTLS_E_SUCCESS) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
|
|
Packit Service |
a1bd4f |
_("Couldn't verify PKCS#12 file: %s"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
return TRUE;
|
|
Packit |
5756e2 |
}
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
gboolean
|
|
Packit Service |
a1bd4f |
_nm_crypto_verify_pkcs8(const guint8 *data,
|
|
Packit Service |
a1bd4f |
gsize data_len,
|
|
Packit Service |
a1bd4f |
gboolean is_encrypted,
|
|
Packit Service |
a1bd4f |
const char * password,
|
|
Packit Service |
a1bd4f |
GError ** error)
|
|
Packit |
5756e2 |
{
|
|
Packit Service |
a1bd4f |
gnutls_x509_privkey_t p8;
|
|
Packit Service |
a1bd4f |
gnutls_datum_t dt;
|
|
Packit Service |
a1bd4f |
int err;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
g_return_val_if_fail(data != NULL, FALSE);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (!_nm_crypto_init(error))
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
err = gnutls_x509_privkey_init(&p8;;
|
|
Packit Service |
a1bd4f |
if (err < 0) {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_FAILED,
|
|
Packit Service |
a1bd4f |
_("Couldn't initialize PKCS#8 decoder: %s"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
dt.data = (unsigned char *) data;
|
|
Packit Service |
a1bd4f |
dt.size = data_len;
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
err = gnutls_x509_privkey_import_pkcs8(p8,
|
|
Packit Service |
a1bd4f |
&dt,
|
|
Packit Service |
a1bd4f |
GNUTLS_X509_FMT_DER,
|
|
Packit Service |
a1bd4f |
is_encrypted ? password : NULL,
|
|
Packit Service |
a1bd4f |
is_encrypted ? 0 : GNUTLS_PKCS_PLAIN);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
gnutls_x509_privkey_deinit(p8);
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
if (err < 0) {
|
|
Packit Service |
a1bd4f |
if (err == GNUTLS_E_UNKNOWN_CIPHER_TYPE) {
|
|
Packit Service |
a1bd4f |
/* HACK: gnutls < 3.5.4 doesn't support all the cipher types that openssl
|
|
Packit Service |
a1bd4f |
* can use with PKCS#8, so if we encounter one, we have to assume
|
|
Packit Service |
a1bd4f |
* the given password works. gnutls needs to unsuckify, apparently.
|
|
Packit Service |
a1bd4f |
* Specifically, by default openssl uses pbeWithMD5AndDES-CBC
|
|
Packit Service |
a1bd4f |
* which gnutls does not support.
|
|
Packit Service |
a1bd4f |
*/
|
|
Packit Service |
a1bd4f |
} else {
|
|
Packit Service |
a1bd4f |
g_set_error(error,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR,
|
|
Packit Service |
a1bd4f |
NM_CRYPTO_ERROR_INVALID_DATA,
|
|
Packit Service |
a1bd4f |
_("Couldn't decode PKCS#8 file: %s"),
|
|
Packit Service |
a1bd4f |
gnutls_strerror(err));
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
}
|
|
Packit Service |
a1bd4f |
|
|
Packit Service |
a1bd4f |
return TRUE;
|
|
Packit |
5756e2 |
}
|
|
Packit |
5756e2 |
|
|
Packit |
5756e2 |
gboolean
|
|
Packit Service |
a1bd4f |
_nm_crypto_randomize(void *buffer, gsize buffer_len, GError **error)
|
|
Packit |
5756e2 |
{
|
|
Packit Service |
a1bd4f |
if (!_nm_crypto_init(error))
|
|
Packit Service |
a1bd4f |
return FALSE;
|
|
Packit |
5756e2 |
|
|
Packit Service |
a1bd4f |
gnutls_rnd(GNUTLS_RND_RANDOM, buffer, buffer_len);
|
|
Packit Service |
a1bd4f |
return TRUE;
|
|
Packit |
5756e2 |
}
|