diff options
| -rw-r--r-- | libnm-core/crypto.c | 47 | ||||
| -rw-r--r-- | libnm-core/crypto.h | 24 | ||||
| -rw-r--r-- | libnm-core/crypto_gnutls.c | 49 | ||||
| -rw-r--r-- | libnm-core/crypto_nss.c | 65 |
4 files changed, 84 insertions, 101 deletions
diff --git a/libnm-core/crypto.c b/libnm-core/crypto.c index 2cc671c7df..e28415705c 100644 --- a/libnm-core/crypto.c +++ b/libnm-core/crypto.c @@ -117,12 +117,7 @@ parse_old_openssl_key_file (const guint8 *data, end_tag = PEM_DSA_KEY_END; break; default: - g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE, - "Unknown key type %d", - key_type); g_assert_not_reached (); - return NULL; } if (!find_tag (start_tag, data, data_len, 0, &start)) @@ -131,7 +126,7 @@ parse_old_openssl_key_file (const guint8 *data, start += strlen (start_tag); if (!find_tag (end_tag, data, data_len, start, &end)) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("PEM key file had no end tag '%s'."), end_tag); goto parse_error; @@ -144,7 +139,7 @@ parse_old_openssl_key_file (const guint8 *data, if (!lines || g_strv_length (lines) <= 1) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Doesn't look like a PEM private key file.")); goto parse_error; } @@ -161,7 +156,7 @@ parse_old_openssl_key_file (const guint8 *data, if (!strncmp (p, PROC_TYPE_TAG, strlen (PROC_TYPE_TAG))) { if (enc_tags++ != 0) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: Proc-Type was not first tag.")); goto parse_error; } @@ -169,7 +164,7 @@ parse_old_openssl_key_file (const guint8 *data, p += strlen (PROC_TYPE_TAG); if (strcmp (p, "4,ENCRYPTED")) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: unknown Proc-Type tag '%s'."), p); goto parse_error; @@ -179,7 +174,7 @@ parse_old_openssl_key_file (const guint8 *data, if (enc_tags++ != 1) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: DEK-Info was not the second tag.")); goto parse_error; } @@ -190,14 +185,14 @@ parse_old_openssl_key_file (const guint8 *data, comma = strchr (p, ','); if (!comma || (*(comma + 1) == '\0')) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: no IV found in DEK-Info tag.")); goto parse_error; } *comma++ = '\0'; if (!g_ascii_isxdigit (*comma)) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: invalid format of IV in DEK-Info tag.")); goto parse_error; } @@ -212,7 +207,7 @@ parse_old_openssl_key_file (const guint8 *data, cipher = g_strdup (p); } else { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE, + NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: unknown private key cipher '%s'."), p); goto parse_error; @@ -220,7 +215,7 @@ parse_old_openssl_key_file (const guint8 *data, } else { if ((enc_tags != 0) && (enc_tags != 2)) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, "Malformed PEM file: both Proc-Type and DEK-Info tags are required."); goto parse_error; } @@ -231,7 +226,7 @@ parse_old_openssl_key_file (const guint8 *data, tmp = g_base64_decode (str->str, &tmp_len); if (tmp == NULL || !tmp_len) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_DECODE_FAILED, + NM_CRYPTO_ERROR_INVALID_DATA, _("Could not decode private key.")); goto parse_error; } @@ -284,7 +279,7 @@ parse_pkcs8_key_file (const guint8 *data, encrypted = FALSE; } else { g_set_error_literal (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to find expected PKCS#8 start tag.")); return NULL; } @@ -292,7 +287,7 @@ parse_pkcs8_key_file (const guint8 *data, start += strlen (start_tag); if (!find_tag (end_tag, data, data_len, start, &end)) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to find expected PKCS#8 end tag '%s'."), end_tag); return NULL; @@ -311,7 +306,7 @@ parse_pkcs8_key_file (const guint8 *data, *out_encrypted = encrypted; } else { g_set_error_literal (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_DECODE_FAILED, + NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to decode PKCS#8 private key.")); } @@ -353,7 +348,7 @@ convert_iv (const char *src, num = strlen (src); if (num % 2) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_RAW_IV_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("IV must be an even number of bytes in length.")); return NULL; } @@ -367,7 +362,7 @@ convert_iv (const char *src, conv[1] = src[(i * 2) + 1]; if (!g_ascii_isxdigit (conv[0]) || !g_ascii_isxdigit (conv[1])) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_RAW_IV_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("IV contains non-hexadecimal digits.")); goto error; } @@ -407,7 +402,7 @@ make_des_aes_key (const char *cipher, digest_len = 16; else { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_UNKNOWN_CIPHER, + NM_CRYPTO_ERROR_UNKNOWN_CIPHER, _("Private key cipher '%s' was unknown."), cipher); return NULL; @@ -519,7 +514,7 @@ crypto_decrypt_private_key_data (const guint8 *data, if (!parsed) { g_clear_error (error); g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Unable to determine private key type.")); } } @@ -576,7 +571,7 @@ extract_pem_cert_data (GByteArray *contents, GError **error) if (!find_tag (PEM_CERT_BEGIN, contents->data, contents->len, 0, &start)) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("PEM certificate had no start tag '%s'."), PEM_CERT_BEGIN); goto done; @@ -585,7 +580,7 @@ extract_pem_cert_data (GByteArray *contents, GError **error) start += strlen (PEM_CERT_BEGIN); if (!find_tag (PEM_CERT_END, contents->data, contents->len, start, &end)) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("PEM certificate had no end tag '%s'."), PEM_CERT_END); goto done; @@ -603,7 +598,7 @@ extract_pem_cert_data (GByteArray *contents, GError **error) g_assert (cert->len == length); } else { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_DECODE_FAILED, + NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to decode certificate.")); } @@ -668,7 +663,7 @@ crypto_is_pkcs12_data (const guint8 *data, if (success == FALSE) { /* If the error was just a decryption error, then it's pkcs#12 */ if (error) { - if (g_error_matches (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED)) + if (g_error_matches (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERROR_DECRYPTION_FAILED)) success = TRUE; g_error_free (error); } diff --git a/libnm-core/crypto.h b/libnm-core/crypto.h index a530080ec6..67abbdade3 100644 --- a/libnm-core/crypto.h +++ b/libnm-core/crypto.h @@ -32,24 +32,12 @@ #define CIPHER_AES_CBC "AES-128-CBC" enum { - NM_CRYPTO_ERR_NONE = 0, - NM_CRYPTO_ERR_INIT_FAILED, - NM_CRYPTO_ERR_CANT_READ_FILE, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, - NM_CRYPTO_ERR_CERT_FORMAT_INVALID, - NM_CRYPTO_ERR_DECODE_FAILED, - NM_CRYPTO_ERR_OUT_OF_MEMORY, - NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE, - NM_CRYPTO_ERR_UNKNOWN_CIPHER, - NM_CRYPTO_ERR_RAW_IV_INVALID, - NM_CRYPTO_ERR_MD5_INIT_FAILED, - NM_CRYPTO_ERR_CIPHER_INIT_FAILED, - NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED, - NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, - NM_CRYPTO_ERR_INVALID_PASSWORD, - NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED, - NM_CRYPTO_ERR_RANDOMIZE_FAILED + NM_CRYPTO_ERROR_FAILED = 0, + NM_CRYPTO_ERROR_INVALID_DATA, + NM_CRYPTO_ERROR_INVALID_PASSWORD, + NM_CRYPTO_ERROR_UNKNOWN_CIPHER, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, + NM_CRYPTO_ERROR_ENCRYPTION_FAILED, }; typedef enum { diff --git a/libnm-core/crypto_gnutls.c b/libnm-core/crypto_gnutls.c index e79d4fd3e2..8114d28fbf 100644 --- a/libnm-core/crypto_gnutls.c +++ b/libnm-core/crypto_gnutls.c @@ -44,10 +44,9 @@ crypto_init (GError **error) if (gnutls_global_init() != 0) { gnutls_global_deinit(); - g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_INIT_FAILED, - "%s", - _("Failed to initialize the crypto engine.")); + g_set_error_literal (error, NM_CRYPTO_ERROR, + NM_CRYPTO_ERROR_FAILED, + _("Failed to initialize the crypto engine.")); return FALSE; } @@ -88,7 +87,7 @@ crypto_md5_hash (const char *salt, err = gcry_md_open (&ctx, GCRY_MD_MD5, 0); if (err) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_MD5_INIT_FAILED, + NM_CRYPTO_ERROR_FAILED, _("Failed to initialize the MD5 engine: %s / %s."), gcry_strsource (err), gcry_strerror (err)); return FALSE; @@ -147,7 +146,7 @@ crypto_decrypt (const char *cipher, real_iv_len = 16; } else { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_UNKNOWN_CIPHER, + NM_CRYPTO_ERROR_UNKNOWN_CIPHER, _("Private key cipher '%s' was unknown."), cipher); return NULL; @@ -155,7 +154,7 @@ crypto_decrypt (const char *cipher, if (iv_len < real_iv_len) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_RAW_IV_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Invalid IV length (must be at least %zd)."), real_iv_len); return NULL; @@ -166,7 +165,7 @@ crypto_decrypt (const char *cipher, err = gcry_cipher_open (&ctx, cipher_mech, GCRY_CIPHER_MODE_CBC, 0); if (err) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_INIT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to initialize the decryption cipher context: %s / %s."), gcry_strsource (err), gcry_strerror (err)); goto out; @@ -175,7 +174,7 @@ crypto_decrypt (const char *cipher, err = gcry_cipher_setkey (ctx, key, key_len); if (err) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to set symmetric key for decryption: %s / %s."), gcry_strsource (err), gcry_strerror (err)); goto out; @@ -184,7 +183,7 @@ crypto_decrypt (const char *cipher, err = gcry_cipher_setiv (ctx, iv, iv_len); if (err) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to set IV for decryption: %s / %s."), gcry_strsource (err), gcry_strerror (err)); goto out; @@ -193,7 +192,7 @@ crypto_decrypt (const char *cipher, err = gcry_cipher_decrypt (ctx, output, data_len, data, data_len); if (err) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key: %s / %s."), gcry_strsource (err), gcry_strerror (err)); goto out; @@ -203,7 +202,7 @@ crypto_decrypt (const char *cipher, /* Check if the padding at the end of the decrypted data is valid */ if (pad_len == 0 || pad_len > real_iv_len) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key: unexpected padding length.")); goto out; } @@ -214,7 +213,7 @@ crypto_decrypt (const char *cipher, for (i = 1; i <= pad_len; ++i) { if (output[data_len - i] != pad_len) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key.")); goto out; } @@ -265,7 +264,7 @@ crypto_encrypt (const char *cipher, salt_len = iv_len; } else { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_UNKNOWN_CIPHER, + NM_CRYPTO_ERROR_UNKNOWN_CIPHER, _("Private key cipher '%s' was unknown."), cipher); return NULL; @@ -287,7 +286,7 @@ crypto_encrypt (const char *cipher, err = gcry_cipher_open (&ctx, cipher_mech, GCRY_CIPHER_MODE_CBC, 0); if (err) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_INIT_FAILED, + NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to initialize the encryption cipher context: %s / %s."), gcry_strsource (err), gcry_strerror (err)); goto out; @@ -296,7 +295,7 @@ crypto_encrypt (const char *cipher, err = gcry_cipher_setkey (ctx, key, key_len); if (err) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED, + NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to set symmetric key for encryption: %s / %s."), gcry_strsource (err), gcry_strerror (err)); goto out; @@ -306,7 +305,7 @@ crypto_encrypt (const char *cipher, err = gcry_cipher_setiv (ctx, iv, salt_len); if (err) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED, + NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to set IV for encryption: %s / %s."), gcry_strsource (err), gcry_strerror (err)); goto out; @@ -315,7 +314,7 @@ crypto_encrypt (const char *cipher, err = gcry_cipher_encrypt (ctx, output, output_len, padded_buf, padded_buf_len); if (err) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to encrypt the data: %s / %s."), gcry_strsource (err), gcry_strerror (err)); goto out; @@ -355,7 +354,7 @@ crypto_verify_cert (const unsigned char *data, err = gnutls_x509_crt_init (&der); if (err < 0) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CERT_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Error initializing certificate data: %s"), gnutls_strerror (err)); return NM_CRYPTO_FILE_FORMAT_UNKNOWN; @@ -377,7 +376,7 @@ crypto_verify_cert (const unsigned char *data, return NM_CRYPTO_FILE_FORMAT_X509; g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CERT_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Couldn't decode certificate: %s"), gnutls_strerror (err)); return NM_CRYPTO_FILE_FORMAT_UNKNOWN; @@ -402,7 +401,7 @@ crypto_verify_pkcs12 (const guint8 *data, err = gnutls_pkcs12_init (&p12); if (err < 0) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_DECODE_FAILED, + NM_CRYPTO_ERROR_FAILED, _("Couldn't initialize PKCS#12 decoder: %s"), gnutls_strerror (err)); return FALSE; @@ -415,7 +414,7 @@ crypto_verify_pkcs12 (const guint8 *data, err = gnutls_pkcs12_import (p12, &dt, GNUTLS_X509_FMT_PEM, 0); if (err < 0) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Couldn't decode PKCS#12 file: %s"), gnutls_strerror (err)); goto out; @@ -427,7 +426,7 @@ crypto_verify_pkcs12 (const guint8 *data, success = TRUE; else { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Couldn't verify PKCS#12 file: %s"), gnutls_strerror (err)); } @@ -456,7 +455,7 @@ crypto_verify_pkcs8 (const guint8 *data, err = gnutls_x509_privkey_init (&p8); if (err < 0) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_DECODE_FAILED, + NM_CRYPTO_ERROR_FAILED, _("Couldn't initialize PKCS#8 decoder: %s"), gnutls_strerror (err)); return FALSE; @@ -479,7 +478,7 @@ crypto_verify_pkcs8 (const guint8 *data, */ } else { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Couldn't decode PKCS#8 file: %s"), gnutls_strerror (err)); return FALSE; diff --git a/libnm-core/crypto_nss.c b/libnm-core/crypto_nss.c index cc6418f452..e2fbd4fed4 100644 --- a/libnm-core/crypto_nss.c +++ b/libnm-core/crypto_nss.c @@ -52,7 +52,7 @@ crypto_init (GError **error) ret = NSS_NoDB_Init (NULL); if (ret != SECSuccess) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_INIT_FAILED, + NM_CRYPTO_ERROR_FAILED, _("Failed to initialize the crypto engine: %d."), PR_GetError ()); PR_Cleanup (); @@ -103,7 +103,7 @@ crypto_md5_hash (const char *salt, ctx = PK11_CreateDigestContext (SEC_OID_MD5); if (!ctx) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_MD5_INIT_FAILED, + NM_CRYPTO_ERROR_FAILED, _("Failed to initialize the MD5 context: %d."), PORT_GetError ()); return FALSE; @@ -167,7 +167,7 @@ crypto_decrypt (const char *cipher, real_iv_len = 16; } else { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_UNKNOWN_CIPHER, + NM_CRYPTO_ERROR_UNKNOWN_CIPHER, _("Private key cipher '%s' was unknown."), cipher); return NULL; @@ -175,7 +175,7 @@ crypto_decrypt (const char *cipher, if (iv_len < real_iv_len) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_RAW_IV_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Invalid IV length (must be at least %d)."), real_iv_len); return NULL; @@ -186,7 +186,7 @@ crypto_decrypt (const char *cipher, slot = PK11_GetBestSlot (cipher_mech, NULL); if (!slot) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_INIT_FAILED, + NM_CRYPTO_ERROR_FAILED, _("Failed to initialize the decryption cipher slot.")); goto out; } @@ -196,7 +196,7 @@ crypto_decrypt (const char *cipher, sym_key = PK11_ImportSymKey (slot, cipher_mech, PK11_OriginUnwrap, CKA_DECRYPT, &key_item, NULL); if (!sym_key) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to set symmetric key for decryption.")); goto out; } @@ -206,7 +206,7 @@ crypto_decrypt (const char *cipher, sec_param = PK11_ParamFromIV (cipher_mech, &key_item); if (!sec_param) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to set IV for decryption.")); goto out; } @@ -214,7 +214,7 @@ crypto_decrypt (const char *cipher, ctx = PK11_CreateContextBySymKey (cipher_mech, CKA_DECRYPT, sym_key, sec_param); if (!ctx) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_INIT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to initialize the decryption context.")); goto out; } @@ -227,7 +227,7 @@ crypto_decrypt (const char *cipher, data_len); if (s != SECSuccess) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key: %d."), PORT_GetError ()); goto out; @@ -235,7 +235,7 @@ crypto_decrypt (const char *cipher, if (decrypted_len > data_len) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key: decrypted data too large.")); goto out; } @@ -246,7 +246,7 @@ crypto_decrypt (const char *cipher, data_len - decrypted_len); if (s != SECSuccess) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to finalize decryption of the private key: %d."), PORT_GetError ()); goto out; @@ -257,7 +257,7 @@ crypto_decrypt (const char *cipher, /* Check if the padding at the end of the decrypted data is valid */ if (pad_len == 0 || pad_len > real_iv_len) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key: unexpected padding length.")); goto out; } @@ -268,7 +268,7 @@ crypto_decrypt (const char *cipher, for (i = pad_len; i > 0; i--) { if (output[data_len - i] != pad_len) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key.")); goto out; } @@ -329,7 +329,7 @@ crypto_encrypt (const char *cipher, cipher_mech = CKM_AES_CBC_PAD; else { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_UNKNOWN_CIPHER, + NM_CRYPTO_ERROR_UNKNOWN_CIPHER, _("Private key cipher '%s' was unknown."), cipher); return NULL; @@ -351,7 +351,7 @@ crypto_encrypt (const char *cipher, slot = PK11_GetBestSlot (cipher_mech, NULL); if (!slot) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_INIT_FAILED, + NM_CRYPTO_ERROR_FAILED, _("Failed to initialize the encryption cipher slot.")); goto out; } @@ -359,7 +359,7 @@ crypto_encrypt (const char *cipher, sym_key = PK11_ImportSymKey (slot, cipher_mech, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, NULL); if (!sym_key) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED, + NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to set symmetric key for encryption.")); goto out; } @@ -367,7 +367,7 @@ crypto_encrypt (const char *cipher, sec_param = PK11_ParamFromIV (cipher_mech, &iv_item); if (!sec_param) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED, + NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to set IV for encryption.")); goto out; } @@ -375,7 +375,7 @@ crypto_encrypt (const char *cipher, ctx = PK11_CreateContextBySymKey (cipher_mech, CKA_ENCRYPT, sym_key, sec_param); if (!ctx) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_INIT_FAILED, + NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to initialize the encryption context.")); goto out; } @@ -383,7 +383,7 @@ crypto_encrypt (const char *cipher, ret = PK11_CipherOp (ctx, output, &encrypted_len, output_len, padded_buf, padded_buf_len); if (ret != SECSuccess) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED, + NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to encrypt: %d."), PORT_GetError ()); goto out; @@ -391,7 +391,7 @@ crypto_encrypt (const char *cipher, if (encrypted_len != output_len) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED, + NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Unexpected amount of data after encrypting.")); goto out; } @@ -431,7 +431,7 @@ crypto_verify_cert (const unsigned char *data, cert = CERT_DecodeCertFromPackage ((char *) data, len); if (!cert) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CERT_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Couldn't decode certificate: %d"), PORT_GetError()); return NM_CRYPTO_FILE_FORMAT_UNKNOWN; @@ -451,7 +451,7 @@ crypto_verify_pkcs12 (const guint8 *data, SECItem pw = { 0 }; PK11SlotInfo *slot = NULL; SECStatus s; - char *ucs2_password; + gunichar2 *ucs2_password; glong ucs2_chars = 0; #ifndef WORDS_BIGENDIAN guint16 *p; @@ -463,15 +463,16 @@ crypto_verify_pkcs12 (const guint8 *data, /* PKCS#12 passwords are apparently UCS2 BIG ENDIAN, and NSS doesn't do * any conversions for us. */ - if (password && strlen (password)) { - ucs2_password = (char *) g_utf8_to_utf16 (password, strlen (password), NULL, &ucs2_chars, NULL); - if (!ucs2_password || !ucs2_chars) { + if (password && *password) { + if (!g_utf8_validate (password, -1, NULL)) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_INVALID_PASSWORD, - _("Couldn't convert password to UCS2: %d"), - PORT_GetError()); + NM_CRYPTO_ERROR_INVALID_PASSWORD, + _("Password must be UTF-8")); return FALSE; } + ucs2_password = g_utf8_to_utf16 (password, strlen (password), NULL, &ucs2_chars, NULL); + /* Can't fail if g_utf8_validate() succeeded */ + g_return_val_if_fail (ucs2_password != NULL && ucs2_chars != 0, FALSE); ucs2_chars *= 2; /* convert # UCS2 characters -> bytes */ pw.data = PORT_ZAlloc(ucs2_chars + 2); @@ -495,7 +496,7 @@ crypto_verify_pkcs12 (const guint8 *data, p12ctx = SEC_PKCS12DecoderStart (&pw, slot, NULL, NULL, NULL, NULL, NULL, NULL); if (!p12ctx) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_DECODE_FAILED, + NM_CRYPTO_ERROR_FAILED, _("Couldn't initialize PKCS#12 decoder: %d"), PORT_GetError()); goto error; @@ -504,7 +505,7 @@ crypto_verify_pkcs12 (const guint8 *data, s = SEC_PKCS12DecoderUpdate (p12ctx, (guint8 *)data, data_len); if (s != SECSuccess) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_FILE_FORMAT_INVALID, + NM_CRYPTO_ERROR_INVALID_DATA, _("Couldn't decode PKCS#12 file: %d"), PORT_GetError()); goto error; @@ -513,7 +514,7 @@ crypto_verify_pkcs12 (const guint8 *data, s = SEC_PKCS12DecoderVerify (p12ctx); if (s != SECSuccess) { g_set_error (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED, + NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Couldn't verify PKCS#12 file: %d"), PORT_GetError()); goto error; @@ -558,7 +559,7 @@ crypto_randomize (void *buffer, gsize buffer_len, GError **error) s = PK11_GenerateRandom (buffer, buffer_len); if (s != SECSuccess) { g_set_error_literal (error, NM_CRYPTO_ERROR, - NM_CRYPTO_ERR_RANDOMIZE_FAILED, + NM_CRYPTO_ERROR_FAILED, _("Could not generate random data.")); return FALSE; } |