summaryrefslogtreecommitdiff
path: root/libnm-core/nm-crypto.c
diff options
context:
space:
mode:
Diffstat (limited to 'libnm-core/nm-crypto.c')
-rw-r--r--libnm-core/nm-crypto.c1701
1 files changed, 865 insertions, 836 deletions
diff --git a/libnm-core/nm-crypto.c b/libnm-core/nm-crypto.c
index c818701754..6ba7931737 100644
--- a/libnm-core/nm-crypto.c
+++ b/libnm-core/nm-crypto.c
@@ -25,8 +25,8 @@
#define PEM_DSA_KEY_BEGIN "-----BEGIN DSA PRIVATE KEY-----"
#define PEM_DSA_KEY_END "-----END DSA PRIVATE KEY-----"
-#define PEM_CERT_BEGIN "-----BEGIN CERTIFICATE-----"
-#define PEM_CERT_END "-----END CERTIFICATE-----"
+#define PEM_CERT_BEGIN "-----BEGIN CERTIFICATE-----"
+#define PEM_CERT_END "-----END CERTIFICATE-----"
#define PEM_PKCS8_ENC_KEY_BEGIN "-----BEGIN ENCRYPTED PRIVATE KEY-----"
#define PEM_PKCS8_ENC_KEY_END "-----END ENCRYPTED PRIVATE KEY-----"
@@ -35,917 +35,931 @@
#define PEM_PKCS8_DEC_KEY_END "-----END PRIVATE KEY-----"
#define PEM_TPM2_WRAPPED_KEY_BEGIN "-----BEGIN TSS2 PRIVATE KEY-----"
-#define PEM_TPM2_WRAPPED_KEY_END "-----END TSS2 PRIVATE KEY-----"
+#define PEM_TPM2_WRAPPED_KEY_END "-----END TSS2 PRIVATE KEY-----"
#define PEM_TPM2_OLD_WRAPPED_KEY_BEGIN "-----BEGIN TSS2 KEY BLOB-----"
-#define PEM_TPM2_OLD_WRAPPED_KEY_END "-----END TSS2 KEY BLOB-----"
+#define PEM_TPM2_OLD_WRAPPED_KEY_END "-----END TSS2 KEY BLOB-----"
/*****************************************************************************/
static const NMCryptoCipherInfo cipher_infos[] = {
#define _CI(_cipher, _name, _digest_len, _real_iv_len) \
- [(_cipher) - 1] = { .cipher = _cipher, .name = ""_name"", .digest_len = _digest_len, .real_iv_len = _real_iv_len }
- _CI (NM_CRYPTO_CIPHER_DES_EDE3_CBC, "DES-EDE3-CBC", 24, 8),
- _CI (NM_CRYPTO_CIPHER_DES_CBC, "DES-CBC", 8, 8),
- _CI (NM_CRYPTO_CIPHER_AES_128_CBC, "AES-128-CBC", 16, 16),
- _CI (NM_CRYPTO_CIPHER_AES_192_CBC, "AES-192-CBC", 24, 16),
- _CI (NM_CRYPTO_CIPHER_AES_256_CBC, "AES-256-CBC", 32, 16),
+ [(_cipher) -1] = {.cipher = _cipher, \
+ .name = ""_name \
+ "", \
+ .digest_len = _digest_len, \
+ .real_iv_len = _real_iv_len}
+ _CI(NM_CRYPTO_CIPHER_DES_EDE3_CBC, "DES-EDE3-CBC", 24, 8),
+ _CI(NM_CRYPTO_CIPHER_DES_CBC, "DES-CBC", 8, 8),
+ _CI(NM_CRYPTO_CIPHER_AES_128_CBC, "AES-128-CBC", 16, 16),
+ _CI(NM_CRYPTO_CIPHER_AES_192_CBC, "AES-192-CBC", 24, 16),
+ _CI(NM_CRYPTO_CIPHER_AES_256_CBC, "AES-256-CBC", 32, 16),
};
const NMCryptoCipherInfo *
-nm_crypto_cipher_get_info (NMCryptoCipherType cipher)
+nm_crypto_cipher_get_info(NMCryptoCipherType cipher)
{
- g_return_val_if_fail (cipher > NM_CRYPTO_CIPHER_UNKNOWN && (gsize) cipher < G_N_ELEMENTS (cipher_infos) + 1, NULL);
+ g_return_val_if_fail(cipher > NM_CRYPTO_CIPHER_UNKNOWN
+ && (gsize) cipher < G_N_ELEMENTS(cipher_infos) + 1,
+ NULL);
#if NM_MORE_ASSERTS > 10
- {
- int i, j;
-
- for (i = 0; i < (int) G_N_ELEMENTS (cipher_infos); i++) {
- const NMCryptoCipherInfo *info = &cipher_infos[i];
-
- nm_assert (info->cipher == (NMCryptoCipherType) (i + 1));
- nm_assert (info->name && info->name[0]);
- for (j = 0; j < i; j++)
- nm_assert (g_ascii_strcasecmp (info->name, cipher_infos[j].name) != 0);
- }
- }
+ {
+ int i, j;
+
+ for (i = 0; i < (int) G_N_ELEMENTS(cipher_infos); i++) {
+ const NMCryptoCipherInfo *info = &cipher_infos[i];
+
+ nm_assert(info->cipher == (NMCryptoCipherType)(i + 1));
+ nm_assert(info->name && info->name[0]);
+ for (j = 0; j < i; j++)
+ nm_assert(g_ascii_strcasecmp(info->name, cipher_infos[j].name) != 0);
+ }
+ }
#endif
- return &cipher_infos[cipher - 1];
+ return &cipher_infos[cipher - 1];
}
const NMCryptoCipherInfo *
-nm_crypto_cipher_get_info_by_name (const char *cipher_name, gssize p_len)
+nm_crypto_cipher_get_info_by_name(const char *cipher_name, gssize p_len)
{
- int i;
+ int i;
- nm_assert (nm_crypto_cipher_get_info (NM_CRYPTO_CIPHER_DES_CBC)->cipher == NM_CRYPTO_CIPHER_DES_CBC);
+ nm_assert(nm_crypto_cipher_get_info(NM_CRYPTO_CIPHER_DES_CBC)->cipher
+ == NM_CRYPTO_CIPHER_DES_CBC);
- if (p_len < 0) {
- if (!cipher_name)
- return FALSE;
- p_len = strlen (cipher_name);
- }
+ if (p_len < 0) {
+ if (!cipher_name)
+ return FALSE;
+ p_len = strlen(cipher_name);
+ }
- for (i = 0; i < (int) G_N_ELEMENTS (cipher_infos); i++) {
- const NMCryptoCipherInfo *info = &cipher_infos[i];
+ for (i = 0; i < (int) G_N_ELEMENTS(cipher_infos); i++) {
+ const NMCryptoCipherInfo *info = &cipher_infos[i];
- if ( (gsize) p_len == strlen (info->name)
- && g_ascii_strncasecmp (info->name, cipher_name, p_len) == 0)
- return info;
- }
- return NULL;
+ if ((gsize) p_len == strlen(info->name)
+ && g_ascii_strncasecmp(info->name, cipher_name, p_len) == 0)
+ return info;
+ }
+ return NULL;
}
/*****************************************************************************/
static gboolean
-find_tag (const char *tag,
- const guint8 *data,
- gsize data_len,
- gsize start_at,
- gsize *out_pos)
+find_tag(const char *tag, const guint8 *data, gsize data_len, gsize start_at, gsize *out_pos)
{
- const guint8 *p;
- gsize taglen;
+ const guint8 *p;
+ gsize taglen;
- nm_assert (out_pos);
- nm_assert (start_at <= data_len);
+ nm_assert(out_pos);
+ nm_assert(start_at <= data_len);
- taglen = strlen (tag);
+ taglen = strlen(tag);
- p = memmem (&data[start_at], data_len - start_at, tag, taglen);
- if (!p)
- return FALSE;
+ p = memmem(&data[start_at], data_len - start_at, tag, taglen);
+ if (!p)
+ return FALSE;
- *out_pos = p - data;
+ *out_pos = p - data;
- nm_assert (memcmp (&data[*out_pos], tag, taglen) == 0);
+ nm_assert(memcmp(&data[*out_pos], tag, taglen) == 0);
- return TRUE;
+ return TRUE;
}
-#define DEK_INFO_TAG "DEK-Info: "
+#define DEK_INFO_TAG "DEK-Info: "
#define PROC_TYPE_TAG "Proc-Type: "
static char *
-_extract_line (const guint8 **p, const guint8 *p_end)
+_extract_line(const guint8 **p, const guint8 *p_end)
{
- const guint8 *x, *x0;
-
- nm_assert (p);
- nm_assert (p_end);
- nm_assert (*p);
- nm_assert (*p < p_end);
-
- x = x0 = *p;
- while (TRUE) {
- if (x == p_end) {
- *p = p_end;
- break;
- }
- if (*x == '\0') {
- /* the data contains embedded NUL. This is the end. */
- *p = p_end;
- break;
- }
- if (*x == '\n') {
- *p = x + 1;
- break;
- }
- x++;
- }
-
- if (x == x0)
- return NULL;
- return g_strndup ((char *) x0, x - x0);
+ const guint8 *x, *x0;
+
+ nm_assert(p);
+ nm_assert(p_end);
+ nm_assert(*p);
+ nm_assert(*p < p_end);
+
+ x = x0 = *p;
+ while (TRUE) {
+ if (x == p_end) {
+ *p = p_end;
+ break;
+ }
+ if (*x == '\0') {
+ /* the data contains embedded NUL. This is the end. */
+ *p = p_end;
+ break;
+ }
+ if (*x == '\n') {
+ *p = x + 1;
+ break;
+ }
+ x++;
+ }
+
+ if (x == x0)
+ return NULL;
+ return g_strndup((char *) x0, x - x0);
}
static gboolean
-parse_old_openssl_key_file (const guint8 *data,
- gsize data_len,
- NMSecretPtr *out_parsed,
- NMCryptoKeyType *out_key_type,
- NMCryptoCipherType *out_cipher,
- char **out_iv,
- GError **error)
+parse_old_openssl_key_file(const guint8 * data,
+ gsize data_len,
+ NMSecretPtr * out_parsed,
+ NMCryptoKeyType * out_key_type,
+ NMCryptoCipherType *out_cipher,
+ char ** out_iv,
+ GError ** error)
{
- gsize start = 0, end = 0;
- nm_auto_free_secret char *str = NULL;
- char *str_p;
- gsize str_len;
- int enc_tags = 0;
- NMCryptoKeyType key_type;
- nm_auto_clear_secret_ptr NMSecretPtr parsed = { 0 };
- nm_auto_free_secret char *iv = NULL;
- NMCryptoCipherType cipher = NM_CRYPTO_CIPHER_UNKNOWN;
- const char *start_tag;
- const char *end_tag;
- const guint8 *data_start, *data_end;
-
- nm_assert (!out_parsed || (out_parsed->len == 0 && !out_parsed->bin));
- nm_assert (!out_iv || !*out_iv);
-
- NM_SET_OUT (out_key_type, NM_CRYPTO_KEY_TYPE_UNKNOWN);
- NM_SET_OUT (out_cipher, NM_CRYPTO_CIPHER_UNKNOWN);
-
- if (find_tag (PEM_RSA_KEY_BEGIN, data, data_len, 0, &start)) {
- key_type = NM_CRYPTO_KEY_TYPE_RSA;
- start_tag = PEM_RSA_KEY_BEGIN;
- end_tag = PEM_RSA_KEY_END;
- } else if (find_tag (PEM_DSA_KEY_BEGIN, data, data_len, 0, &start)) {
- key_type = NM_CRYPTO_KEY_TYPE_DSA;
- start_tag = PEM_DSA_KEY_BEGIN;
- end_tag = PEM_DSA_KEY_END;
- } else {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("PEM key file had no start tag"));
- return FALSE;
- }
-
- start += strlen (start_tag);
- if (!find_tag (end_tag, data, data_len, start, &end)) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("PEM key file had no end tag '%s'."),
- end_tag);
- return FALSE;
- }
-
- str_len = end - start + 1;
- str = g_new (char, str_len);
- str[0] = '\0';
- str_p = str;
-
- data_start = &data[start];
- data_end = &data[end];
-
- while (data_start < data_end) {
- nm_auto_free_secret char *line = NULL;
- char *p;
-
- line = _extract_line (&data_start, data_end);
- if (!line)
- continue;
-
- p = nm_secret_strchomp (nm_str_skip_leading_spaces (line));
-
- if (!strncmp (p, PROC_TYPE_TAG, strlen (PROC_TYPE_TAG))) {
- if (enc_tags++ != 0 || str_p != str) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Malformed PEM file: Proc-Type was not first tag."));
- return FALSE;
- }
-
- p += strlen (PROC_TYPE_TAG);
- if (strcmp (p, "4,ENCRYPTED")) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Malformed PEM file: unknown Proc-Type tag '%s'."),
- p);
- return FALSE;
- }
- } else if (!strncmp (p, DEK_INFO_TAG, strlen (DEK_INFO_TAG))) {
- const NMCryptoCipherInfo *cipher_info;
- char *comma;
- gsize p_len;
-
- if (enc_tags++ != 1 || str_p != str) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Malformed PEM file: DEK-Info was not the second tag."));
- return FALSE;
- }
-
- p += strlen (DEK_INFO_TAG);
-
- /* Grab the IV first */
- comma = strchr (p, ',');
- if (!comma || (*(comma + 1) == '\0')) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Malformed PEM file: no IV found in DEK-Info tag."));
- return FALSE;
- }
- p_len = comma - p;
- comma++;
- if (!g_ascii_isxdigit (*comma)) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Malformed PEM file: invalid format of IV in DEK-Info tag."));
- return FALSE;
- }
- nm_free_secret (iv);
- iv = g_strdup (comma);
-
- /* Get the private key cipher */
- cipher_info = nm_crypto_cipher_get_info_by_name (p, p_len);
- if (!cipher_info) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Malformed PEM file: unknown private key cipher '%s'."),
- p);
- return FALSE;
- }
- cipher = cipher_info->cipher;
- } else {
- if (enc_tags == 1) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- "Malformed PEM file: both Proc-Type and DEK-Info tags are required.");
- return FALSE;
- }
- nm_utils_strbuf_append_str (&str_p, &str_len, p);
- nm_assert (str_len > 0);
- }
- }
-
- parsed.bin = (guint8 *) g_base64_decode (str, &parsed.len);
- if (!parsed.bin || parsed.len == 0) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Could not decode private key."));
- nm_secret_ptr_clear (&parsed);
- return FALSE;
- }
-
- NM_SET_OUT (out_key_type, key_type);
- NM_SET_OUT (out_iv, g_steal_pointer (&iv));
- NM_SET_OUT (out_cipher, cipher);
- nm_secret_ptr_move (out_parsed, &parsed);
- return TRUE;
+ gsize start = 0, end = 0;
+ nm_auto_free_secret char * str = NULL;
+ char * str_p;
+ gsize str_len;
+ int enc_tags = 0;
+ NMCryptoKeyType key_type;
+ nm_auto_clear_secret_ptr NMSecretPtr parsed = {0};
+ nm_auto_free_secret char * iv = NULL;
+ NMCryptoCipherType cipher = NM_CRYPTO_CIPHER_UNKNOWN;
+ const char * start_tag;
+ const char * end_tag;
+ const guint8 * data_start, *data_end;
+
+ nm_assert(!out_parsed || (out_parsed->len == 0 && !out_parsed->bin));
+ nm_assert(!out_iv || !*out_iv);
+
+ NM_SET_OUT(out_key_type, NM_CRYPTO_KEY_TYPE_UNKNOWN);
+ NM_SET_OUT(out_cipher, NM_CRYPTO_CIPHER_UNKNOWN);
+
+ if (find_tag(PEM_RSA_KEY_BEGIN, data, data_len, 0, &start)) {
+ key_type = NM_CRYPTO_KEY_TYPE_RSA;
+ start_tag = PEM_RSA_KEY_BEGIN;
+ end_tag = PEM_RSA_KEY_END;
+ } else if (find_tag(PEM_DSA_KEY_BEGIN, data, data_len, 0, &start)) {
+ key_type = NM_CRYPTO_KEY_TYPE_DSA;
+ start_tag = PEM_DSA_KEY_BEGIN;
+ end_tag = PEM_DSA_KEY_END;
+ } else {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("PEM key file had no start tag"));
+ return FALSE;
+ }
+
+ start += strlen(start_tag);
+ if (!find_tag(end_tag, data, data_len, start, &end)) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("PEM key file had no end tag '%s'."),
+ end_tag);
+ return FALSE;
+ }
+
+ str_len = end - start + 1;
+ str = g_new(char, str_len);
+ str[0] = '\0';
+ str_p = str;
+
+ data_start = &data[start];
+ data_end = &data[end];
+
+ while (data_start < data_end) {
+ nm_auto_free_secret char *line = NULL;
+ char * p;
+
+ line = _extract_line(&data_start, data_end);
+ if (!line)
+ continue;
+
+ p = nm_secret_strchomp(nm_str_skip_leading_spaces(line));
+
+ if (!strncmp(p, PROC_TYPE_TAG, strlen(PROC_TYPE_TAG))) {
+ if (enc_tags++ != 0 || str_p != str) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Malformed PEM file: Proc-Type was not first tag."));
+ return FALSE;
+ }
+
+ p += strlen(PROC_TYPE_TAG);
+ if (strcmp(p, "4,ENCRYPTED")) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Malformed PEM file: unknown Proc-Type tag '%s'."),
+ p);
+ return FALSE;
+ }
+ } else if (!strncmp(p, DEK_INFO_TAG, strlen(DEK_INFO_TAG))) {
+ const NMCryptoCipherInfo *cipher_info;
+ char * comma;
+ gsize p_len;
+
+ if (enc_tags++ != 1 || str_p != str) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Malformed PEM file: DEK-Info was not the second tag."));
+ return FALSE;
+ }
+
+ p += strlen(DEK_INFO_TAG);
+
+ /* Grab the IV first */
+ comma = strchr(p, ',');
+ if (!comma || (*(comma + 1) == '\0')) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Malformed PEM file: no IV found in DEK-Info tag."));
+ return FALSE;
+ }
+ p_len = comma - p;
+ comma++;
+ if (!g_ascii_isxdigit(*comma)) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Malformed PEM file: invalid format of IV in DEK-Info tag."));
+ return FALSE;
+ }
+ nm_free_secret(iv);
+ iv = g_strdup(comma);
+
+ /* Get the private key cipher */
+ cipher_info = nm_crypto_cipher_get_info_by_name(p, p_len);
+ if (!cipher_info) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Malformed PEM file: unknown private key cipher '%s'."),
+ p);
+ return FALSE;
+ }
+ cipher = cipher_info->cipher;
+ } else {
+ if (enc_tags == 1) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ "Malformed PEM file: both Proc-Type and DEK-Info tags are required.");
+ return FALSE;
+ }
+ nm_utils_strbuf_append_str(&str_p, &str_len, p);
+ nm_assert(str_len > 0);
+ }
+ }
+
+ parsed.bin = (guint8 *) g_base64_decode(str, &parsed.len);
+ if (!parsed.bin || parsed.len == 0) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Could not decode private key."));
+ nm_secret_ptr_clear(&parsed);
+ return FALSE;
+ }
+
+ NM_SET_OUT(out_key_type, key_type);
+ NM_SET_OUT(out_iv, g_steal_pointer(&iv));
+ NM_SET_OUT(out_cipher, cipher);
+ nm_secret_ptr_move(out_parsed, &parsed);
+ return TRUE;
}
static gboolean
-parse_pkcs8_key_file (const guint8 *data,
- gsize data_len,
- NMSecretPtr *parsed,
- gboolean *out_encrypted,
- GError **error)
+parse_pkcs8_key_file(const guint8 *data,
+ gsize data_len,
+ NMSecretPtr * parsed,
+ gboolean * out_encrypted,
+ GError ** error)
{
- gsize start = 0, end = 0;
- const char *start_tag = NULL, *end_tag = NULL;
- gboolean encrypted = FALSE;
- nm_auto_free_secret char *der_base64 = NULL;
-
- nm_assert (parsed);
- nm_assert (!parsed->bin);
- nm_assert (parsed->len == 0);
- nm_assert (out_encrypted);
-
- /* Try encrypted first, decrypted next */
- if (find_tag (PEM_PKCS8_ENC_KEY_BEGIN, data, data_len, 0, &start)) {
- start_tag = PEM_PKCS8_ENC_KEY_BEGIN;
- end_tag = PEM_PKCS8_ENC_KEY_END;
- encrypted = TRUE;
- } else if (find_tag (PEM_PKCS8_DEC_KEY_BEGIN, data, data_len, 0, &start)) {
- start_tag = PEM_PKCS8_DEC_KEY_BEGIN;
- end_tag = PEM_PKCS8_DEC_KEY_END;
- encrypted = FALSE;
- } else {
- g_set_error_literal (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Failed to find expected PKCS#8 start tag."));
- return FALSE;
- }
-
- start += strlen (start_tag);
- if (!find_tag (end_tag, data, data_len, start, &end)) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Failed to find expected PKCS#8 end tag '%s'."),
- end_tag);
- return FALSE;
- }
-
- /* g_base64_decode() wants a NULL-terminated string */
- der_base64 = g_strndup ((char *) &data[start], end - start);
-
- parsed->bin = (guint8 *) g_base64_decode (der_base64, &parsed->len);
- if (!parsed->bin || parsed->len == 0) {
- g_set_error_literal (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Failed to decode PKCS#8 private key."));
- nm_secret_ptr_clear (parsed);
- return FALSE;
- }
-
- *out_encrypted = encrypted;
- return TRUE;
+ gsize start = 0, end = 0;
+ const char * start_tag = NULL, *end_tag = NULL;
+ gboolean encrypted = FALSE;
+ nm_auto_free_secret char *der_base64 = NULL;
+
+ nm_assert(parsed);
+ nm_assert(!parsed->bin);
+ nm_assert(parsed->len == 0);
+ nm_assert(out_encrypted);
+
+ /* Try encrypted first, decrypted next */
+ if (find_tag(PEM_PKCS8_ENC_KEY_BEGIN, data, data_len, 0, &start)) {
+ start_tag = PEM_PKCS8_ENC_KEY_BEGIN;
+ end_tag = PEM_PKCS8_ENC_KEY_END;
+ encrypted = TRUE;
+ } else if (find_tag(PEM_PKCS8_DEC_KEY_BEGIN, data, data_len, 0, &start)) {
+ start_tag = PEM_PKCS8_DEC_KEY_BEGIN;
+ end_tag = PEM_PKCS8_DEC_KEY_END;
+ encrypted = FALSE;
+ } else {
+ g_set_error_literal(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Failed to find expected PKCS#8 start tag."));
+ return FALSE;
+ }
+
+ start += strlen(start_tag);
+ if (!find_tag(end_tag, data, data_len, start, &end)) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Failed to find expected PKCS#8 end tag '%s'."),
+ end_tag);
+ return FALSE;
+ }
+
+ /* g_base64_decode() wants a NULL-terminated string */
+ der_base64 = g_strndup((char *) &data[start], end - start);
+
+ parsed->bin = (guint8 *) g_base64_decode(der_base64, &parsed->len);
+ if (!parsed->bin || parsed->len == 0) {
+ g_set_error_literal(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Failed to decode PKCS#8 private key."));
+ nm_secret_ptr_clear(parsed);
+ return FALSE;
+ }
+
+ *out_encrypted = encrypted;
+ return TRUE;
}
static gboolean
-parse_tpm2_wrapped_key_file (const guint8 *data,
- gsize data_len,
- gboolean *out_encrypted,
- GError **error)
+parse_tpm2_wrapped_key_file(const guint8 *data,
+ gsize data_len,
+ gboolean * out_encrypted,
+ GError ** error)
{
- gsize start = 0, end = 0;
- const char *start_tag = NULL, *end_tag = NULL;
-
- nm_assert (out_encrypted);
-
- if (find_tag (PEM_TPM2_WRAPPED_KEY_BEGIN, data, data_len, 0, &start)) {
- start_tag = PEM_TPM2_WRAPPED_KEY_BEGIN;
- end_tag = PEM_TPM2_WRAPPED_KEY_END;
- } else if (find_tag (PEM_TPM2_OLD_WRAPPED_KEY_BEGIN, data, data_len, 0, &start)) {
- start_tag = PEM_TPM2_OLD_WRAPPED_KEY_BEGIN;
- end_tag = PEM_TPM2_OLD_WRAPPED_KEY_END;
- } else {
- g_set_error_literal (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Failed to find expected TSS start tag."));
- return FALSE;
- }
-
- start += strlen (start_tag);
- if (!find_tag (end_tag, data, data_len, start, &end)) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Failed to find expected TSS end tag '%s'."),
- end_tag);
- return FALSE;
- }
-
- *out_encrypted = FALSE;
- return TRUE;
+ gsize start = 0, end = 0;
+ const char *start_tag = NULL, *end_tag = NULL;
+
+ nm_assert(out_encrypted);
+
+ if (find_tag(PEM_TPM2_WRAPPED_KEY_BEGIN, data, data_len, 0, &start)) {
+ start_tag = PEM_TPM2_WRAPPED_KEY_BEGIN;
+ end_tag = PEM_TPM2_WRAPPED_KEY_END;
+ } else if (find_tag(PEM_TPM2_OLD_WRAPPED_KEY_BEGIN, data, data_len, 0, &start)) {
+ start_tag = PEM_TPM2_OLD_WRAPPED_KEY_BEGIN;
+ end_tag = PEM_TPM2_OLD_WRAPPED_KEY_END;
+ } else {
+ g_set_error_literal(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Failed to find expected TSS start tag."));
+ return FALSE;
+ }
+
+ start += strlen(start_tag);
+ if (!find_tag(end_tag, data, data_len, start, &end)) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Failed to find expected TSS end tag '%s'."),
+ end_tag);
+ return FALSE;
+ }
+
+ *out_encrypted = FALSE;
+ return TRUE;
}
static gboolean
-file_read_contents (const char *filename,
- NMSecretPtr *out_contents,
- GError **error)
+file_read_contents(const char *filename, NMSecretPtr *out_contents, GError **error)
{
- nm_assert (out_contents);
- nm_assert (out_contents->len == 0);
- nm_assert (!out_contents->str);
-
- return nm_utils_file_get_contents (-1,
- filename,
- 100*1024*1024,
- NM_UTILS_FILE_GET_CONTENTS_FLAG_SECRET,
- &out_contents->str,
- &out_contents->len,
- NULL,
- error);
+ nm_assert(out_contents);
+ nm_assert(out_contents->len == 0);
+ nm_assert(!out_contents->str);
+
+ return nm_utils_file_get_contents(-1,
+ filename,
+ 100 * 1024 * 1024,
+ NM_UTILS_FILE_GET_CONTENTS_FLAG_SECRET,
+ &out_contents->str,
+ &out_contents->len,
+ NULL,
+ error);
}
GBytes *
-nm_crypto_read_file (const char *filename,
- GError **error)
+nm_crypto_read_file(const char *filename, GError **error)
{
- nm_auto_clear_secret_ptr NMSecretPtr contents = { 0 };
+ nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
- g_return_val_if_fail (filename, NULL);
+ g_return_val_if_fail(filename, NULL);
- if (!file_read_contents (filename, &contents, error))
- return NULL;
- return nm_secret_copy_to_gbytes (contents.bin, contents.len);
+ if (!file_read_contents(filename, &contents, error))
+ return NULL;
+ return nm_secret_copy_to_gbytes(contents.bin, contents.len);
}
/*
* Convert a hex string into bytes.
*/
static guint8 *
-_nmtst_convert_iv (const char *src,
- gsize *out_len,
- GError **error)
+_nmtst_convert_iv(const char *src, gsize *out_len, GError **error)
{
- gsize i, num;
- gs_free guint8 *c = NULL;
- int c0, c1;
+ gsize i, num;
+ gs_free guint8 *c = NULL;
+ int c0, c1;
- nm_assert (src);
+ nm_assert(src);
- num = strlen (src);
- if ( num == 0
- || (num % 2) != 0) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("IV must be an even number of bytes in length."));
- return NULL;
- }
+ num = strlen(src);
+ if (num == 0 || (num % 2) != 0) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("IV must be an even number of bytes in length."));
+ return NULL;
+ }
- num /= 2;
- c = g_malloc (num + 1);
+ num /= 2;
+ c = g_malloc(num + 1);
- /* defensively add trailing NUL. This function returns binary data,
+ /* defensively add trailing NUL. This function returns binary data,
* do not assume it's NUL terminated. */
- c[num] = '\0';
-
- for (i = 0; i < num; i++) {
- if ( ((c0 = nm_utils_hexchar_to_int (*(src++))) < 0)
- || ((c1 = nm_utils_hexchar_to_int (*(src++))) < 0)) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("IV contains non-hexadecimal digits."));
- nm_explicit_bzero (c, i);
- return FALSE;
- }
-
- c[i] = (c0 << 4) + c1;
- }
- *out_len = num;
- return g_steal_pointer (&c);
+ c[num] = '\0';
+
+ for (i = 0; i < num; i++) {
+ if (((c0 = nm_utils_hexchar_to_int(*(src++))) < 0)
+ || ((c1 = nm_utils_hexchar_to_int(*(src++))) < 0)) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("IV contains non-hexadecimal digits."));
+ nm_explicit_bzero(c, i);
+ return FALSE;
+ }
+
+ c[i] = (c0 << 4) + c1;
+ }
+ *out_len = num;
+ return g_steal_pointer(&c);
}
guint8 *
-nmtst_crypto_make_des_aes_key (NMCryptoCipherType cipher,
- const guint8 *salt,
- gsize salt_len,
- const char *password,
- gsize *out_len,
- GError **error)
+nmtst_crypto_make_des_aes_key(NMCryptoCipherType cipher,
+ const guint8 * salt,
+ gsize salt_len,
+ const char * password,
+ gsize * out_len,
+ GError ** error)
{
- guint8 *key;
- const NMCryptoCipherInfo *cipher_info;
+ guint8 * key;
+ const NMCryptoCipherInfo *cipher_info;
- g_return_val_if_fail (salt != NULL, NULL);
- g_return_val_if_fail (salt_len >= 8, NULL);
- g_return_val_if_fail (password != NULL, NULL);
- g_return_val_if_fail (out_len != NULL, NULL);
+ g_return_val_if_fail(salt != NULL, NULL);
+ g_return_val_if_fail(salt_len >= 8, NULL);
+ g_return_val_if_fail(password != NULL, NULL);
+ g_return_val_if_fail(out_len != NULL, NULL);
- *out_len = 0;
+ *out_len = 0;
- cipher_info = nm_crypto_cipher_get_info (cipher);
+ cipher_info = nm_crypto_cipher_get_info(cipher);
- g_return_val_if_fail (cipher_info, NULL);
+ g_return_val_if_fail(cipher_info, NULL);
- if (password[0] == '\0')
- return NULL;
+ if (password[0] == '\0')
+ return NULL;
- key = g_malloc (cipher_info->digest_len);
+ key = g_malloc(cipher_info->digest_len);
- nm_crypto_md5_hash (salt,
- 8,
- (guint8 *) password,
- strlen (password),
- key,
- cipher_info->digest_len);
+ nm_crypto_md5_hash(salt,
+ 8,
+ (guint8 *) password,
+ strlen(password),
+ key,
+ cipher_info->digest_len);
- *out_len = cipher_info->digest_len;
- return key;
+ *out_len = cipher_info->digest_len;
+ return key;
}
static gboolean
-_nmtst_decrypt_key (NMCryptoCipherType cipher,
- const guint8 *data,
- gsize data_len,
- const char *iv,
- const char *password,
- NMSecretPtr *parsed,
- GError **error)
+_nmtst_decrypt_key(NMCryptoCipherType cipher,
+ const guint8 * data,
+ gsize data_len,
+ const char * iv,
+ const char * password,
+ NMSecretPtr * parsed,
+ GError ** error)
{
- nm_auto_clear_secret_ptr NMSecretPtr bin_iv = { 0 };
- nm_auto_clear_secret_ptr NMSecretPtr key = { 0 };
-
- nm_assert (password);
- nm_assert (cipher != NM_CRYPTO_CIPHER_UNKNOWN);
- nm_assert (iv);
- nm_assert (parsed);
- nm_assert (!parsed->bin);
- nm_assert (parsed->len == 0);
-
- bin_iv.bin = _nmtst_convert_iv (iv, &bin_iv.len, error);
- if (!bin_iv.bin)
- return FALSE;
-
- if (bin_iv.len < 8) {
- g_set_error (error,
- NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("IV must contain at least 8 characters"));
- return FALSE;
- }
-
- /* Convert the password and IV into a DES or AES key */
- key.bin = nmtst_crypto_make_des_aes_key (cipher, bin_iv.bin, bin_iv.len, password, &key.len, error);
- if (!key.bin || !key.len)
- return FALSE;
-
- parsed->bin = _nmtst_crypto_decrypt (cipher,
- data,
- data_len,
- bin_iv.bin,
- bin_iv.len,
- key.bin,
- key.len,
- &parsed->len,
- error);
- if (!parsed->bin || parsed->len == 0) {
- nm_secret_ptr_clear (parsed);
- return FALSE;
- }
-
- return TRUE;
+ nm_auto_clear_secret_ptr NMSecretPtr bin_iv = {0};
+ nm_auto_clear_secret_ptr NMSecretPtr key = {0};
+
+ nm_assert(password);
+ nm_assert(cipher != NM_CRYPTO_CIPHER_UNKNOWN);
+ nm_assert(iv);
+ nm_assert(parsed);
+ nm_assert(!parsed->bin);
+ nm_assert(parsed->len == 0);
+
+ bin_iv.bin = _nmtst_convert_iv(iv, &bin_iv.len, error);
+ if (!bin_iv.bin)
+ return FALSE;
+
+ if (bin_iv.len < 8) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("IV must contain at least 8 characters"));
+ return FALSE;
+ }
+
+ /* Convert the password and IV into a DES or AES key */
+ key.bin =
+ nmtst_crypto_make_des_aes_key(cipher, bin_iv.bin, bin_iv.len, password, &key.len, error);
+ if (!key.bin || !key.len)
+ return FALSE;
+
+ parsed->bin = _nmtst_crypto_decrypt(cipher,
+ data,
+ data_len,
+ bin_iv.bin,
+ bin_iv.len,
+ key.bin,
+ key.len,
+ &parsed->len,
+ error);
+ if (!parsed->bin || parsed->len == 0) {
+ nm_secret_ptr_clear(parsed);
+ return FALSE;
+ }
+
+ return TRUE;
}
GBytes *
-nmtst_crypto_decrypt_openssl_private_key_data (const guint8 *data,
- gsize data_len,
- const char *password,
- NMCryptoKeyType *out_key_type,
- GError **error)
+nmtst_crypto_decrypt_openssl_private_key_data(const guint8 * data,
+ gsize data_len,
+ const char * password,
+ NMCryptoKeyType *out_key_type,
+ GError ** error)
{
- NMCryptoKeyType key_type = NM_CRYPTO_KEY_TYPE_UNKNOWN;
- nm_auto_clear_secret_ptr NMSecretPtr parsed = { 0 };
- nm_auto_free_secret char *iv = NULL;
- NMCryptoCipherType cipher = NM_CRYPTO_CIPHER_UNKNOWN;
+ NMCryptoKeyType key_type = NM_CRYPTO_KEY_TYPE_UNKNOWN;
+ nm_auto_clear_secret_ptr NMSecretPtr parsed = {0};
+ nm_auto_free_secret char * iv = NULL;
+ NMCryptoCipherType cipher = NM_CRYPTO_CIPHER_UNKNOWN;
- g_return_val_if_fail (data != NULL, NULL);
+ g_return_val_if_fail(data != NULL, NULL);
- NM_SET_OUT (out_key_type, NM_CRYPTO_KEY_TYPE_UNKNOWN);
+ NM_SET_OUT(out_key_type, NM_CRYPTO_KEY_TYPE_UNKNOWN);
- if (!_nm_crypto_init (error))
- return NULL;
+ if (!_nm_crypto_init(error))
+ return NULL;
- if (!parse_old_openssl_key_file (data, data_len, &parsed, &key_type, &cipher, &iv, NULL)) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Unable to determine private key type."));
- return NULL;
- }
+ if (!parse_old_openssl_key_file(data, data_len, &parsed, &key_type, &cipher, &iv, NULL)) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Unable to determine private key type."));
+ return NULL;
+ }
- NM_SET_OUT (out_key_type, key_type);
+ NM_SET_OUT(out_key_type, key_type);
- if (password) {
- nm_auto_clear_secret_ptr NMSecretPtr parsed2 = { 0 };
+ if (password) {
+ nm_auto_clear_secret_ptr NMSecretPtr parsed2 = {0};
- if (cipher == NM_CRYPTO_CIPHER_UNKNOWN || !iv) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_PASSWORD,
- _("Password provided, but key was not encrypted."));
- return NULL;
- }
+ if (cipher == NM_CRYPTO_CIPHER_UNKNOWN || !iv) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_PASSWORD,
+ _("Password provided, but key was not encrypted."));
+ return NULL;
+ }
- if (!_nmtst_decrypt_key (cipher,
- parsed.bin,
- parsed.len,
- iv,
- password,
- &parsed2,
- error))
- return NULL;
+ if (!_nmtst_decrypt_key(cipher, parsed.bin, parsed.len, iv, password, &parsed2, error))
+ return NULL;
- return nm_secret_copy_to_gbytes (parsed2.bin, parsed2.len);
- }
+ return nm_secret_copy_to_gbytes(parsed2.bin, parsed2.len);
+ }
- if (cipher != NM_CRYPTO_CIPHER_UNKNOWN || iv)
- return NULL;
+ if (cipher != NM_CRYPTO_CIPHER_UNKNOWN || iv)
+ return NULL;
- return nm_secret_copy_to_gbytes (parsed.bin, parsed.len);
+ return nm_secret_copy_to_gbytes(parsed.bin, parsed.len);
}
GBytes *
-nmtst_crypto_decrypt_openssl_private_key (const char *file,
- const char *password,
- NMCryptoKeyType *out_key_type,
- GError **error)
+nmtst_crypto_decrypt_openssl_private_key(const char * file,
+ const char * password,
+ NMCryptoKeyType *out_key_type,
+ GError ** error)
{
- nm_auto_clear_secret_ptr NMSecretPtr contents = { 0 };
+ nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
- if (!_nm_crypto_init (error))
- return NULL;
+ if (!_nm_crypto_init(error))
+ return NULL;
- if (!file_read_contents (file, &contents, error))
- return NULL;
+ if (!file_read_contents(file, &contents, error))
+ return NULL;
- return nmtst_crypto_decrypt_openssl_private_key_data (contents.bin,
- contents.len,
- password,
- out_key_type,
- error);
+ return nmtst_crypto_decrypt_openssl_private_key_data(contents.bin,
+ contents.len,
+ password,
+ out_key_type,
+ error);
}
static gboolean
-extract_pem_cert_data (const guint8 *contents,
- gsize contents_len,
- NMSecretPtr *out_cert,
- GError **error)
+extract_pem_cert_data(const guint8 *contents,
+ gsize contents_len,
+ NMSecretPtr * out_cert,
+ GError ** error)
{
- gsize start = 0;
- gsize end = 0;
- nm_auto_free_secret char *der_base64 = NULL;
-
- nm_assert (contents);
- nm_assert (out_cert);
- nm_assert (out_cert->len == 0);
- nm_assert (!out_cert->ptr);
-
- if (!find_tag (PEM_CERT_BEGIN, contents, contents_len, 0, &start)) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("PEM certificate had no start tag '%s'."),
- PEM_CERT_BEGIN);
- return FALSE;
- }
-
- start += strlen (PEM_CERT_BEGIN);
- if (!find_tag (PEM_CERT_END, contents, contents_len, start, &end)) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("PEM certificate had no end tag '%s'."),
- PEM_CERT_END);
- return FALSE;
- }
-
- /* g_base64_decode() wants a NULL-terminated string */
- der_base64 = g_strndup ((const char *) &contents[start], end - start);
-
- out_cert->bin = (guint8 *) g_base64_decode (der_base64, &out_cert->len);
- if (!out_cert->bin || !out_cert->len) {
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Failed to decode certificate."));
- nm_secret_ptr_clear (out_cert);
- return FALSE;
- }
-
- return TRUE;
+ gsize start = 0;
+ gsize end = 0;
+ nm_auto_free_secret char *der_base64 = NULL;
+
+ nm_assert(contents);
+ nm_assert(out_cert);
+ nm_assert(out_cert->len == 0);
+ nm_assert(!out_cert->ptr);
+
+ if (!find_tag(PEM_CERT_BEGIN, contents, contents_len, 0, &start)) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("PEM certificate had no start tag '%s'."),
+ PEM_CERT_BEGIN);
+ return FALSE;
+ }
+
+ start += strlen(PEM_CERT_BEGIN);
+ if (!find_tag(PEM_CERT_END, contents, contents_len, start, &end)) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("PEM certificate had no end tag '%s'."),
+ PEM_CERT_END);
+ return FALSE;
+ }
+
+ /* g_base64_decode() wants a NULL-terminated string */
+ der_base64 = g_strndup((const char *) &contents[start], end - start);
+
+ out_cert->bin = (guint8 *) g_base64_decode(der_base64, &out_cert->len);
+ if (!out_cert->bin || !out_cert->len) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Failed to decode certificate."));
+ nm_secret_ptr_clear(out_cert);
+ return FALSE;
+ }
+
+ return TRUE;
}
gboolean
-nm_crypto_load_and_verify_certificate (const char *file,
- NMCryptoFileFormat *out_file_format,
- GBytes **out_certificate,
- GError **error)
+nm_crypto_load_and_verify_certificate(const char * file,
+ NMCryptoFileFormat *out_file_format,
+ GBytes ** out_certificate,
+ GError ** error)
{
- nm_auto_clear_secret_ptr NMSecretPtr contents = { 0 };
-
- g_return_val_if_fail (file, FALSE);
- nm_assert (!error || !*error);
-
- if (!_nm_crypto_init (error))
- goto out;
-
- if (!file_read_contents (file, &contents, error))
- goto out;
-
- if (contents.len == 0) {
- g_set_error (error,
- NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Certificate file is empty"));
- goto out;
- }
-
- /* Check for PKCS#12 */
- if (nm_crypto_is_pkcs12_data (contents.bin, contents.len, NULL)) {
- NM_SET_OUT (out_file_format, NM_CRYPTO_FILE_FORMAT_PKCS12);
- NM_SET_OUT (out_certificate, nm_secret_copy_to_gbytes (contents.bin, contents.len));
- return TRUE;
- }
-
- /* Check for plain DER format */
- if (contents.len > 2 && contents.bin[0] == 0x30 && contents.bin[1] == 0x82) {
- if (_nm_crypto_verify_x509 (contents.bin, contents.len, NULL)) {
- NM_SET_OUT (out_file_format, NM_CRYPTO_FILE_FORMAT_X509);
- NM_SET_OUT (out_certificate, nm_secret_copy_to_gbytes (contents.bin, contents.len));
- return TRUE;
- }
- } else {
- nm_auto_clear_secret_ptr NMSecretPtr pem_cert = { 0 };
-
- if (extract_pem_cert_data (contents.bin, contents.len, &pem_cert, NULL)) {
- if (_nm_crypto_verify_x509 (pem_cert.bin, pem_cert.len, NULL)) {
- NM_SET_OUT (out_file_format, NM_CRYPTO_FILE_FORMAT_X509);
- NM_SET_OUT (out_certificate, nm_secret_copy_to_gbytes (contents.bin, contents.len));
- return TRUE;
- }
- }
- }
-
- g_set_error (error,
- NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Failed to recognize certificate"));
+ nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
+
+ g_return_val_if_fail(file, FALSE);
+ nm_assert(!error || !*error);
+
+ if (!_nm_crypto_init(error))
+ goto out;
+
+ if (!file_read_contents(file, &contents, error))
+ goto out;
+
+ if (contents.len == 0) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Certificate file is empty"));
+ goto out;
+ }
+
+ /* Check for PKCS#12 */
+ if (nm_crypto_is_pkcs12_data(contents.bin, contents.len, NULL)) {
+ NM_SET_OUT(out_file_format, NM_CRYPTO_FILE_FORMAT_PKCS12);
+ NM_SET_OUT(out_certificate, nm_secret_copy_to_gbytes(contents.bin, contents.len));
+ return TRUE;
+ }
+
+ /* Check for plain DER format */
+ if (contents.len > 2 && contents.bin[0] == 0x30 && contents.bin[1] == 0x82) {
+ if (_nm_crypto_verify_x509(contents.bin, contents.len, NULL)) {
+ NM_SET_OUT(out_file_format, NM_CRYPTO_FILE_FORMAT_X509);
+ NM_SET_OUT(out_certificate, nm_secret_copy_to_gbytes(contents.bin, contents.len));
+ return TRUE;
+ }
+ } else {
+ nm_auto_clear_secret_ptr NMSecretPtr pem_cert = {0};
+
+ if (extract_pem_cert_data(contents.bin, contents.len, &pem_cert, NULL)) {
+ if (_nm_crypto_verify_x509(pem_cert.bin, pem_cert.len, NULL)) {
+ NM_SET_OUT(out_file_format, NM_CRYPTO_FILE_FORMAT_X509);
+ NM_SET_OUT(out_certificate, nm_secret_copy_to_gbytes(contents.bin, contents.len));
+ return TRUE;
+ }
+ }
+ }
+
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Failed to recognize certificate"));
out:
- NM_SET_OUT (out_file_format, NM_CRYPTO_FILE_FORMAT_UNKNOWN);
- NM_SET_OUT (out_certificate, NULL);
- return FALSE;
+ NM_SET_OUT(out_file_format, NM_CRYPTO_FILE_FORMAT_UNKNOWN);
+ NM_SET_OUT(out_certificate, NULL);
+ return FALSE;
}
gboolean
-nm_crypto_is_pkcs12_data (const guint8 *data,
- gsize data_len,
- GError **error)
+nm_crypto_is_pkcs12_data(const guint8 *data, gsize data_len, GError **error)
{
- GError *local = NULL;
- gboolean success;
-
- if (!data_len) {
- g_set_error (error,
- NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("Certificate file is empty"));
- return FALSE;
- }
-
- g_return_val_if_fail (data != NULL, FALSE);
-
- if (!_nm_crypto_init (error))
- return FALSE;
-
- success = _nm_crypto_verify_pkcs12 (data, data_len, NULL, &local);
- if (success == FALSE) {
- /* If the error was just a decryption error, then it's pkcs#12 */
- if (local) {
- if (g_error_matches (local, NM_CRYPTO_ERROR, NM_CRYPTO_ERROR_DECRYPTION_FAILED)) {
- success = TRUE;
- g_error_free (local);
- } else
- g_propagate_error (error, local);
- }
- }
- return success;
+ GError * local = NULL;
+ gboolean success;
+
+ if (!data_len) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("Certificate file is empty"));
+ return FALSE;
+ }
+
+ g_return_val_if_fail(data != NULL, FALSE);
+
+ if (!_nm_crypto_init(error))
+ return FALSE;
+
+ success = _nm_crypto_verify_pkcs12(data, data_len, NULL, &local);
+ if (success == FALSE) {
+ /* If the error was just a decryption error, then it's pkcs#12 */
+ if (local) {
+ if (g_error_matches(local, NM_CRYPTO_ERROR, NM_CRYPTO_ERROR_DECRYPTION_FAILED)) {
+ success = TRUE;
+ g_error_free(local);
+ } else
+ g_propagate_error(error, local);
+ }
+ }
+ return success;
}
gboolean
-nm_crypto_is_pkcs12_file (const char *file, GError **error)
+nm_crypto_is_pkcs12_file(const char *file, GError **error)
{
- nm_auto_clear_secret_ptr NMSecretPtr contents = { 0 };
+ nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
- g_return_val_if_fail (file != NULL, FALSE);
+ g_return_val_if_fail(file != NULL, FALSE);
- if (!_nm_crypto_init (error))
- return FALSE;
+ if (!_nm_crypto_init(error))
+ return FALSE;
- if (!file_read_contents (file, &contents, error))
- return FALSE;
+ if (!file_read_contents(file, &contents, error))
+ return FALSE;
- return nm_crypto_is_pkcs12_data (contents.bin, contents.len, error);
+ return nm_crypto_is_pkcs12_data(contents.bin, contents.len, error);
}
/* Verifies that a private key can be read, and if a password is given, that
* the private key can be decrypted with that password.
*/
NMCryptoFileFormat
-nm_crypto_verify_private_key_data (const guint8 *data,
- gsize data_len,
- const char *password,
- gboolean *out_is_encrypted,
- GError **error)
+nm_crypto_verify_private_key_data(const guint8 *data,
+ gsize data_len,
+ const char * password,
+ gboolean * out_is_encrypted,
+ GError ** error)
{
- NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
- gboolean is_encrypted = FALSE;
-
- g_return_val_if_fail (data != NULL, NM_CRYPTO_FILE_FORMAT_UNKNOWN);
- g_return_val_if_fail (out_is_encrypted == NULL || *out_is_encrypted == FALSE, NM_CRYPTO_FILE_FORMAT_UNKNOWN);
-
- if (!_nm_crypto_init (error))
- return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
-
- /* Check for PKCS#12 first */
- if (nm_crypto_is_pkcs12_data (data, data_len, NULL)) {
- is_encrypted = TRUE;
- if ( !password
- || _nm_crypto_verify_pkcs12 (data, data_len, password, error))
- format = NM_CRYPTO_FILE_FORMAT_PKCS12;
- } else {
- nm_auto_clear_secret_ptr NMSecretPtr parsed = { 0 };
-
- /* Maybe it's PKCS#8 */
- if (parse_pkcs8_key_file (data, data_len, &parsed, &is_encrypted, NULL)) {
- if ( !password
- || _nm_crypto_verify_pkcs8 (parsed.bin, parsed.len, is_encrypted, password, error))
- format = NM_CRYPTO_FILE_FORMAT_RAW_KEY;
- } else if (parse_tpm2_wrapped_key_file (data, data_len, &is_encrypted, NULL)) {
- format = NM_CRYPTO_FILE_FORMAT_RAW_KEY;
- } else {
- NMCryptoCipherType cipher;
- nm_auto_free_secret char *iv = NULL;
-
- /* Or it's old-style OpenSSL */
- if (parse_old_openssl_key_file (data, data_len, NULL, NULL, &cipher, &iv, NULL)) {
- format = NM_CRYPTO_FILE_FORMAT_RAW_KEY;
- is_encrypted = (cipher != NM_CRYPTO_CIPHER_UNKNOWN && iv);
- }
- }
- }
-
- if ( format == NM_CRYPTO_FILE_FORMAT_UNKNOWN
- && error
- && !*error) {
- g_set_error (error,
- NM_CRYPTO_ERROR,
- NM_CRYPTO_ERROR_INVALID_DATA,
- _("not a valid private key"));
- }
-
- if (out_is_encrypted)
- *out_is_encrypted = is_encrypted;
- return format;
+ NMCryptoFileFormat format = NM_CRYPTO_FILE_FORMAT_UNKNOWN;
+ gboolean is_encrypted = FALSE;
+
+ g_return_val_if_fail(data != NULL, NM_CRYPTO_FILE_FORMAT_UNKNOWN);
+ g_return_val_if_fail(out_is_encrypted == NULL || *out_is_encrypted == FALSE,
+ NM_CRYPTO_FILE_FORMAT_UNKNOWN);
+
+ if (!_nm_crypto_init(error))
+ return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
+
+ /* Check for PKCS#12 first */
+ if (nm_crypto_is_pkcs12_data(data, data_len, NULL)) {
+ is_encrypted = TRUE;
+ if (!password || _nm_crypto_verify_pkcs12(data, data_len, password, error))
+ format = NM_CRYPTO_FILE_FORMAT_PKCS12;
+ } else {
+ nm_auto_clear_secret_ptr NMSecretPtr parsed = {0};
+
+ /* Maybe it's PKCS#8 */
+ if (parse_pkcs8_key_file(data, data_len, &parsed, &is_encrypted, NULL)) {
+ if (!password
+ || _nm_crypto_verify_pkcs8(parsed.bin, parsed.len, is_encrypted, password, error))
+ format = NM_CRYPTO_FILE_FORMAT_RAW_KEY;
+ } else if (parse_tpm2_wrapped_key_file(data, data_len, &is_encrypted, NULL)) {
+ format = NM_CRYPTO_FILE_FORMAT_RAW_KEY;
+ } else {
+ NMCryptoCipherType cipher;
+ nm_auto_free_secret char *iv = NULL;
+
+ /* Or it's old-style OpenSSL */
+ if (parse_old_openssl_key_file(data, data_len, NULL, NULL, &cipher, &iv, NULL)) {
+ format = NM_CRYPTO_FILE_FORMAT_RAW_KEY;
+ is_encrypted = (cipher != NM_CRYPTO_CIPHER_UNKNOWN && iv);
+ }
+ }
+ }
+
+ if (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN && error && !*error) {
+ g_set_error(error,
+ NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ _("not a valid private key"));
+ }
+
+ if (out_is_encrypted)
+ *out_is_encrypted = is_encrypted;
+ return format;
}
NMCryptoFileFormat
-nm_crypto_verify_private_key (const char *filename,
- const char *password,
- gboolean *out_is_encrypted,
- GError **error)
+nm_crypto_verify_private_key(const char *filename,
+ const char *password,
+ gboolean * out_is_encrypted,
+ GError ** error)
{
- nm_auto_clear_secret_ptr NMSecretPtr contents = { 0 };
+ nm_auto_clear_secret_ptr NMSecretPtr contents = {0};
- g_return_val_if_fail (filename != NULL, NM_CRYPTO_FILE_FORMAT_UNKNOWN);
+ g_return_val_if_fail(filename != NULL, NM_CRYPTO_FILE_FORMAT_UNKNOWN);
- if (!_nm_crypto_init (error))
- return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
+ if (!_nm_crypto_init(error))
+ return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
- if (!file_read_contents (filename, &contents, error))
- return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
+ if (!file_read_contents(filename, &contents, error))
+ return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
- return nm_crypto_verify_private_key_data (contents.bin, contents.len, password, out_is_encrypted, error);
+ return nm_crypto_verify_private_key_data(contents.bin,
+ contents.len,
+ password,
+ out_is_encrypted,
+ error);
}
void
-nm_crypto_md5_hash (const guint8 *salt,
- gsize salt_len,
- const guint8 *password,
- gsize password_len,
- guint8 *buffer,
- gsize buflen)
+nm_crypto_md5_hash(const guint8 *salt,
+ gsize salt_len,
+ const guint8 *password,
+ gsize password_len,
+ guint8 * buffer,
+ gsize buflen)
{
- nm_auto_free_checksum GChecksum *ctx = NULL;
- nm_auto_clear_static_secret_ptr const NMSecretPtr digest = NM_SECRET_PTR_STATIC (NM_UTILS_CHECKSUM_LENGTH_MD5);
- gsize bufidx = 0;
- int i;
-
- g_return_if_fail (password_len == 0 || password);
- g_return_if_fail (buffer);
- g_return_if_fail (buflen > 0);
- g_return_if_fail (salt_len == 0 || salt);
-
- ctx = g_checksum_new (G_CHECKSUM_MD5);
-
- for (;;) {
- if (password_len > 0)
- g_checksum_update (ctx, (const guchar *) password, password_len);
- if (salt_len > 0)
- g_checksum_update (ctx, (const guchar *) salt, salt_len);
-
- nm_utils_checksum_get_digest_len (ctx, digest.bin, NM_UTILS_CHECKSUM_LENGTH_MD5);
-
- for (i = 0; i < NM_UTILS_CHECKSUM_LENGTH_MD5; i++) {
- if (bufidx >= buflen)
- return;
- buffer[bufidx++] = digest.bin[i];
- }
-
- g_checksum_reset (ctx);
- g_checksum_update (ctx, digest.ptr, NM_UTILS_CHECKSUM_LENGTH_MD5);
- }
+ nm_auto_free_checksum GChecksum * ctx = NULL;
+ nm_auto_clear_static_secret_ptr const NMSecretPtr digest =
+ NM_SECRET_PTR_STATIC(NM_UTILS_CHECKSUM_LENGTH_MD5);
+ gsize bufidx = 0;
+ int i;
+
+ g_return_if_fail(password_len == 0 || password);
+ g_return_if_fail(buffer);
+ g_return_if_fail(buflen > 0);
+ g_return_if_fail(salt_len == 0 || salt);
+
+ ctx = g_checksum_new(G_CHECKSUM_MD5);
+
+ for (;;) {
+ if (password_len > 0)
+ g_checksum_update(ctx, (const guchar *) password, password_len);
+ if (salt_len > 0)
+ g_checksum_update(ctx, (const guchar *) salt, salt_len);
+
+ nm_utils_checksum_get_digest_len(ctx, digest.bin, NM_UTILS_CHECKSUM_LENGTH_MD5);
+
+ for (i = 0; i < NM_UTILS_CHECKSUM_LENGTH_MD5; i++) {
+ if (bufidx >= buflen)
+ return;
+ buffer[bufidx++] = digest.bin[i];
+ }
+
+ g_checksum_reset(ctx);
+ g_checksum_update(ctx, digest.ptr, NM_UTILS_CHECKSUM_LENGTH_MD5);
+ }
}
gboolean
-nm_crypto_randomize (void *buffer, gsize buffer_len, GError **error)
+nm_crypto_randomize(void *buffer, gsize buffer_len, GError **error)
{
- return _nm_crypto_randomize (buffer, buffer_len, error);
+ return _nm_crypto_randomize(buffer, buffer_len, error);
}
-
/**
* nmtst_crypto_rsa_key_encrypt:
* @data: (array length=len): RSA private key data to be encrypted
@@ -963,93 +977,108 @@ nm_crypto_randomize (void *buffer, gsize buffer_len, GError **error)
* to a PEM-formatted certificate/private key file.
**/
GBytes *
-nmtst_crypto_rsa_key_encrypt (const guint8 *data,
- gsize len,
- const char *in_password,
- char **out_password,
- GError **error)
+nmtst_crypto_rsa_key_encrypt(const guint8 *data,
+ gsize len,
+ const char * in_password,
+ char ** out_password,
+ GError ** error)
{
- guint8 salt[8];
- nm_auto_clear_secret_ptr NMSecretPtr key = { 0 };
- nm_auto_clear_secret_ptr NMSecretPtr enc = { 0 };
- gs_unref_ptrarray GPtrArray *pem = NULL;
- nm_auto_free_secret char *tmp_password = NULL;
- nm_auto_free_secret char *enc_base64 = NULL;
- gsize enc_base64_len;
- const char *p;
- gsize ret_len, ret_idx;
- guint i;
- NMSecretBuf *ret;
-
- g_return_val_if_fail (data, NULL);
- g_return_val_if_fail (len > 0, NULL);
- g_return_val_if_fail (!out_password || !*out_password, NULL);
-
- /* Make the password if needed */
- if (!in_password) {
- nm_auto_clear_static_secret_ptr NMSecretPtr pw_buf = NM_SECRET_PTR_STATIC (32);
-
- if (!nm_crypto_randomize (pw_buf.bin, pw_buf.len, error))
- return NULL;
- tmp_password = nm_utils_bin2hexstr (pw_buf.bin, pw_buf.len, -1);
- in_password = tmp_password;
- }
-
- if (!nm_crypto_randomize (salt, sizeof (salt), error))
- return NULL;
-
- key.bin = nmtst_crypto_make_des_aes_key (NM_CRYPTO_CIPHER_DES_EDE3_CBC, salt, sizeof (salt), in_password, &key.len, NULL);
- if (!key.bin)
- g_return_val_if_reached (NULL);
-
- enc.bin = _nmtst_crypto_encrypt (NM_CRYPTO_CIPHER_DES_EDE3_CBC, data, len, salt, sizeof (salt), key.bin, key.len, &enc.len, error);
- if (!enc.bin)
- return NULL;
-
- /* What follows is not the most efficient way to construct the pem
+ guint8 salt[8];
+ nm_auto_clear_secret_ptr NMSecretPtr key = {0};
+ nm_auto_clear_secret_ptr NMSecretPtr enc = {0};
+ gs_unref_ptrarray GPtrArray *pem = NULL;
+ nm_auto_free_secret char * tmp_password = NULL;
+ nm_auto_free_secret char * enc_base64 = NULL;
+ gsize enc_base64_len;
+ const char * p;
+ gsize ret_len, ret_idx;
+ guint i;
+ NMSecretBuf * ret;
+
+ g_return_val_if_fail(data, NULL);
+ g_return_val_if_fail(len > 0, NULL);
+ g_return_val_if_fail(!out_password || !*out_password, NULL);
+
+ /* Make the password if needed */
+ if (!in_password) {
+ nm_auto_clear_static_secret_ptr NMSecretPtr pw_buf = NM_SECRET_PTR_STATIC(32);
+
+ if (!nm_crypto_randomize(pw_buf.bin, pw_buf.len, error))
+ return NULL;
+ tmp_password = nm_utils_bin2hexstr(pw_buf.bin, pw_buf.len, -1);
+ in_password = tmp_password;
+ }
+
+ if (!nm_crypto_randomize(salt, sizeof(salt), error))
+ return NULL;
+
+ key.bin = nmtst_crypto_make_des_aes_key(NM_CRYPTO_CIPHER_DES_EDE3_CBC,
+ salt,
+ sizeof(salt),
+ in_password,
+ &key.len,
+ NULL);
+ if (!key.bin)
+ g_return_val_if_reached(NULL);
+
+ enc.bin = _nmtst_crypto_encrypt(NM_CRYPTO_CIPHER_DES_EDE3_CBC,
+ data,
+ len,
+ salt,
+ sizeof(salt),
+ key.bin,
+ key.len,
+ &enc.len,
+ error);
+ if (!enc.bin)
+ return NULL;
+
+ /* What follows is not the most efficient way to construct the pem
* file line-by-line. At least, it makes sure, that the data will be cleared
* again and not left around in memory.
*
* If this would not be test code, we should improve the implementation
* to avoid some of the copying. */
- pem = g_ptr_array_new_with_free_func ((GDestroyNotify) nm_free_secret);
-
- g_ptr_array_add (pem, g_strdup ("-----BEGIN RSA PRIVATE KEY-----\n"));
- g_ptr_array_add (pem, g_strdup ("Proc-Type: 4,ENCRYPTED\n"));
-
- /* Convert the salt to a hex string */
- g_ptr_array_add (pem, g_strdup_printf ("DEK-Info: %s,",
- nm_crypto_cipher_get_info (NM_CRYPTO_CIPHER_DES_EDE3_CBC)->name));
- g_ptr_array_add (pem, nm_utils_bin2hexstr (salt, sizeof (salt), sizeof (salt) * 2));
- g_ptr_array_add (pem, g_strdup ("\n\n"));
-
- /* Convert the encrypted key to a base64 string */
- enc_base64 = g_base64_encode ((const guchar *) enc.bin, enc.len);
- enc_base64_len = strlen (enc_base64);
- for (p = enc_base64; (p - enc_base64) < (ptrdiff_t) enc_base64_len; p += 64) {
- g_ptr_array_add (pem, g_strndup (p, 64));
- g_ptr_array_add (pem, g_strdup ("\n"));
- }
-
- g_ptr_array_add (pem, g_strdup ("-----END RSA PRIVATE KEY-----\n"));
-
- ret_len = 0;
- for (i = 0; i < pem->len; i++)
- ret_len += strlen (pem->pdata[i]);
-
- ret = nm_secret_buf_new (ret_len + 1);
- ret_idx = 0;
- for (i = 0; i < pem->len; i++) {
- const char *line = pem->pdata[i];
- gsize line_l = strlen (line);
-
- memcpy (&ret->bin[ret_idx], line, line_l);
- ret_idx += line_l;
- nm_assert (ret_idx <= ret_len);
- }
- nm_assert (ret_idx == ret_len);
- ret->bin[ret_len] = '\0';
-
- NM_SET_OUT (out_password, g_strdup (tmp_password));
- return nm_secret_buf_to_gbytes_take (ret, ret_len);
+ pem = g_ptr_array_new_with_free_func((GDestroyNotify) nm_free_secret);
+
+ g_ptr_array_add(pem, g_strdup("-----BEGIN RSA PRIVATE KEY-----\n"));
+ g_ptr_array_add(pem, g_strdup("Proc-Type: 4,ENCRYPTED\n"));
+
+ /* Convert the salt to a hex string */
+ g_ptr_array_add(
+ pem,
+ g_strdup_printf("DEK-Info: %s,",
+ nm_crypto_cipher_get_info(NM_CRYPTO_CIPHER_DES_EDE3_CBC)->name));
+ g_ptr_array_add(pem, nm_utils_bin2hexstr(salt, sizeof(salt), sizeof(salt) * 2));
+ g_ptr_array_add(pem, g_strdup("\n\n"));
+
+ /* Convert the encrypted key to a base64 string */
+ enc_base64 = g_base64_encode((const guchar *) enc.bin, enc.len);
+ enc_base64_len = strlen(enc_base64);
+ for (p = enc_base64; (p - enc_base64) < (ptrdiff_t) enc_base64_len; p += 64) {
+ g_ptr_array_add(pem, g_strndup(p, 64));
+ g_ptr_array_add(pem, g_strdup("\n"));
+ }
+
+ g_ptr_array_add(pem, g_strdup("-----END RSA PRIVATE KEY-----\n"));
+
+ ret_len = 0;
+ for (i = 0; i < pem->len; i++)
+ ret_len += strlen(pem->pdata[i]);
+
+ ret = nm_secret_buf_new(ret_len + 1);
+ ret_idx = 0;
+ for (i = 0; i < pem->len; i++) {
+ const char *line = pem->pdata[i];
+ gsize line_l = strlen(line);
+
+ memcpy(&ret->bin[ret_idx], line, line_l);
+ ret_idx += line_l;
+ nm_assert(ret_idx <= ret_len);
+ }
+ nm_assert(ret_idx == ret_len);
+ ret->bin[ret_len] = '\0';
+
+ NM_SET_OUT(out_password, g_strdup(tmp_password));
+ return nm_secret_buf_to_gbytes_take(ret, ret_len);
}
View Lorry Controller Status