Commit 8c35e96b authored by Dan Williams's avatar Dan Williams
Browse files

libnm-util: add nm_utils_rsa_key_encrypt() and fix crypto padding mixups

To be backwards compatible clients need to handle both paths to private
keys and the decrypted private key data, which is what used to get passed
in the private-key and phase2-private-key attributes of the 802.1x setting.
When moving a connection around between system-settings and user-settings,
if the private key is decrypted data, the settings service needs to store
that decrypted data somewhere so that the key can be sent to NM during
the connection process.

But we don't want to store the decrypted private key data, so we have to
re-encrypt it (possibly generating a private key password if one wasn't
sent with the decrypted data) and save it to disk, then send NM a path
to that private key during connection.

To help clients do this, and so that they don't have to carry around
multiple crypto implementations depending on whether they want to use
NSS or gnutls/gcrypt, add a helper to libnm-util.

Furthermore, I misunderstood a bunch of stuff with crypto padding when
writing the encrypt/decrypt functions long ago, so fix that up.  Don't
return padding as part of the decrypted data, and make sure to verify
the padding's expected lengths and values when decrypting.  Many thanks
to Nalin Dahyabhai for pointing me in the right direction.
parent a371951f
......@@ -18,7 +18,7 @@
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA.
*
* (C) Copyright 2007 - 2008 Red Hat, Inc.
* (C) Copyright 2007 - 2009 Red Hat, Inc.
*/
#include <glib.h>
......
......@@ -44,6 +44,8 @@ enum {
NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERR_INVALID_PASSWORD,
NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED,
NM_CRYPTO_ERR_RANDOMIZE_FAILED
};
typedef enum {
......@@ -108,6 +110,17 @@ char * crypto_decrypt (const char *cipher,
gsize *out_len,
GError **error);
char * crypto_encrypt (const char *cipher,
const GByteArray *data,
const char *iv,
gsize iv_len,
const char *key,
gsize key_len,
gsize *out_len,
GError **error);
gboolean crypto_randomize (void *buffer, gsize buffer_len, GError **error);
NMCryptoFileFormat crypto_verify_cert (const unsigned char *data,
gsize len,
GError **error);
......
/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
/* NetworkManager Wireless Applet -- Display wireless access points and allow user control
*
* Dan Williams <dcbw@redhat.com>
......@@ -17,7 +18,7 @@
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA.
*
* (C) Copyright 2007 - 2008 Red Hat, Inc.
* (C) Copyright 2007 - 2009 Red Hat, Inc.
*/
#include <glib.h>
......@@ -30,6 +31,8 @@
#include "crypto.h"
#define SALT_LEN 8
static gboolean initialized = FALSE;
gboolean
......@@ -76,7 +79,7 @@ crypto_md5_hash (const char *salt,
char *p = buffer;
if (salt)
g_return_val_if_fail (salt_len >= 8, FALSE);
g_return_val_if_fail (salt_len >= SALT_LEN, FALSE);
g_return_val_if_fail (password != NULL, FALSE);
g_return_val_if_fail (password_len > 0, FALSE);
......@@ -99,7 +102,7 @@ crypto_md5_hash (const char *salt,
gcry_md_write (ctx, digest, digest_len);
gcry_md_write (ctx, password, password_len);
if (salt)
gcry_md_write (ctx, salt, 8); /* Only use 8 bytes of salt */
gcry_md_write (ctx, salt, SALT_LEN); /* Only use 8 bytes of salt */
gcry_md_final (ctx);
memcpy (digest, gcry_md_read (ctx, 0), digest_len);
gcry_md_reset (ctx);
......@@ -131,13 +134,15 @@ crypto_decrypt (const char *cipher,
int cipher_mech, i;
char *output = NULL;
gboolean success = FALSE;
gsize pad_len;
gsize pad_len, real_iv_len;
if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
if (!strcmp (cipher, CIPHER_DES_EDE3_CBC)) {
cipher_mech = GCRY_CIPHER_3DES;
else if (!strcmp (cipher, CIPHER_DES_CBC))
real_iv_len = SALT_LEN;
} else if (!strcmp (cipher, CIPHER_DES_CBC)) {
cipher_mech = GCRY_CIPHER_DES;
else {
real_iv_len = SALT_LEN;
} else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
......@@ -145,7 +150,15 @@ crypto_decrypt (const char *cipher,
return NULL;
}
output = g_malloc0 (data->len + 1);
if (iv_len < real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_RAW_IV_INVALID,
_("Invalid IV length (must be at least %zd)."),
real_iv_len);
return NULL;
}
output = g_malloc0 (data->len);
if (!output) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_OUT_OF_MEMORY,
......@@ -190,6 +203,14 @@ crypto_decrypt (const char *cipher,
}
pad_len = output[data->len - 1];
/* Check if the padding at the end of the decrypted data is valid */
if (pad_len == 0 || pad_len > real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
_("Failed to decrypt the private key: unexpected padding length."));
goto out;
}
/* Validate tail padding; last byte is the padding size, and all pad bytes
* should contain the padding size.
*/
......@@ -203,7 +224,6 @@ crypto_decrypt (const char *cipher,
}
*out_len = data->len - pad_len;
output[*out_len] = '\0';
success = TRUE;
out:
......@@ -219,6 +239,113 @@ out:
return output;
}
char *
crypto_encrypt (const char *cipher,
const GByteArray *data,
const char *iv,
const gsize iv_len,
const char *key,
gsize key_len,
gsize *out_len,
GError **error)
{
gcry_cipher_hd_t ctx;
gcry_error_t err;
int cipher_mech;
char *output = NULL;
gboolean success = FALSE;
gsize padded_buf_len, pad_len, output_len;
char *padded_buf = NULL;
guint32 i;
if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
cipher_mech = GCRY_CIPHER_3DES;
else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
}
/* If data->len % ivlen == 0, then we add another complete block
* onto the end so that the decrypter knows there's padding.
*/
pad_len = iv_len - (data->len % iv_len);
output_len = padded_buf_len = data->len + pad_len;
padded_buf = g_malloc0 (padded_buf_len);
memcpy (padded_buf, data->data, data->len);
for (i = 0; i < pad_len; i++)
padded_buf[data->len + i] = (guint8) (pad_len & 0xFF);
output = g_malloc0 (output_len);
if (!output) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_OUT_OF_MEMORY,
_("Could not allocate memory for encrypting."));
return NULL;
}
err = gcry_cipher_open (&ctx, cipher_mech, GCRY_CIPHER_MODE_CBC, 0);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
_("Failed to initialize the encryption cipher context: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
}
err = gcry_cipher_setkey (ctx, key, key_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
_("Failed to set symmetric key for encryption: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
}
/* gcrypt only wants 8 bytes of the IV (same as the DES block length) */
err = gcry_cipher_setiv (ctx, iv, SALT_LEN);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
_("Failed to set IV for encryption: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
}
err = gcry_cipher_encrypt (ctx, output, output_len, padded_buf, padded_buf_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
_("Failed to encrypt the data: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
}
*out_len = output_len;
success = TRUE;
out:
if (padded_buf) {
memset (padded_buf, 0, padded_buf_len);
g_free (padded_buf);
padded_buf = NULL;
}
if (!success) {
if (output) {
/* Don't expose key material */
memset (output, 0, output_len);
g_free (output);
output = NULL;
}
}
gcry_cipher_close (ctx);
return output;
}
NMCryptoFileFormat
crypto_verify_cert (const unsigned char *data,
gsize len,
......@@ -312,3 +439,10 @@ out:
return success;
}
gboolean
crypto_randomize (void *buffer, gsize buffer_len, GError **error)
{
gcry_randomize (buffer, buffer_len, GCRY_STRONG_RANDOM);
return TRUE;
}
......@@ -18,7 +18,7 @@
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA.
*
* (C) Copyright 2007 - 2008 Red Hat, Inc.
* (C) Copyright 2007 - 2009 Red Hat, Inc.
*/
#include "config.h"
......@@ -147,8 +147,7 @@ crypto_decrypt (const char *cipher,
GError **error)
{
char *output = NULL;
int tmp1_len = 0;
unsigned int tmp2_len = 0;
int decrypted_len = 0;
CK_MECHANISM_TYPE cipher_mech;
PK11SlotInfo *slot = NULL;
SECItem key_item;
......@@ -157,13 +156,16 @@ crypto_decrypt (const char *cipher,
PK11Context *ctx = NULL;
SECStatus s;
gboolean success = FALSE;
gsize len;
unsigned int pad_len = 0;
guint32 i, real_iv_len = 0;
if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
if (!strcmp (cipher, CIPHER_DES_EDE3_CBC)) {
cipher_mech = CKM_DES3_CBC_PAD;
else if (!strcmp (cipher, CIPHER_DES_CBC))
real_iv_len = 8;
} else if (!strcmp (cipher, CIPHER_DES_CBC)) {
cipher_mech = CKM_DES_CBC_PAD;
else {
real_iv_len = 8;
} else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
......@@ -171,7 +173,15 @@ crypto_decrypt (const char *cipher,
return NULL;
}
output = g_malloc0 (data->len + 1);
if (iv_len < real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_RAW_IV_INVALID,
_("Invalid IV length (must be at least %d)."),
real_iv_len);
return NULL;
}
output = g_malloc0 (data->len);
if (!output) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_OUT_OF_MEMORY,
......@@ -198,7 +208,7 @@ crypto_decrypt (const char *cipher,
}
key_item.data = (unsigned char *) iv;
key_item.len = iv_len;
key_item.len = real_iv_len;
sec_param = PK11_ParamFromIV (cipher_mech, &key_item);
if (!sec_param) {
g_set_error (error, NM_CRYPTO_ERROR,
......@@ -217,7 +227,7 @@ crypto_decrypt (const char *cipher,
s = PK11_CipherOp (ctx,
(unsigned char *) output,
&tmp1_len,
&decrypted_len,
data->len,
data->data,
data->len);
......@@ -229,10 +239,17 @@ crypto_decrypt (const char *cipher,
goto out;
}
if (decrypted_len > data->len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
_("Failed to decrypt the private key: decrypted data too large."));
goto out;
}
s = PK11_DigestFinal (ctx,
(unsigned char *) (output + tmp1_len),
&tmp2_len,
data->len - tmp1_len);
(unsigned char *) (output + decrypted_len),
&pad_len,
data->len - decrypted_len);
if (s != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
......@@ -240,12 +257,29 @@ crypto_decrypt (const char *cipher,
PORT_GetError ());
goto out;
}
len = tmp1_len + tmp2_len;
if (len > data->len)
pad_len = data->len - decrypted_len;
/* Check if the padding at the end of the decrypted data is valid */
if (pad_len == 0 || pad_len > real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
_("Failed to decrypt the private key: unexpected padding length."));
goto out;
}
*out_len = len;
output[*out_len] = '\0';
/* Validate tail padding; last byte is the padding size, and all pad bytes
* should contain the padding size.
*/
for (i = 1; i <= pad_len; ++i) {
if (output[data->len - i] != pad_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
_("Failed to decrypt the private key."));
goto out;
}
}
*out_len = decrypted_len;
success = TRUE;
out:
......@@ -269,6 +303,134 @@ out:
return output;
}
char *
crypto_encrypt (const char *cipher,
const GByteArray *data,
const char *iv,
gsize iv_len,
const char *key,
gsize key_len,
gsize *out_len,
GError **error)
{
SECStatus ret;
CK_MECHANISM_TYPE cipher_mech = CKM_DES3_CBC_PAD;
PK11SlotInfo *slot = NULL;
SECItem key_item = { .data = (unsigned char *) key, .len = key_len };
SECItem iv_item = { .data = (unsigned char *) iv, .len = iv_len };
PK11SymKey *sym_key = NULL;
SECItem *sec_param = NULL;
PK11Context *ctx = NULL;
unsigned char *output, *padded_buf;
gsize output_len;
int encrypted_len = 0, i;
gboolean success = FALSE;
gsize padded_buf_len, pad_len;
if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
cipher_mech = CKM_DES3_CBC_PAD;
else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
}
/* If data->len % ivlen == 0, then we add another complete block
* onto the end so that the decrypter knows there's padding.
*/
pad_len = iv_len - (data->len % iv_len);
output_len = padded_buf_len = data->len + pad_len;
padded_buf = g_malloc0 (padded_buf_len);
memcpy (padded_buf, data->data, data->len);
for (i = 0; i < pad_len; i++)
padded_buf[data->len + i] = (guint8) (pad_len & 0xFF);
output = g_malloc0 (output_len);
if (!output) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_OUT_OF_MEMORY,
_("Could not allocate memory for encrypting."));
return NULL;
}
slot = PK11_GetBestSlot (cipher_mech, NULL);
if (!slot) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
_("Failed to initialize the encryption cipher slot."));
goto out;
}
sym_key = PK11_ImportSymKey (slot, cipher_mech, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, NULL);
if (!sym_key) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
_("Failed to set symmetric key for encryption."));
goto out;
}
sec_param = PK11_ParamFromIV (cipher_mech, &iv_item);
if (!sec_param) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
_("Failed to set IV for encryption."));
goto out;
}
ctx = PK11_CreateContextBySymKey (cipher_mech, CKA_ENCRYPT, sym_key, sec_param);
if (!ctx) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
_("Failed to initialize the encryption context."));
goto out;
}
ret = PK11_CipherOp (ctx, output, &encrypted_len, output_len, padded_buf, padded_buf_len);
if (ret != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED,
_("Failed to encrypt: %d."),
PORT_GetError ());
goto out;
}
if (encrypted_len != output_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED,
_("Unexpected amount of data after encrypting."));
goto out;
}
*out_len = encrypted_len;
success = TRUE;
out:
if (ctx)
PK11_DestroyContext (ctx, PR_TRUE);
if (sym_key)
PK11_FreeSymKey (sym_key);
if (sec_param)
SECITEM_FreeItem (sec_param, PR_TRUE);
if (slot)
PK11_FreeSlot (slot);
if (padded_buf) {
memset (padded_buf, 0, padded_buf_len);
g_free (padded_buf);
padded_buf = NULL;
}
if (!success) {
memset (output, 0, output_len);
g_free (output);
output = NULL;
}
return (char *) output;
}
NMCryptoFileFormat
crypto_verify_cert (const unsigned char *data,
gsize len,
......@@ -382,3 +544,18 @@ error:
return FALSE;
}
gboolean
crypto_randomize (void *buffer, gsize buffer_len, GError **error)
{
SECStatus s;
s = PK11_GenerateRandom (buffer, buffer_len);
if (s != SECSuccess) {
g_set_error_literal (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_RANDOMIZE_FAILED,
_("Could not generate random data."));
return FALSE;
}
return TRUE;
}
......@@ -322,6 +322,7 @@ global:
nm_setting_olpc_mesh_get_channel;
nm_setting_olpc_mesh_get_dhcp_anycast_address;
nm_utils_deinit;
nm_utils_rsa_key_encrypt;
nm_utils_escape_ssid;
nm_utils_gvalue_hash_dup;
nm_utils_init;
......
......@@ -21,7 +21,7 @@
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA.
*
* (C) Copyright 2005 - 2008 Red Hat, Inc.
* (C) Copyright 2005 - 2009 Red Hat, Inc.
*/
#include <string.h>
......@@ -34,6 +34,7 @@
#include <glib.h>
#include <glib-object.h>
#include <glib/gi18n.h>
#include <dbus/dbus-glib.h>
#include <uuid/uuid.h>
......@@ -1498,3 +1499,205 @@ out:
return buf;
}
static char *
make_key (const char *salt,
const gsize salt_len,
const char *password,
gsize *out_len,
GError **error)
{
char *key;
guint32 digest_len = 24; /* DES-EDE3-CBC */
g_return_val_if_fail (salt != NULL, NULL);
g_return_val_if_fail (salt_len >= 8, NULL);
g_return_val_if_fail (password != NULL, NULL);
g_return_val_if_fail (out_len != NULL, NULL);
key = g_malloc0 (digest_len + 1);
if (!key) {
g_set_error (error,
NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_OUT_OF_MEMORY,
_("Not enough memory to make encryption key."));
return NULL;
}
if (!crypto_md5_hash (salt, salt_len, password, strlen (password), key, digest_len, error)) {
*out_len = 0;
memset (key, 0, digest_len);
g_free (key);
key = NULL;
} else
*out_len = digest_len;
return key;
}
/*
* utils_bin2hexstr
*
* Convert a byte-array into a hexadecimal string.
*
* Code originally by Alex Larsson <alexl@redhat.com> and
* copyright Red Hat, Inc. under terms of the LGPL.
*
*/
static char *
utils_bin2hexstr (const char *bytes, int len, int final_len)
{
static char hex_digits[] = "0123456789abcdef";
char *result;
int i;
gsize buflen = (len * 2) + 1;
g_return_val_if_fail (bytes != NULL, NULL);
g_return_val_if_fail (len > 0, NULL);
g_return_val_if_fail (len < 4096, NULL); /* Arbitrary limit */
if (final_len > -1)
g_return_val_if_fail (final_len < buflen, NULL);