crypto_gnutls.c 11.7 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
/* NetworkManager Wireless Applet -- Display wireless access points and allow user control
 *
 * Dan Williams <dcbw@redhat.com>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the
 * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 * Boston, MA 02110-1301 USA.
 *
21
 * Copyright 2007 - 2015 Red Hat, Inc.
22 23
 */

24
#include "nm-default.h"
25

26
#include <gnutls/gnutls.h>
27
#include <gnutls/crypto.h>
28 29 30 31
#include <gnutls/x509.h>
#include <gnutls/pkcs12.h>

#include "crypto.h"
32
#include "nm-errors.h"
33 34 35 36 37 38 39 40 41 42 43 44 45

#define SALT_LEN 8

static gboolean initialized = FALSE;

gboolean
crypto_init (GError **error)
{
	if (initialized)
		return TRUE;

	if (gnutls_global_init() != 0) {
		gnutls_global_deinit();
46 47 48
		g_set_error_literal (error, NM_CRYPTO_ERROR,
		                     NM_CRYPTO_ERROR_FAILED,
		                     _("Failed to initialize the crypto engine."));
49 50 51 52 53 54 55 56 57 58
		return FALSE;
	}

	initialized = TRUE;
	return TRUE;
}

char *
crypto_decrypt (const char *cipher,
                int key_type,
59 60
                const guint8 *data,
                gsize data_len,
61 62 63 64 65 66 67
                const char *iv,
                const gsize iv_len,
                const char *key,
                const gsize key_len,
                gsize *out_len,
                GError **error)
{
68 69 70
	gnutls_cipher_hd_t ctx;
	gnutls_datum_t key_dt, iv_dt;
	int err;
71 72 73 74 75
	int cipher_mech, i;
	char *output = NULL;
	gboolean success = FALSE;
	gsize pad_len, real_iv_len;

76 77 78
	if (!crypto_init (error))
		return NULL;

79
	if (!strcmp (cipher, CIPHER_DES_EDE3_CBC)) {
80
		cipher_mech = GNUTLS_CIPHER_3DES_CBC;
81 82
		real_iv_len = SALT_LEN;
	} else if (!strcmp (cipher, CIPHER_DES_CBC)) {
83
		cipher_mech = GNUTLS_CIPHER_DES_CBC;
84
		real_iv_len = SALT_LEN;
85
	} else if (!strcmp (cipher, CIPHER_AES_128_CBC)) {
86
		cipher_mech = GNUTLS_CIPHER_AES_128_CBC;
87
		real_iv_len = 16;
88 89 90 91 92 93
	} else if (!strcmp (cipher, CIPHER_AES_192_CBC)) {
		cipher_mech = GNUTLS_CIPHER_AES_192_CBC;
		real_iv_len = 16;
	} else if (!strcmp (cipher, CIPHER_AES_256_CBC)) {
		cipher_mech = GNUTLS_CIPHER_AES_256_CBC;
		real_iv_len = 16;
94 95
	} else {
		g_set_error (error, NM_CRYPTO_ERROR,
96
		             NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
97 98 99 100 101 102 103
		             _("Private key cipher '%s' was unknown."),
		             cipher);
		return NULL;
	}

	if (iv_len < real_iv_len) {
		g_set_error (error, NM_CRYPTO_ERROR,
104
		             NM_CRYPTO_ERROR_INVALID_DATA,
105 106 107 108 109
		             _("Invalid IV length (must be at least %zd)."),
		             real_iv_len);
		return NULL;
	}

110
	output = g_malloc0 (data_len);
111

112 113 114 115
	key_dt.data = (unsigned char *) key;
	key_dt.size = key_len;
	iv_dt.data = (unsigned char *) iv;
	iv_dt.size = iv_len;
116

117 118
	err = gnutls_cipher_init (&ctx, cipher_mech, &key_dt, &iv_dt);
	if (err < 0) {
119
		g_set_error (error, NM_CRYPTO_ERROR,
120
		             NM_CRYPTO_ERROR_DECRYPTION_FAILED,
121 122
		             _("Failed to initialize the decryption cipher context: %s (%s)"),
		             gnutls_strerror_name (err), gnutls_strerror (err));
123 124 125
		goto out;
	}

126 127
	err = gnutls_cipher_decrypt2 (ctx, data, data_len, output, data_len);
	if (err < 0) {
128
		g_set_error (error, NM_CRYPTO_ERROR,
129
		             NM_CRYPTO_ERROR_DECRYPTION_FAILED,
130 131
		             _("Failed to decrypt the private key: %s (%s)"),
		             gnutls_strerror_name (err), gnutls_strerror (err));
132 133
		goto out;
	}
134
	pad_len = output[data_len - 1];
135 136 137 138

	/* Check if the padding at the end of the decrypted data is valid */
	if (pad_len == 0 || pad_len > real_iv_len) {
		g_set_error (error, NM_CRYPTO_ERROR,
139
		             NM_CRYPTO_ERROR_DECRYPTION_FAILED,
140 141 142 143 144 145 146 147
		             _("Failed to decrypt the private key: unexpected padding length."));
		goto out;
	}

	/* Validate tail padding; last byte is the padding size, and all pad bytes
	 * should contain the padding size.
	 */
	for (i = 1; i <= pad_len; ++i) {
148
		if (output[data_len - i] != pad_len) {
149
			g_set_error (error, NM_CRYPTO_ERROR,
150
			             NM_CRYPTO_ERROR_DECRYPTION_FAILED,
151 152 153 154 155
			             _("Failed to decrypt the private key."));
			goto out;
		}
	}

156
	*out_len = data_len - pad_len;
157 158 159 160 161 162
	success = TRUE;

out:
	if (!success) {
		if (output) {
			/* Don't expose key material */
163
			memset (output, 0, data_len);
164 165 166 167
			g_free (output);
			output = NULL;
		}
	}
168
	gnutls_cipher_deinit (ctx);
169 170 171 172 173
	return output;
}

char *
crypto_encrypt (const char *cipher,
174 175
                const guint8 *data,
                gsize data_len,
176 177 178 179 180 181 182
                const char *iv,
                const gsize iv_len,
                const char *key,
                gsize key_len,
                gsize *out_len,
                GError **error)
{
183 184 185
	gnutls_cipher_hd_t ctx;
	gnutls_datum_t key_dt, iv_dt;
	int err;
186 187 188 189 190 191 192
	int cipher_mech;
	char *output = NULL;
	gboolean success = FALSE;
	gsize padded_buf_len, pad_len, output_len;
	char *padded_buf = NULL;
	guint32 i;

193 194 195
	if (!crypto_init (error))
		return NULL;

196
	if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
197
		cipher_mech = GNUTLS_CIPHER_3DES_CBC;
198
	else if (!strcmp (cipher, CIPHER_AES_128_CBC))
199
		cipher_mech = GNUTLS_CIPHER_AES_128_CBC;
200 201 202 203
	else if (!strcmp (cipher, CIPHER_AES_192_CBC))
		cipher_mech = GNUTLS_CIPHER_AES_192_CBC;
	else if (!strcmp (cipher, CIPHER_AES_256_CBC))
		cipher_mech = GNUTLS_CIPHER_AES_256_CBC;
204
	else {
205
		g_set_error (error, NM_CRYPTO_ERROR,
206
		             NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
207 208 209 210 211
		             _("Private key cipher '%s' was unknown."),
		             cipher);
		return NULL;
	}

212
	/* If data_len % ivlen == 0, then we add another complete block
213 214
	 * onto the end so that the decrypter knows there's padding.
	 */
215 216
	pad_len = iv_len - (data_len % iv_len);
	output_len = padded_buf_len = data_len + pad_len;
217 218
	padded_buf = g_malloc0 (padded_buf_len);

219
	memcpy (padded_buf, data, data_len);
220
	for (i = 0; i < pad_len; i++)
221
		padded_buf[data_len + i] = (guint8) (pad_len & 0xFF);
222 223 224

	output = g_malloc0 (output_len);

225 226 227 228
	key_dt.data = (unsigned char *) key;
	key_dt.size = key_len;
	iv_dt.data = (unsigned char *) iv;
	iv_dt.size = iv_len;
229

230 231
	err = gnutls_cipher_init (&ctx, cipher_mech, &key_dt, &iv_dt);
	if (err < 0) {
232
		g_set_error (error, NM_CRYPTO_ERROR,
233
		             NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
234 235
		             _("Failed to initialize the encryption cipher context: %s (%s)"),
		             gnutls_strerror_name (err), gnutls_strerror (err));
236 237 238
		goto out;
	}

239 240
	err = gnutls_cipher_encrypt2 (ctx, padded_buf, padded_buf_len, output, output_len);
	if (err < 0) {
241
		g_set_error (error, NM_CRYPTO_ERROR,
242
		             NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
243 244
		             _("Failed to encrypt the data: %s (%s)"),
		             gnutls_strerror_name (err), gnutls_strerror (err));
245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265
		goto out;
	}

	*out_len = output_len;
	success = TRUE;

out:
	if (padded_buf) {
		memset (padded_buf, 0, padded_buf_len);
		g_free (padded_buf);
		padded_buf = NULL;
	}

	if (!success) {
		if (output) {
			/* Don't expose key material */
			memset (output, 0, output_len);
			g_free (output);
			output = NULL;
		}
	}
266
	gnutls_cipher_deinit (ctx);
267 268 269 270 271 272 273 274 275 276 277 278
	return output;
}

NMCryptoFileFormat
crypto_verify_cert (const unsigned char *data,
                    gsize len,
                    GError **error)
{
	gnutls_x509_crt_t der;
	gnutls_datum_t dt;
	int err;

279 280 281
	if (!crypto_init (error))
		return NM_CRYPTO_FILE_FORMAT_UNKNOWN;

282 283 284
	err = gnutls_x509_crt_init (&der);
	if (err < 0) {
		g_set_error (error, NM_CRYPTO_ERROR,
285
		             NM_CRYPTO_ERROR_INVALID_DATA,
286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306
		             _("Error initializing certificate data: %s"),
		             gnutls_strerror (err));
		return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
	}

	/* Try DER first */
	dt.data = (unsigned char *) data;
	dt.size = len;
	err = gnutls_x509_crt_import (der, &dt, GNUTLS_X509_FMT_DER);
	if (err == GNUTLS_E_SUCCESS) {
		gnutls_x509_crt_deinit (der);
		return NM_CRYPTO_FILE_FORMAT_X509;
	}

	/* And PEM next */
	err = gnutls_x509_crt_import (der, &dt, GNUTLS_X509_FMT_PEM);
	gnutls_x509_crt_deinit (der);
	if (err == GNUTLS_E_SUCCESS)
		return NM_CRYPTO_FILE_FORMAT_X509;

	g_set_error (error, NM_CRYPTO_ERROR,
307
	             NM_CRYPTO_ERROR_INVALID_DATA,
308 309 310 311 312 313
	             _("Couldn't decode certificate: %s"),
	             gnutls_strerror (err));
	return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
}

gboolean
314 315
crypto_verify_pkcs12 (const guint8 *data,
                      gsize data_len,
316 317 318 319 320 321 322 323 324 325
                      const char *password,
                      GError **error)
{
	gnutls_pkcs12_t p12;
	gnutls_datum_t dt;
	gboolean success = FALSE;
	int err;

	g_return_val_if_fail (data != NULL, FALSE);

326 327 328
	if (!crypto_init (error))
		return FALSE;

329 330
	dt.data = (unsigned char *) data;
	dt.size = data_len;
331 332 333 334

	err = gnutls_pkcs12_init (&p12);
	if (err < 0) {
		g_set_error (error, NM_CRYPTO_ERROR,
335
		             NM_CRYPTO_ERROR_FAILED,
336 337 338 339 340 341 342 343 344 345 346 347
		             _("Couldn't initialize PKCS#12 decoder: %s"),
		             gnutls_strerror (err));
		return FALSE;
	}

	/* DER first */
	err = gnutls_pkcs12_import (p12, &dt, GNUTLS_X509_FMT_DER, 0);
	if (err < 0) {
		/* PEM next */
		err = gnutls_pkcs12_import (p12, &dt, GNUTLS_X509_FMT_PEM, 0);
		if (err < 0) {
			g_set_error (error, NM_CRYPTO_ERROR,
348
			             NM_CRYPTO_ERROR_INVALID_DATA,
349 350 351 352 353 354 355 356 357 358 359
			             _("Couldn't decode PKCS#12 file: %s"),
			             gnutls_strerror (err));
			goto out;
		}
	}

	err = gnutls_pkcs12_verify_mac (p12, password);
	if (err == GNUTLS_E_SUCCESS)
		success = TRUE;
	else {
		g_set_error (error, NM_CRYPTO_ERROR,
360
		             NM_CRYPTO_ERROR_DECRYPTION_FAILED,
361 362 363 364 365 366 367 368 369 370
		             _("Couldn't verify PKCS#12 file: %s"),
		             gnutls_strerror (err));
	}

out:
	gnutls_pkcs12_deinit (p12);
	return success;
}

gboolean
371 372
crypto_verify_pkcs8 (const guint8 *data,
                     gsize data_len,
373 374 375 376 377 378 379 380 381 382
                     gboolean is_encrypted,
                     const char *password,
                     GError **error)
{
	gnutls_x509_privkey_t p8;
	gnutls_datum_t dt;
	int err;

	g_return_val_if_fail (data != NULL, FALSE);

383 384 385
	if (!crypto_init (error))
		return FALSE;

386 387
	dt.data = (unsigned char *) data;
	dt.size = data_len;
388 389 390 391

	err = gnutls_x509_privkey_init (&p8);
	if (err < 0) {
		g_set_error (error, NM_CRYPTO_ERROR,
392
		             NM_CRYPTO_ERROR_FAILED,
393 394 395 396 397 398 399 400 401 402 403 404 405 406
		             _("Couldn't initialize PKCS#8 decoder: %s"),
		             gnutls_strerror (err));
		return FALSE;
	}

	err = gnutls_x509_privkey_import_pkcs8 (p8,
	                                        &dt,
	                                        GNUTLS_X509_FMT_DER,
	                                        is_encrypted ? password : NULL,
	                                        is_encrypted ? 0 : GNUTLS_PKCS_PLAIN);
	gnutls_x509_privkey_deinit (p8);

	if (err < 0) {
		if (err == GNUTLS_E_UNKNOWN_CIPHER_TYPE) {
407
			/* HACK: gnutls < 3.5.4 doesn't support all the cipher types that openssl
408 409 410 411 412 413 414
			 * can use with PKCS#8, so if we encounter one, we have to assume
			 * the given password works.  gnutls needs to unsuckify, apparently.
			 * Specifically, by default openssl uses pbeWithMD5AndDES-CBC
			 * which gnutls does not support.
			 */
		} else {
			g_set_error (error, NM_CRYPTO_ERROR,
415
			             NM_CRYPTO_ERROR_INVALID_DATA,
416 417 418 419 420 421 422 423 424 425 426 427
			             _("Couldn't decode PKCS#8 file: %s"),
			             gnutls_strerror (err));
			return FALSE;
		}
	}

	return TRUE;
}

gboolean
crypto_randomize (void *buffer, gsize buffer_len, GError **error)
{
428 429 430
	if (!crypto_init (error))
		return FALSE;

431
	gnutls_rnd (GNUTLS_RND_RANDOM, buffer, buffer_len);
432 433
	return TRUE;
}