Commit 93f85edc authored by Beniamino Galvani's avatar Beniamino Galvani

libnm-core: support private keys encrypted with AES-{192,256}-CBC

https://github.com/NetworkManager/NetworkManager/pull/189
parent e763a07a
...@@ -805,7 +805,8 @@ EXTRA_DIST += \ ...@@ -805,7 +805,8 @@ EXTRA_DIST += \
libnm-core/tests/certs/test2_ca_cert.pem \ libnm-core/tests/certs/test2_ca_cert.pem \
libnm-core/tests/certs/test2-cert.p12 \ libnm-core/tests/certs/test2-cert.p12 \
libnm-core/tests/certs/test2_key_and_cert.pem \ libnm-core/tests/certs/test2_key_and_cert.pem \
libnm-core/tests/certs/test-aes-key.pem \ libnm-core/tests/certs/test-aes-128-key.pem \
libnm-core/tests/certs/test-aes-256-key.pem \
libnm-core/tests/certs/test_ca_cert.der \ libnm-core/tests/certs/test_ca_cert.der \
libnm-core/tests/certs/test_ca_cert.pem \ libnm-core/tests/certs/test_ca_cert.pem \
libnm-core/tests/certs/test-ca-cert.pem \ libnm-core/tests/certs/test-ca-cert.pem \
......
...@@ -158,7 +158,13 @@ parse_old_openssl_key_file (const guint8 *data, ...@@ -158,7 +158,13 @@ parse_old_openssl_key_file (const guint8 *data,
goto parse_error; goto parse_error;
} }
} else if (!strncmp (p, DEK_INFO_TAG, strlen (DEK_INFO_TAG))) { } else if (!strncmp (p, DEK_INFO_TAG, strlen (DEK_INFO_TAG))) {
static const char *const known_ciphers[] = { CIPHER_DES_EDE3_CBC,
CIPHER_DES_CBC,
CIPHER_AES_128_CBC,
CIPHER_AES_192_CBC,
CIPHER_AES_256_CBC };
char *comma; char *comma;
guint i;
if (enc_tags++ != 1 || str->len != 0) { if (enc_tags++ != 1 || str->len != 0) {
g_set_error (error, NM_CRYPTO_ERROR, g_set_error (error, NM_CRYPTO_ERROR,
...@@ -187,13 +193,13 @@ parse_old_openssl_key_file (const guint8 *data, ...@@ -187,13 +193,13 @@ parse_old_openssl_key_file (const guint8 *data,
iv = g_strdup (comma); iv = g_strdup (comma);
/* Get the private key cipher */ /* Get the private key cipher */
if (!strcasecmp (p, "DES-EDE3-CBC")) { for (i = 0; i < G_N_ELEMENTS (known_ciphers); i++) {
cipher = g_strdup (p); if (!g_ascii_strcasecmp (p, known_ciphers[i])) {
} else if (!strcasecmp (p, "DES-CBC")) { cipher = g_strdup (known_ciphers[i]);
cipher = g_strdup (p); break;
} else if (!strcasecmp (p, "AES-128-CBC")) { }
cipher = g_strdup (p); }
} else { if (i == G_N_ELEMENTS (known_ciphers)) {
g_set_error (error, NM_CRYPTO_ERROR, g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERROR_INVALID_DATA, NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: unknown private key cipher '%s'."), _("Malformed PEM file: unknown private key cipher '%s'."),
...@@ -383,12 +389,16 @@ crypto_make_des_aes_key (const char *cipher, ...@@ -383,12 +389,16 @@ crypto_make_des_aes_key (const char *cipher,
g_return_val_if_fail (password != NULL, NULL); g_return_val_if_fail (password != NULL, NULL);
g_return_val_if_fail (out_len != NULL, NULL); g_return_val_if_fail (out_len != NULL, NULL);
if (!strcmp (cipher, "DES-EDE3-CBC")) if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
digest_len = 24; digest_len = 24;
else if (!strcmp (cipher, "DES-CBC")) else if (!strcmp (cipher, CIPHER_DES_CBC))
digest_len = 8; digest_len = 8;
else if (!strcmp (cipher, "AES-128-CBC")) else if (!strcmp (cipher, CIPHER_AES_128_CBC))
digest_len = 16; digest_len = 16;
else if (!strcmp (cipher, CIPHER_AES_192_CBC))
digest_len = 24;
else if (!strcmp (cipher, CIPHER_AES_256_CBC))
digest_len = 32;
else { else {
g_set_error (error, NM_CRYPTO_ERROR, g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERROR_UNKNOWN_CIPHER, NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
......
...@@ -30,8 +30,10 @@ ...@@ -30,8 +30,10 @@
#define MD5_HASH_LEN 20 #define MD5_HASH_LEN 20
#define CIPHER_DES_EDE3_CBC "DES-EDE3-CBC" #define CIPHER_DES_EDE3_CBC "DES-EDE3-CBC"
#define CIPHER_DES_CBC "DES-CBC" #define CIPHER_DES_CBC "DES-CBC"
#define CIPHER_AES_CBC "AES-128-CBC" #define CIPHER_AES_128_CBC "AES-128-CBC"
#define CIPHER_AES_192_CBC "AES-192-CBC"
#define CIPHER_AES_256_CBC "AES-256-CBC"
typedef enum { typedef enum {
NM_CRYPTO_KEY_TYPE_UNKNOWN = 0, NM_CRYPTO_KEY_TYPE_UNKNOWN = 0,
......
...@@ -82,9 +82,15 @@ crypto_decrypt (const char *cipher, ...@@ -82,9 +82,15 @@ crypto_decrypt (const char *cipher,
} else if (!strcmp (cipher, CIPHER_DES_CBC)) { } else if (!strcmp (cipher, CIPHER_DES_CBC)) {
cipher_mech = GNUTLS_CIPHER_DES_CBC; cipher_mech = GNUTLS_CIPHER_DES_CBC;
real_iv_len = SALT_LEN; real_iv_len = SALT_LEN;
} else if (!strcmp (cipher, CIPHER_AES_CBC)) { } else if (!strcmp (cipher, CIPHER_AES_128_CBC)) {
cipher_mech = GNUTLS_CIPHER_AES_128_CBC; cipher_mech = GNUTLS_CIPHER_AES_128_CBC;
real_iv_len = 16; real_iv_len = 16;
} else if (!strcmp (cipher, CIPHER_AES_192_CBC)) {
cipher_mech = GNUTLS_CIPHER_AES_192_CBC;
real_iv_len = 16;
} else if (!strcmp (cipher, CIPHER_AES_256_CBC)) {
cipher_mech = GNUTLS_CIPHER_AES_256_CBC;
real_iv_len = 16;
} else { } else {
g_set_error (error, NM_CRYPTO_ERROR, g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERROR_UNKNOWN_CIPHER, NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
...@@ -189,8 +195,12 @@ crypto_encrypt (const char *cipher, ...@@ -189,8 +195,12 @@ crypto_encrypt (const char *cipher,
if (!strcmp (cipher, CIPHER_DES_EDE3_CBC)) if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
cipher_mech = GNUTLS_CIPHER_3DES_CBC; cipher_mech = GNUTLS_CIPHER_3DES_CBC;
else if (!strcmp (cipher, CIPHER_AES_CBC)) else if (!strcmp (cipher, CIPHER_AES_128_CBC))
cipher_mech = GNUTLS_CIPHER_AES_128_CBC; cipher_mech = GNUTLS_CIPHER_AES_128_CBC;
else if (!strcmp (cipher, CIPHER_AES_192_CBC))
cipher_mech = GNUTLS_CIPHER_AES_192_CBC;
else if (!strcmp (cipher, CIPHER_AES_256_CBC))
cipher_mech = GNUTLS_CIPHER_AES_256_CBC;
else { else {
g_set_error (error, NM_CRYPTO_ERROR, g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERROR_UNKNOWN_CIPHER, NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
......
...@@ -103,7 +103,9 @@ crypto_decrypt (const char *cipher, ...@@ -103,7 +103,9 @@ crypto_decrypt (const char *cipher,
} else if (!strcmp (cipher, CIPHER_DES_CBC)) { } else if (!strcmp (cipher, CIPHER_DES_CBC)) {
cipher_mech = CKM_DES_CBC_PAD; cipher_mech = CKM_DES_CBC_PAD;
real_iv_len = 8; real_iv_len = 8;
} else if (!strcmp (cipher, CIPHER_AES_CBC)) { } else if (NM_IN_STRSET (cipher, CIPHER_AES_128_CBC,
CIPHER_AES_192_CBC,
CIPHER_AES_256_CBC)) {
cipher_mech = CKM_AES_CBC_PAD; cipher_mech = CKM_AES_CBC_PAD;
real_iv_len = 16; real_iv_len = 16;
} else { } else {
...@@ -269,7 +271,10 @@ crypto_encrypt (const char *cipher, ...@@ -269,7 +271,10 @@ crypto_encrypt (const char *cipher,
if (!strcmp (cipher, CIPHER_DES_EDE3_CBC)) if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
cipher_mech = CKM_DES3_CBC_PAD; cipher_mech = CKM_DES3_CBC_PAD;
else if (!strcmp (cipher, CIPHER_AES_CBC)) else if (NM_IN_STRSET (cipher,
CIPHER_AES_128_CBC,
CIPHER_AES_192_CBC,
CIPHER_AES_256_CBC))
cipher_mech = CKM_AES_CBC_PAD; cipher_mech = CKM_AES_CBC_PAD;
else { else {
g_set_error (error, NM_CRYPTO_ERROR, g_set_error (error, NM_CRYPTO_ERROR,
......
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,5FF6BD2D4E57E8933D4A6814DEF5305A
9Br+xw6XOg7qUqfeE5PJ4g/PAm7eTcPMb4FzSKkaEosLo6oj4f37TwXuojJZeAmi
1EytpqM1vdYHCLdjg+qYaTIq6mzMZIyoaREokcOhcNrq5S0J39gJLVV9LjiXhCAH
GQgDBnbRT6HGz70AyTRLcW9aj6uBzTv/m92sLUw2txFeBXK8n2AA1oHJTgsFNYjf
/ZvTCE1VMQHDPx31Vn5WXSUHNc0hx4MTIwpHqWI17ohr8IiWCs5HXVfVaqrNeNEw
haD7fg8oNxjLs46/4dDWmfWXhDsMFSweZv03gZdyVjwn1IOqeVGmTdLpllfgOW7E
+XE8Y/d55s5nkOxu6eXNMtWgjclKBGr2iMxxnODmEsUt2WcV98cPS+25o3hOfy3s
NIcfxtWVRFUtjqf3ragyGLuXFqATkj1slj4LVMeewRJ1g+Z6ti0mwBN+ZrYtKdec
FRNb4zr5FW+3SqkIIJVfxJEYJDB4zODhMg8tySEHLKuT0uz42YQ4aoOHTzO5WDBY
2BI7TjRppXcExPnkAk5jqbKA6BjT9KcAVyypfxDKvCeXKdjDcL6ISOBSm6cQBh8D
HxsFzMy9PF6kKNeiNiEsVPnKYvhvs1hTBtp+IAgJ6KZnCDKplZFxo/mBAlV2KyCT
x+Mhmme3fXdLJkvxlVJAoAhwgXvomVCVTGI3JhcQIqVgxPIKYpqlHVFC7JjG+yQX
tvzCPtr9G9+Ofrm6zXjlDD7zNyl/KfFtEWhO2ePHkQlCEuKJnsnRIf/wQ0viG0yY
MH31Z/84o2pKLBKY5fq8+eYuYoP9Rk4W2LpjGMvdkKhEHL26kZofeFyqD+JcaxHc
kQh7/SbWAsREGb9Jp7I2q1mo749mse1oSFIQa5gN3jB0mgHZd6edRYeW2Up+rqEK
k6Xd6uqs7bZd5W9sP7Cf6yJOFEjqFVLQEVEXWSchgeta/JNrjGr3UzLFN2S+vhvX
XgDa41y2UdXHRqj2s864u0ZDPyGXYZnVbvQn/8xHQ7rvxHowpTn+XXUEf0AQnk3j
9h++3McwP8GuVxkwc6o9TfOL+ell5jup7F3SekwEiE3hqY8x87g6X2zD5VSnfCy3
0t0LmPGI1b3LABeYjA1WEdhoTlHrNLkwOR4gsudrJ5nxIzfGy+IHaloXLJy4YKfX
pJ+qyGRUR42YD9IhiEmmmO1VoJgVEYfBiz50Jg8emddku6eKdmv9IKjiSb2pTbDS
4oUYKg109OOn+krk67dNXofAXrBa8v7QusC0yz9N25H05Xyou1iqpGk+uBrTqEO6
lW9lWQo57BQU9og40xMKH/xQgIxfQRktUKsPizj8mKil4izo5KgjPSqBeEbj+Q3c
0FKlrpTXQlXfX5Z5esqMuCSiwQEzoJR+V+SUaSVcg1av0k/CJMin4Cr8roai+OjK
lhaQIvx35Bzd02yERYsfpDjmQCXmIeiDm8JtB6znbQPUJ4d8kzWR+5ACOZW/dUss
YhWJRkZpkIwTY+/sDU4mnP2R37MNo+OH4CwZyUDHjlkRPGW+6JBEpnnlI9a/1Vb1
pjAGpi/8u/luvZGTzCzxQG2dZc5YQR869U+wFsFbLRiD0aP2SpdOH0QxxPOcdR8+
HWyL01BJBKyK/wZWJhe+63zlk1L5CA0XYpoNkYpMlPNZkcqR7QzUOATfuBgI2aPM
AXaweaAWhpPCDsc2RypIs9DhTiCCkt8tq8Au15hVUKAoshLeewPtv0t75MEC0hVB
z6FVnNlqq0cqqcSVqvUG6JUGtFOGgG3ifEMXggq5k12+wGzY63DLR8dFPNpOL6/1
nocOayHJIU9M8PP817PzhAUAePRRUKRg8kkbKKeZnCJxoF7O15AFVEJnl9Vyokkz
bULYhzYVx3xh8THMi+5jsnKWPJyMeYHbHH3C658SIw6Ff9fgEWscv5ZkGYdKMg+l
8hBn+++SoqIO+F3lOGco+s8qlYox106lUwJEtORXcBxmkaHSo/X2AVO8Owt4vYli
mjWnY6V9vooBgOuCMcY780pcoj2lSf9JPHDYK0j8t5VumDUSLyLt+tCj0yv/vl5L
9L++vbu2akZRC9ChijYpfhTvXoG36ePhoT7AGGnhpFjjw1VqG80GY4XSODKzH86w
kUcZoErb8swUPYOtsybtuPb+6c/YofQ8GfpVosPZgSRD4+U7v+zA3/z8xF2B0xt6
uV8hXbropuni8KmbFuKrPZK3p2v2aZ8F0+GITwS75/hbT6D7ruUSr5q4V0VKeE8G
k3QSI0s6+74stPv3S/ByCxu8q51ffYqVw00wzPpEc4SmHEa0R7IczJKXupmDdZZM
1rASSBNzS5TZDBXP6S7npYQ8nHhgXTdCFO7eM3bp24B/i2o0s7+gkKrz0DkEbv9I
UrCJjTL8OIIP4qSLMILzZ8pB28c+zyM482ZqFY/2b7j6WlTiqa9P1adrD1gLxTQ0
Sw9xY+sY3PAJqcnPA5NjDZL/h5plgHhCqDa9pEtdBVG2Mxcl9bXbphwD1MIzj4gr
xtlW1HUJ/iOhFcXldOJ1MCt++Bm5av4mL5adQ/oUnL5Q0oZZFwqT09k7xe7lZ98N
uj2Lfl8NN7N3ama9KatgbX5g6IALuk/rJN/4KEiiu24m+lR7c5L0pg/cG6LIFjmk
HlTsc0ANCgeZBhDJ8kvjcXDhFOqoYE/+D2VO6ZEHRsDibQ+kjpaH+DiD01/gh0N0
HM6GGtm3GbOyZUhw5OFz04xzcyFYo2xaqzgaZieAOcrt2s6XyPVf1gww08/HtTMR
gLg14MUQvRXV6kPJfdu4OLZ//b6J0KnzVyLDRdOrWIj2raLWmKwQN9qv05/yskcD
Y6x7wq3v6iZpFjDc53sslhwp2XRsoWT9X5alVspz8WvP/kqgkTdzpPFdp1vIovOQ
kRXdzzKICDGDJUIcTL8cJ3Dv4XqNR/sVyuB4dfndzQQApbdYTDNpwX0VJDBjMkQy
Up6aiUknxa6Cbp7b1ZfUQY8yNBAIZL+R8dmobT3nAHW61DaASHSxn+elCD2Ja/6b
EiWikskyN6crMAv35ILr5ySsZK97ttNNmRoGFbt8bTjRd83Ie+UfH445kCKsY83x
aDCvWm+bbV6M9rSgjhJ3bWOudiw+EBMGvSamSnS7CYnRmwq4t+4bM2sh2nYKY0qw
-----END RSA PRIVATE KEY-----
...@@ -476,8 +476,11 @@ main (int argc, char **argv) ...@@ -476,8 +476,11 @@ main (int argc, char **argv)
g_test_add_data_func ("/libnm/crypto/key/padding-8", g_test_add_data_func ("/libnm/crypto/key/padding-8",
"test2_key_and_cert.pem, 12345testing", "test2_key_and_cert.pem, 12345testing",
test_key); test_key);
g_test_add_data_func ("/libnm/crypto/key/aes", g_test_add_data_func ("/libnm/crypto/key/aes-128",
"test-aes-key.pem, test-aes-password", "test-aes-128-key.pem, test-aes-password",
test_key);
g_test_add_data_func ("/libnm/crypto/key/aes-256",
"test-aes-256-key.pem, test-aes-password",
test_key); test_key);
g_test_add_data_func ("/libnm/crypto/key/decrypted", g_test_add_data_func ("/libnm/crypto/key/decrypted",
"test-key-only-decrypted.pem", "test-key-only-decrypted.pem",
......
...@@ -383,8 +383,8 @@ main (int argc, char **argv) ...@@ -383,8 +383,8 @@ main (int argc, char **argv)
g_test_add_data_func ("/libnm/crypto/key/padding-8", g_test_add_data_func ("/libnm/crypto/key/padding-8",
"test2_key_and_cert.pem, 12345testing", "test2_key_and_cert.pem, 12345testing",
test_key); test_key);
g_test_add_data_func ("/libnm/crypto/key/aes", g_test_add_data_func ("/libnm/crypto/key/aes-128",
"test-aes-key.pem, test-aes-password", "test-aes-128-key.pem, test-aes-password",
test_key); test_key);
g_test_add_data_func ("/libnm/crypto/PKCS#12/1", g_test_add_data_func ("/libnm/crypto/PKCS#12/1",
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment