From 0590bacaecdfb57d5289a2c3d0628424689353d1 Mon Sep 17 00:00:00 2001 |
|
From: Beniamino Galvani <bgalvani@redhat.com> |
|
Date: Mon, 27 Aug 2018 17:04:34 +0200 |
|
Subject: [PATCH] libnm-core: support private keys encrypted with |
|
AES-{192,256}-CBC |
|
|
|
https://github.com/NetworkManager/NetworkManager/pull/189 |
|
(cherry picked from commit 93f85edcce502cfa6d3676f58bf9e8e1a527ea53) |
|
(cherry picked from commit 74fc6f30b2fef3b8631128907e036bda88491970) |
|
--- |
|
Makefile.am | 3 +- |
|
libnm-core/crypto.c | 30 +++++++---- |
|
libnm-core/crypto.h | 6 ++- |
|
libnm-core/crypto_gnutls.c | 14 ++++- |
|
libnm-core/crypto_nss.c | 9 +++- |
|
...{test-aes-key.pem => test-aes-128-key.pem} | 0 |
|
libnm-core/tests/certs/test-aes-256-key.pem | 54 +++++++++++++++++++ |
|
libnm-core/tests/test-crypto.c | 7 ++- |
|
libnm-util/tests/test-crypto.c | 4 +- |
|
9 files changed, 106 insertions(+), 21 deletions(-) |
|
rename libnm-core/tests/certs/{test-aes-key.pem => test-aes-128-key.pem} (100%) |
|
create mode 100644 libnm-core/tests/certs/test-aes-256-key.pem |
|
|
|
diff --git a/Makefile.am b/Makefile.am |
|
index cdb5cfc9d..d86fa26c7 100644 |
|
--- a/Makefile.am |
|
+++ b/Makefile.am |
|
@@ -749,7 +749,8 @@ EXTRA_DIST += \ |
|
libnm-core/tests/certs/test2_ca_cert.pem \ |
|
libnm-core/tests/certs/test2-cert.p12 \ |
|
libnm-core/tests/certs/test2_key_and_cert.pem \ |
|
- libnm-core/tests/certs/test-aes-key.pem \ |
|
+ libnm-core/tests/certs/test-aes-128-key.pem \ |
|
+ libnm-core/tests/certs/test-aes-256-key.pem \ |
|
libnm-core/tests/certs/test_ca_cert.der \ |
|
libnm-core/tests/certs/test_ca_cert.pem \ |
|
libnm-core/tests/certs/test-ca-cert.pem \ |
|
diff --git a/libnm-core/crypto.c b/libnm-core/crypto.c |
|
index c4e48475f..319f8055f 100644 |
|
--- a/libnm-core/crypto.c |
|
+++ b/libnm-core/crypto.c |
|
@@ -158,7 +158,13 @@ parse_old_openssl_key_file (const guint8 *data, |
|
goto parse_error; |
|
} |
|
} else if (!strncmp (p, DEK_INFO_TAG, strlen (DEK_INFO_TAG))) { |
|
+ static const char *const known_ciphers[] = { CIPHER_DES_EDE3_CBC, |
|
+ CIPHER_DES_CBC, |
|
+ CIPHER_AES_128_CBC, |
|
+ CIPHER_AES_192_CBC, |
|
+ CIPHER_AES_256_CBC }; |
|
char *comma; |
|
+ guint i; |
|
|
|
if (enc_tags++ != 1 || str->len != 0) { |
|
g_set_error (error, NM_CRYPTO_ERROR, |
|
@@ -187,13 +193,13 @@ parse_old_openssl_key_file (const guint8 *data, |
|
iv = g_strdup (comma); |
|
|
|
/* Get the private key cipher */ |
|
- if (!strcasecmp (p, "DES-EDE3-CBC")) { |
|
- cipher = g_strdup (p); |
|
- } else if (!strcasecmp (p, "DES-CBC")) { |
|
- cipher = g_strdup (p); |
|
- } else if (!strcasecmp (p, "AES-128-CBC")) { |
|
- cipher = g_strdup (p); |
|
- } else { |
|
+ for (i = 0; i < G_N_ELEMENTS (known_ciphers); i++) { |
|
+ if (!g_ascii_strcasecmp (p, known_ciphers[i])) { |
|
+ cipher = g_strdup (known_ciphers[i]); |
|
+ break; |
|
+ } |
|
+ } |
|
+ if (i == G_N_ELEMENTS (known_ciphers)) { |
|
g_set_error (error, NM_CRYPTO_ERROR, |
|
NM_CRYPTO_ERROR_INVALID_DATA, |
|
_("Malformed PEM file: unknown private key cipher '%s'."), |
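Review bot: The normalisation the new loop performs is load-bearing and deserves a comment: the match is case-insensitive, but `cipher` is set from `known_ciphers[i]` rather than from `p`, and every later lookup visible in this patch (crypto_make_des_aes_key, the gnutls and nss crypto_decrypt/crypto_encrypt) compares with case-sensitive `strcmp` or NM_IN_STRSET against the CIPHER_* constants. Without that canonicalisation a lower-case `DEK-Info: aes-256-cbc` would be accepted here and then rejected as an unknown cipher further down. I would add above the loop: `/* Match case-insensitively, but store the canonical CIPHER_* spelling: the backends compare with strcmp(). */`. parse_old_openssl_key_file begins before this hunk, so the surrounding error handling is only partly visible here.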
|
@@ -383,12 +389,16 @@ crypto_make_des_aes_key (const char *cipher, |
|
g_return_val_if_fail (password != NULL, NULL); |
|
g_return_val_if_fail (out_len != NULL, NULL); |
|
|
|
- if (!strcmp (cipher, "DES-EDE3-CBC")) |
|
+ if (!strcmp (cipher, CIPHER_DES_EDE3_CBC)) |
|
digest_len = 24; |
|
- else if (!strcmp (cipher, "DES-CBC")) |
|
+ else if (!strcmp (cipher, CIPHER_DES_CBC)) |
|
digest_len = 8; |
|
- else if (!strcmp (cipher, "AES-128-CBC")) |
|
+ else if (!strcmp (cipher, CIPHER_AES_128_CBC)) |
|
digest_len = 16; |
|
+ else if (!strcmp (cipher, CIPHER_AES_192_CBC)) |
|
+ digest_len = 24; |
|
+ else if (!strcmp (cipher, CIPHER_AES_256_CBC)) |
|
+ digest_len = 32; |
|
else { |
|
g_set_error (error, NM_CRYPTO_ERROR, |
|
NM_CRYPTO_ERROR_UNKNOWN_CIPHER, |
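Review bot: `digest_len` is really the key size the named cipher requires, and the new 24/32 values rely on the derivation below this hunk producing that many bytes; the function body continues outside the hunk, so I cannot confirm from here that the MD5-based derivation is iterated enough times for a 32-byte AES-256 key (DES-EDE3-CBC already needs 24, so multi-block output presumably exists, and the added aes-256 test would catch it). A comment would make the intent explicit: `/* digest_len: key length in bytes required by the named cipher (AES-256 needs 32) */`. Separately, if this follows the traditional OpenSSL password-to-key scheme (MD5 over password and salt, no iteration count), a longer AES key does nothing to slow password guessing; a short comment saying that AES-192/256 here does not strengthen the passphrase step would keep readers from overestimating it.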
|
diff --git a/libnm-core/crypto.h b/libnm-core/crypto.h |
|
index e89f09193..d20d6f310 100644 |
|
--- a/libnm-core/crypto.h |
|
+++ b/libnm-core/crypto.h |
|
@@ -30,8 +30,10 @@ |
|
|
|
#define MD5_HASH_LEN 20 |
|
#define CIPHER_DES_EDE3_CBC "DES-EDE3-CBC" |
|
-#define CIPHER_DES_CBC "DES-CBC" |
|
-#define CIPHER_AES_CBC "AES-128-CBC" |
|
+#define CIPHER_DES_CBC "DES-CBC" |
|
+#define CIPHER_AES_128_CBC "AES-128-CBC" |
|
+#define CIPHER_AES_192_CBC "AES-192-CBC" |
|
+#define CIPHER_AES_256_CBC "AES-256-CBC" |
|
|
|
typedef enum { |
|
NM_CRYPTO_KEY_TYPE_UNKNOWN = 0, |
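Review bot: The CIPHER_AES_*_CBC strings are compared verbatim against the `DEK-Info:` header of traditional PEM files in parse_old_openssl_key_file and are what both backends switch on, so their spelling is part of the on-disk contract; a one-line comment above the group would stop a future tidy-up from silently breaking parsing: `/* Cipher names exactly as OpenSSL writes them in the PEM "DEK-Info:" header. */`. Dropping the old CIPHER_AES_CBC name is fine if this header is private to libnm-core, as it appears to be, but it is worth confirming nothing under libnm-util includes it, since that tree is only touched in its tests here.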
|
diff --git a/libnm-core/crypto_gnutls.c b/libnm-core/crypto_gnutls.c |
|
index 53a3ba4ad..49181ee72 100644 |
|
--- a/libnm-core/crypto_gnutls.c |
|
+++ b/libnm-core/crypto_gnutls.c |
|
@@ -82,9 +82,15 @@ crypto_decrypt (const char *cipher, |
|
} else if (!strcmp (cipher, CIPHER_DES_CBC)) { |
|
cipher_mech = GNUTLS_CIPHER_DES_CBC; |
|
real_iv_len = SALT_LEN; |
|
- } else if (!strcmp (cipher, CIPHER_AES_CBC)) { |
|
+ } else if (!strcmp (cipher, CIPHER_AES_128_CBC)) { |
|
cipher_mech = GNUTLS_CIPHER_AES_128_CBC; |
|
real_iv_len = 16; |
|
+ } else if (!strcmp (cipher, CIPHER_AES_192_CBC)) { |
|
+ cipher_mech = GNUTLS_CIPHER_AES_192_CBC; |
|
+ real_iv_len = 16; |
|
+ } else if (!strcmp (cipher, CIPHER_AES_256_CBC)) { |
|
+ cipher_mech = GNUTLS_CIPHER_AES_256_CBC; |
|
+ real_iv_len = 16; |
|
} else { |
|
g_set_error (error, NM_CRYPTO_ERROR, |
|
NM_CRYPTO_ERROR_UNKNOWN_CIPHER, |
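Review bot: The three AES branches differ only in `cipher_mech` and each repeats `real_iv_len = 16`, while the NSS backend in the same patch collapses the three names with NM_IN_STRSET; keeping the two backends parallel would make it harder to later change the IV length in one branch but not the others. The new branches are correct as far as visible, since AES has a 16-byte block for every key size, so the CBC IV is 16 bytes in all three cases, and a comment to that effect would help: `/* AES-128/192/256 share a 16-byte block, hence the same IV length */`. crypto_decrypt starts before this hunk, so where `real_iv_len` is checked against the IV parsed from DEK-Info is not visible here.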
|
@@ -189,8 +195,12 @@ crypto_encrypt (const char *cipher, |
|
|
|
if (!strcmp (cipher, CIPHER_DES_EDE3_CBC)) |
|
cipher_mech = GNUTLS_CIPHER_3DES_CBC; |
|
- else if (!strcmp (cipher, CIPHER_AES_CBC)) |
|
+ else if (!strcmp (cipher, CIPHER_AES_128_CBC)) |
|
cipher_mech = GNUTLS_CIPHER_AES_128_CBC; |
|
+ else if (!strcmp (cipher, CIPHER_AES_192_CBC)) |
|
+ cipher_mech = GNUTLS_CIPHER_AES_192_CBC; |
|
+ else if (!strcmp (cipher, CIPHER_AES_256_CBC)) |
|
+ cipher_mech = GNUTLS_CIPHER_AES_256_CBC; |
|
else { |
|
g_set_error (error, NM_CRYPTO_ERROR, |
|
NM_CRYPTO_ERROR_UNKNOWN_CIPHER, |
|
diff --git a/libnm-core/crypto_nss.c b/libnm-core/crypto_nss.c |
|
index 56e91e26f..9a0c43349 100644 |
|
--- a/libnm-core/crypto_nss.c |
|
+++ b/libnm-core/crypto_nss.c |
|
@@ -103,7 +103,9 @@ crypto_decrypt (const char *cipher, |
|
} else if (!strcmp (cipher, CIPHER_DES_CBC)) { |
|
cipher_mech = CKM_DES_CBC_PAD; |
|
real_iv_len = 8; |
|
- } else if (!strcmp (cipher, CIPHER_AES_CBC)) { |
|
+ } else if (NM_IN_STRSET (cipher, CIPHER_AES_128_CBC, |
|
+ CIPHER_AES_192_CBC, |
|
+ CIPHER_AES_256_CBC)) { |
|
cipher_mech = CKM_AES_CBC_PAD; |
|
real_iv_len = 16; |
|
} else { |
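Review bot: Mapping all three AES names to the single mechanism CKM_AES_CBC_PAD means the AES key size is no longer expressed here at all; it is implied solely by the length of the key material the caller derived (16/24/32 bytes in crypto_make_des_aes_key), and NSS, to my knowledge, picks AES-128/192/256 from the imported key length. That coupling is correct but invisible, and a mismatch would not surface as an "unknown cipher" error, so I would add: `/* AES-128/192/256 are distinguished by key length, not mechanism; the key length must match the cipher named in DEK-Info. */`. crypto_decrypt begins before the hunk, so whether the passed key length is validated against the cipher cannot be seen from here.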
|
@@ -269,7 +271,10 @@ crypto_encrypt (const char *cipher, |
|
|
|
if (!strcmp (cipher, CIPHER_DES_EDE3_CBC)) |
|
cipher_mech = CKM_DES3_CBC_PAD; |
|
- else if (!strcmp (cipher, CIPHER_AES_CBC)) |
|
+ else if (NM_IN_STRSET (cipher, |
|
+ CIPHER_AES_128_CBC, |
|
+ CIPHER_AES_192_CBC, |
|
+ CIPHER_AES_256_CBC)) |
|
cipher_mech = CKM_AES_CBC_PAD; |
|
else { |
|
g_set_error (error, NM_CRYPTO_ERROR, |
|
diff --git a/libnm-core/tests/certs/test-aes-key.pem b/libnm-core/tests/certs/test-aes-128-key.pem |
|
similarity index 100% |
|
rename from libnm-core/tests/certs/test-aes-key.pem |
|
rename to libnm-core/tests/certs/test-aes-128-key.pem |
|
diff --git a/libnm-core/tests/certs/test-aes-256-key.pem b/libnm-core/tests/certs/test-aes-256-key.pem |
|
new file mode 100644 |
|
index 000000000..e51bafd3d |
|
--- /dev/null |
|
+++ b/libnm-core/tests/certs/test-aes-256-key.pem |
|
@@ -0,0 +1,54 @@ |
|
+-----BEGIN RSA PRIVATE KEY----- |
|
+Proc-Type: 4,ENCRYPTED |
|
+DEK-Info: AES-256-CBC,5FF6BD2D4E57E8933D4A6814DEF5305A |
|
+ |
|
+9Br+xw6XOg7qUqfeE5PJ4g/PAm7eTcPMb4FzSKkaEosLo6oj4f37TwXuojJZeAmi |
|
+1EytpqM1vdYHCLdjg+qYaTIq6mzMZIyoaREokcOhcNrq5S0J39gJLVV9LjiXhCAH |
|
+GQgDBnbRT6HGz70AyTRLcW9aj6uBzTv/m92sLUw2txFeBXK8n2AA1oHJTgsFNYjf |
|
+/ZvTCE1VMQHDPx31Vn5WXSUHNc0hx4MTIwpHqWI17ohr8IiWCs5HXVfVaqrNeNEw |
|
+haD7fg8oNxjLs46/4dDWmfWXhDsMFSweZv03gZdyVjwn1IOqeVGmTdLpllfgOW7E |
|
++XE8Y/d55s5nkOxu6eXNMtWgjclKBGr2iMxxnODmEsUt2WcV98cPS+25o3hOfy3s |
|
+NIcfxtWVRFUtjqf3ragyGLuXFqATkj1slj4LVMeewRJ1g+Z6ti0mwBN+ZrYtKdec |
|
+FRNb4zr5FW+3SqkIIJVfxJEYJDB4zODhMg8tySEHLKuT0uz42YQ4aoOHTzO5WDBY |
|
+2BI7TjRppXcExPnkAk5jqbKA6BjT9KcAVyypfxDKvCeXKdjDcL6ISOBSm6cQBh8D |
|
+HxsFzMy9PF6kKNeiNiEsVPnKYvhvs1hTBtp+IAgJ6KZnCDKplZFxo/mBAlV2KyCT |
|
+x+Mhmme3fXdLJkvxlVJAoAhwgXvomVCVTGI3JhcQIqVgxPIKYpqlHVFC7JjG+yQX |
|
+tvzCPtr9G9+Ofrm6zXjlDD7zNyl/KfFtEWhO2ePHkQlCEuKJnsnRIf/wQ0viG0yY |
|
+MH31Z/84o2pKLBKY5fq8+eYuYoP9Rk4W2LpjGMvdkKhEHL26kZofeFyqD+JcaxHc |
|
+kQh7/SbWAsREGb9Jp7I2q1mo749mse1oSFIQa5gN3jB0mgHZd6edRYeW2Up+rqEK |
|
+k6Xd6uqs7bZd5W9sP7Cf6yJOFEjqFVLQEVEXWSchgeta/JNrjGr3UzLFN2S+vhvX |
|
+XgDa41y2UdXHRqj2s864u0ZDPyGXYZnVbvQn/8xHQ7rvxHowpTn+XXUEf0AQnk3j |
|
+9h++3McwP8GuVxkwc6o9TfOL+ell5jup7F3SekwEiE3hqY8x87g6X2zD5VSnfCy3 |
|
+0t0LmPGI1b3LABeYjA1WEdhoTlHrNLkwOR4gsudrJ5nxIzfGy+IHaloXLJy4YKfX |
|
+pJ+qyGRUR42YD9IhiEmmmO1VoJgVEYfBiz50Jg8emddku6eKdmv9IKjiSb2pTbDS |
|
+4oUYKg109OOn+krk67dNXofAXrBa8v7QusC0yz9N25H05Xyou1iqpGk+uBrTqEO6 |
|
+lW9lWQo57BQU9og40xMKH/xQgIxfQRktUKsPizj8mKil4izo5KgjPSqBeEbj+Q3c |
|
+0FKlrpTXQlXfX5Z5esqMuCSiwQEzoJR+V+SUaSVcg1av0k/CJMin4Cr8roai+OjK |
|
+lhaQIvx35Bzd02yERYsfpDjmQCXmIeiDm8JtB6znbQPUJ4d8kzWR+5ACOZW/dUss |
|
+YhWJRkZpkIwTY+/sDU4mnP2R37MNo+OH4CwZyUDHjlkRPGW+6JBEpnnlI9a/1Vb1 |
|
+pjAGpi/8u/luvZGTzCzxQG2dZc5YQR869U+wFsFbLRiD0aP2SpdOH0QxxPOcdR8+ |
|
+HWyL01BJBKyK/wZWJhe+63zlk1L5CA0XYpoNkYpMlPNZkcqR7QzUOATfuBgI2aPM |
|
+AXaweaAWhpPCDsc2RypIs9DhTiCCkt8tq8Au15hVUKAoshLeewPtv0t75MEC0hVB |
|
+z6FVnNlqq0cqqcSVqvUG6JUGtFOGgG3ifEMXggq5k12+wGzY63DLR8dFPNpOL6/1 |
|
+nocOayHJIU9M8PP817PzhAUAePRRUKRg8kkbKKeZnCJxoF7O15AFVEJnl9Vyokkz |
|
+bULYhzYVx3xh8THMi+5jsnKWPJyMeYHbHH3C658SIw6Ff9fgEWscv5ZkGYdKMg+l |
|
+8hBn+++SoqIO+F3lOGco+s8qlYox106lUwJEtORXcBxmkaHSo/X2AVO8Owt4vYli |
|
+mjWnY6V9vooBgOuCMcY780pcoj2lSf9JPHDYK0j8t5VumDUSLyLt+tCj0yv/vl5L |
|
+9L++vbu2akZRC9ChijYpfhTvXoG36ePhoT7AGGnhpFjjw1VqG80GY4XSODKzH86w |
|
+kUcZoErb8swUPYOtsybtuPb+6c/YofQ8GfpVosPZgSRD4+U7v+zA3/z8xF2B0xt6 |
|
+uV8hXbropuni8KmbFuKrPZK3p2v2aZ8F0+GITwS75/hbT6D7ruUSr5q4V0VKeE8G |
|
+k3QSI0s6+74stPv3S/ByCxu8q51ffYqVw00wzPpEc4SmHEa0R7IczJKXupmDdZZM |
|
+1rASSBNzS5TZDBXP6S7npYQ8nHhgXTdCFO7eM3bp24B/i2o0s7+gkKrz0DkEbv9I |
|
+UrCJjTL8OIIP4qSLMILzZ8pB28c+zyM482ZqFY/2b7j6WlTiqa9P1adrD1gLxTQ0 |
|
+Sw9xY+sY3PAJqcnPA5NjDZL/h5plgHhCqDa9pEtdBVG2Mxcl9bXbphwD1MIzj4gr |
|
+xtlW1HUJ/iOhFcXldOJ1MCt++Bm5av4mL5adQ/oUnL5Q0oZZFwqT09k7xe7lZ98N |
|
+uj2Lfl8NN7N3ama9KatgbX5g6IALuk/rJN/4KEiiu24m+lR7c5L0pg/cG6LIFjmk |
|
+HlTsc0ANCgeZBhDJ8kvjcXDhFOqoYE/+D2VO6ZEHRsDibQ+kjpaH+DiD01/gh0N0 |
|
+HM6GGtm3GbOyZUhw5OFz04xzcyFYo2xaqzgaZieAOcrt2s6XyPVf1gww08/HtTMR |
|
+gLg14MUQvRXV6kPJfdu4OLZ//b6J0KnzVyLDRdOrWIj2raLWmKwQN9qv05/yskcD |
|
+Y6x7wq3v6iZpFjDc53sslhwp2XRsoWT9X5alVspz8WvP/kqgkTdzpPFdp1vIovOQ |
|
+kRXdzzKICDGDJUIcTL8cJ3Dv4XqNR/sVyuB4dfndzQQApbdYTDNpwX0VJDBjMkQy |
|
+Up6aiUknxa6Cbp7b1ZfUQY8yNBAIZL+R8dmobT3nAHW61DaASHSxn+elCD2Ja/6b |
|
+EiWikskyN6crMAv35ILr5ySsZK97ttNNmRoGFbt8bTjRd83Ie+UfH445kCKsY83x |
|
+aDCvWm+bbV6M9rSgjhJ3bWOudiw+EBMGvSamSnS7CYnRmwq4t+4bM2sh2nYKY0qw |
|
+-----END RSA PRIVATE KEY----- |
|
diff --git a/libnm-core/tests/test-crypto.c b/libnm-core/tests/test-crypto.c |
|
index fb99ffea7..5fb26c1fc 100644 |
|
--- a/libnm-core/tests/test-crypto.c |
|
+++ b/libnm-core/tests/test-crypto.c |
|
@@ -476,8 +476,11 @@ main (int argc, char **argv) |
|
g_test_add_data_func ("/libnm/crypto/key/padding-8", |
|
"test2_key_and_cert.pem, 12345testing", |
|
test_key); |
|
- g_test_add_data_func ("/libnm/crypto/key/aes", |
|
- "test-aes-key.pem, test-aes-password", |
|
+ g_test_add_data_func ("/libnm/crypto/key/aes-128", |
|
+ "test-aes-128-key.pem, test-aes-password", |
|
+ test_key); |
|
+ g_test_add_data_func ("/libnm/crypto/key/aes-256", |
|
+ "test-aes-256-key.pem, test-aes-password", |
|
test_key); |
|
g_test_add_data_func ("/libnm/crypto/key/decrypted", |
|
"test-key-only-decrypted.pem", |
|
diff --git a/libnm-util/tests/test-crypto.c b/libnm-util/tests/test-crypto.c |
|
index 61bd97745..af6028a52 100644 |
|
--- a/libnm-util/tests/test-crypto.c |
|
+++ b/libnm-util/tests/test-crypto.c |
|
@@ -383,8 +383,8 @@ main (int argc, char **argv) |
|
g_test_add_data_func ("/libnm/crypto/key/padding-8", |
|
"test2_key_and_cert.pem, 12345testing", |
|
test_key); |
|
- g_test_add_data_func ("/libnm/crypto/key/aes", |
|
- "test-aes-key.pem, test-aes-password", |
|
+ g_test_add_data_func ("/libnm/crypto/key/aes-128", |
|
+ "test-aes-128-key.pem, test-aes-password", |
|
test_key); |
|
|
|
g_test_add_data_func ("/libnm/crypto/PKCS#12/1", |
|
-- |
|
2.17.1 |
|
|
|
|