colin/NetworkManager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
08aabc2bee64d26986a3e15c49d6522cbede62a0
NetworkManager/libnm-util/crypto.h
Dan Williams 28e6523b8d libnm-util: rework certificate and private key handling 
First, it was not easily possible to set a private key without
also providing a password.  This used to be OK, but now with
secret flags it may be the case that when the connection is read,
there's no private key password.  So functions that set the
private key must account for NULL passwords.

Unfortunately, the crytpo code did not handle this case well.
We need to be able to independently (a) verify that a file looks
like a certificate or private key and (b) that a given password
decrypts a private key.  Previously the crypto code would fail
to verify the file when the password was NULL.

So this change fixes up the crytpo code for a more distinct
split between these two operations, such that if no password is
given, the file is still checked to ensure that it's a private
key or a certificate.  If a password is given, the password is
checked against the private key file.

This commit also changes how private keys and certificates were
handled with the BLOB scheme.  Previously only the first certificate
or first private key was included in the property data, while now
the entire file is encoded in the data.  This is intended to fix
cases where multiple private keys or certificates are present in
a PEM file.  It also allows clients to push certificate data to
NetworkManager for storage in system settings locations, which was
not as flexible before when only part of the certificate or key
was sent as the data.
2011-03-02 12:00:47 -06:00

140 lines
4.8 KiB
C
Raw Blame History

/* -*- Mode: C; tab-width: 4; indent-tabs-mode: t; c-basic-offset: 4 -*- */
/*
* Dan Williams <dcbw@redhat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the
* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA.
*
* (C) Copyright 2007 - 2011 Red Hat, Inc.
*/
#ifndef __CRYPTO_H__
#define __CRYPTO_H__
#include <glib.h>
#define MD5_HASH_LEN 20
#define CIPHER_DES_EDE3_CBC "DES-EDE3-CBC"
#define CIPHER_DES_CBC "DES-CBC"
enum {
NM_CRYPTO_ERR_NONE = 0,
NM_CRYPTO_ERR_INIT_FAILED,
NM_CRYPTO_ERR_CANT_READ_FILE,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERR_CERT_FORMAT_INVALID,
NM_CRYPTO_ERR_DECODE_FAILED,
NM_CRYPTO_ERR_OUT_OF_MEMORY,
NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
NM_CRYPTO_ERR_RAW_IV_INVALID,
NM_CRYPTO_ERR_MD5_INIT_FAILED,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERR_INVALID_PASSWORD,
NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED,
NM_CRYPTO_ERR_RANDOMIZE_FAILED
};
typedef enum {
NM_CRYPTO_KEY_TYPE_UNKNOWN = 0,
NM_CRYPTO_KEY_TYPE_RSA,
NM_CRYPTO_KEY_TYPE_DSA
} NMCryptoKeyType;
typedef enum {
NM_CRYPTO_FILE_FORMAT_UNKNOWN = 0,
NM_CRYPTO_FILE_FORMAT_X509,
NM_CRYPTO_FILE_FORMAT_RAW_KEY,
NM_CRYPTO_FILE_FORMAT_PKCS12
} NMCryptoFileFormat;
#define NM_CRYPTO_ERROR _nm_crypto_error_quark ()
GQuark _nm_crypto_error_quark (void);
gboolean crypto_init (GError **error);
void crypto_deinit (void);
GByteArray *crypto_decrypt_private_key_data (const GByteArray *contents,
const char *password,
NMCryptoKeyType *out_key_type,
GError **error);
GByteArray *crypto_decrypt_private_key (const char *file,
const char *password,
NMCryptoKeyType *out_key_type,
GError **error);
GByteArray *crypto_load_and_verify_certificate (const char *file,
NMCryptoFileFormat *out_file_format,
GError **error);
gboolean crypto_is_pkcs12_file (const char *file, GError **error);
gboolean crypto_is_pkcs12_data (const GByteArray *data);
NMCryptoFileFormat crypto_verify_private_key_data (const GByteArray *contents,
const char *password,
GError **error);
NMCryptoFileFormat crypto_verify_private_key (const char *file,
const char *password,
GError **error);
/* Internal utils API bits for crypto providers */
gboolean crypto_md5_hash (const char *salt,
const gsize salt_len,
const char *password,
gsize password_len,
char *buffer,
gsize buflen,
GError **error);
char * crypto_decrypt (const char *cipher,
int key_type,
GByteArray *data,
const char *iv,
const gsize iv_len,
const char *key,
const gsize key_len,
gsize *out_len,
GError **error);
char * crypto_encrypt (const char *cipher,
const GByteArray *data,
const char *iv,
gsize iv_len,
const char *key,
gsize key_len,
gsize *out_len,
GError **error);
gboolean crypto_randomize (void *buffer, gsize buffer_len, GError **error);
NMCryptoFileFormat crypto_verify_cert (const unsigned char *data,
gsize len,
GError **error);
gboolean crypto_verify_pkcs12 (const GByteArray *data,
const char *password,
GError **error);
#endif /* __CRYPTO_H__ */
Reference in New Issue View Git Blame Copy Permalink