fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2026-01-03 04:40:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

libnm-core: fix up/simplify NMCryptoError

Browse source 
Many of NMCryptoError's codes would basically never be useful for
programs to distinguish between. Streamline the codes, and fix the
enumeration member names to start with "NM_CRYPTO_ERROR_" rather than
"NM_CRYPTO_ERR_".
This commit is contained in:
Dan Winship 2014-10-15 12:44:13 -04:00
parent 2d8e7bd247
commit 663a06b6d9
4 changed files with 84 additions and 101 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

47
libnm-core/crypto.c
View file

@ -117,12 +117,7 @@ parse_old_openssl_key_file (const guint8 *data,
end_tag = PEM_DSA_KEY_END;
break;
default:
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE,
"Unknown key type %d",
key_type);
g_assert_not_reached ();
return NULL;
}
if (!find_tag (start_tag, data, data_len, 0, &start))
@ -131,7 +126,7 @@ parse_old_openssl_key_file (const guint8 *data,
start += strlen (start_tag);
if (!find_tag (end_tag, data, data_len, start, &end)) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("PEM key file had no end tag '%s'."),
end_tag);
goto parse_error;
@ -144,7 +139,7 @@ parse_old_openssl_key_file (const guint8 *data,
if (!lines || g_strv_length (lines) <= 1) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Doesn't look like a PEM private key file."));
goto parse_error;
}
@ -161,7 +156,7 @@ parse_old_openssl_key_file (const guint8 *data,
if (!strncmp (p, PROC_TYPE_TAG, strlen (PROC_TYPE_TAG))) {
if (enc_tags++ != 0) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: Proc-Type was not first tag."));
goto parse_error;
}
@ -169,7 +164,7 @@ parse_old_openssl_key_file (const guint8 *data,
p += strlen (PROC_TYPE_TAG);
if (strcmp (p, "4,ENCRYPTED")) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: unknown Proc-Type tag '%s'."),
p);
goto parse_error;
@ -179,7 +174,7 @@ parse_old_openssl_key_file (const guint8 *data,
if (enc_tags++ != 1) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: DEK-Info was not the second tag."));
goto parse_error;
}
@ -190,14 +185,14 @@ parse_old_openssl_key_file (const guint8 *data,
comma = strchr (p, ',');
if (!comma || (*(comma + 1) == '\0')) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: no IV found in DEK-Info tag."));
goto parse_error;
}
*comma++ = '\0';
if (!g_ascii_isxdigit (*comma)) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: invalid format of IV in DEK-Info tag."));
goto parse_error;
}
@ -212,7 +207,7 @@ parse_old_openssl_key_file (const guint8 *data,
cipher = g_strdup (p);
} else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: unknown private key cipher '%s'."),
p);
goto parse_error;
@ -220,7 +215,7 @@ parse_old_openssl_key_file (const guint8 *data,
} else {
if ((enc_tags != 0) && (enc_tags != 2)) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
"Malformed PEM file: both Proc-Type and DEK-Info tags are required.");
goto parse_error;
}
@ -231,7 +226,7 @@ parse_old_openssl_key_file (const guint8 *data,
tmp = g_base64_decode (str->str, &tmp_len);
if (tmp == NULL || !tmp_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_DECODE_FAILED,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Could not decode private key."));
goto parse_error;
}
@ -284,7 +279,7 @@ parse_pkcs8_key_file (const guint8 *data,
encrypted = FALSE;
} else {
g_set_error_literal (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Failed to find expected PKCS#8 start tag."));
return NULL;
}
@ -292,7 +287,7 @@ parse_pkcs8_key_file (const guint8 *data,
start += strlen (start_tag);
if (!find_tag (end_tag, data, data_len, start, &end)) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Failed to find expected PKCS#8 end tag '%s'."),
end_tag);
return NULL;
@ -311,7 +306,7 @@ parse_pkcs8_key_file (const guint8 *data,
*out_encrypted = encrypted;
} else {
g_set_error_literal (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_DECODE_FAILED,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Failed to decode PKCS#8 private key."));
}
@ -353,7 +348,7 @@ convert_iv (const char *src,
num = strlen (src);
if (num % 2) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_RAW_IV_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("IV must be an even number of bytes in length."));
return NULL;
}
@ -367,7 +362,7 @@ convert_iv (const char *src,
conv[1] = src[(i * 2) + 1];
if (!g_ascii_isxdigit (conv[0]) || !g_ascii_isxdigit (conv[1])) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_RAW_IV_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("IV contains non-hexadecimal digits."));
goto error;
}
@ -407,7 +402,7 @@ make_des_aes_key (const char *cipher,
digest_len = 16;
else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
@ -519,7 +514,7 @@ crypto_decrypt_private_key_data (const guint8 *data,
if (!parsed) {
g_clear_error (error);
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Unable to determine private key type."));
}
}
@ -576,7 +571,7 @@ extract_pem_cert_data (GByteArray *contents, GError **error)
if (!find_tag (PEM_CERT_BEGIN, contents->data, contents->len, 0, &start)) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("PEM certificate had no start tag '%s'."),
PEM_CERT_BEGIN);
goto done;
@ -585,7 +580,7 @@ extract_pem_cert_data (GByteArray *contents, GError **error)
start += strlen (PEM_CERT_BEGIN);
if (!find_tag (PEM_CERT_END, contents->data, contents->len, start, &end)) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("PEM certificate had no end tag '%s'."),
PEM_CERT_END);
goto done;
@ -603,7 +598,7 @@ extract_pem_cert_data (GByteArray *contents, GError **error)
g_assert (cert->len == length);
} else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_DECODE_FAILED,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Failed to decode certificate."));
}
@ -668,7 +663,7 @@ crypto_is_pkcs12_data (const guint8 *data,
if (success == FALSE) {
/* If the error was just a decryption error, then it's pkcs#12 */
if (error) {
if (g_error_matches (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED))
if (g_error_matches (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERROR_DECRYPTION_FAILED))
success = TRUE;
g_error_free (error);
}

24
libnm-core/crypto.h
View file

@ -32,24 +32,12 @@
#define CIPHER_AES_CBC "AES-128-CBC"
enum {
NM_CRYPTO_ERR_NONE = 0,
NM_CRYPTO_ERR_INIT_FAILED,
NM_CRYPTO_ERR_CANT_READ_FILE,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERR_CERT_FORMAT_INVALID,
NM_CRYPTO_ERR_DECODE_FAILED,
NM_CRYPTO_ERR_OUT_OF_MEMORY,
NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
NM_CRYPTO_ERR_RAW_IV_INVALID,
NM_CRYPTO_ERR_MD5_INIT_FAILED,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERR_INVALID_PASSWORD,
NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED,
NM_CRYPTO_ERR_RANDOMIZE_FAILED
NM_CRYPTO_ERROR_FAILED = 0,
NM_CRYPTO_ERROR_INVALID_DATA,
NM_CRYPTO_ERROR_INVALID_PASSWORD,
NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
};
typedef enum {

49
libnm-core/crypto_gnutls.c
View file

@ -44,10 +44,9 @@ crypto_init (GError **error)
if (gnutls_global_init() != 0) {
gnutls_global_deinit();
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_INIT_FAILED,
"%s",
_("Failed to initialize the crypto engine."));
g_set_error_literal (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the crypto engine."));
return FALSE;
}
@ -88,7 +87,7 @@ crypto_md5_hash (const char *salt,
err = gcry_md_open (&ctx, GCRY_MD_MD5, 0);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_MD5_INIT_FAILED,
NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the MD5 engine: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
return FALSE;
@ -147,7 +146,7 @@ crypto_decrypt (const char *cipher,
real_iv_len = 16;
} else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
@ -155,7 +154,7 @@ crypto_decrypt (const char *cipher,
if (iv_len < real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_RAW_IV_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Invalid IV length (must be at least %zd)."),
real_iv_len);
return NULL;
@ -166,7 +165,7 @@ crypto_decrypt (const char *cipher,
err = gcry_cipher_open (&ctx, cipher_mech, GCRY_CIPHER_MODE_CBC, 0);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to initialize the decryption cipher context: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@ -175,7 +174,7 @@ crypto_decrypt (const char *cipher,
err = gcry_cipher_setkey (ctx, key, key_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to set symmetric key for decryption: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@ -184,7 +183,7 @@ crypto_decrypt (const char *cipher,
err = gcry_cipher_setiv (ctx, iv, iv_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to set IV for decryption: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@ -193,7 +192,7 @@ crypto_decrypt (const char *cipher,
err = gcry_cipher_decrypt (ctx, output, data_len, data, data_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@ -203,7 +202,7 @@ crypto_decrypt (const char *cipher,
/* Check if the padding at the end of the decrypted data is valid */
if (pad_len == 0 || pad_len > real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key: unexpected padding length."));
goto out;
}
@ -214,7 +213,7 @@ crypto_decrypt (const char *cipher,
for (i = 1; i <= pad_len; ++i) {
if (output[data_len - i] != pad_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key."));
goto out;
}
@ -265,7 +264,7 @@ crypto_encrypt (const char *cipher,
salt_len = iv_len;
} else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
@ -287,7 +286,7 @@ crypto_encrypt (const char *cipher,
err = gcry_cipher_open (&ctx, cipher_mech, GCRY_CIPHER_MODE_CBC, 0);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to initialize the encryption cipher context: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@ -296,7 +295,7 @@ crypto_encrypt (const char *cipher,
err = gcry_cipher_setkey (ctx, key, key_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to set symmetric key for encryption: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@ -306,7 +305,7 @@ crypto_encrypt (const char *cipher,
err = gcry_cipher_setiv (ctx, iv, salt_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to set IV for encryption: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@ -315,7 +314,7 @@ crypto_encrypt (const char *cipher,
err = gcry_cipher_encrypt (ctx, output, output_len, padded_buf, padded_buf_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to encrypt the data: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@ -355,7 +354,7 @@ crypto_verify_cert (const unsigned char *data,
err = gnutls_x509_crt_init (&der);
if (err < 0) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CERT_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Error initializing certificate data: %s"),
gnutls_strerror (err));
return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
@ -377,7 +376,7 @@ crypto_verify_cert (const unsigned char *data,
return NM_CRYPTO_FILE_FORMAT_X509;
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CERT_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode certificate: %s"),
gnutls_strerror (err));
return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
@ -402,7 +401,7 @@ crypto_verify_pkcs12 (const guint8 *data,
err = gnutls_pkcs12_init (&p12);
if (err < 0) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_DECODE_FAILED,
NM_CRYPTO_ERROR_FAILED,
_("Couldn't initialize PKCS#12 decoder: %s"),
gnutls_strerror (err));
return FALSE;
@ -415,7 +414,7 @@ crypto_verify_pkcs12 (const guint8 *data,
err = gnutls_pkcs12_import (p12, &dt, GNUTLS_X509_FMT_PEM, 0);
if (err < 0) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode PKCS#12 file: %s"),
gnutls_strerror (err));
goto out;
@ -427,7 +426,7 @@ crypto_verify_pkcs12 (const guint8 *data,
success = TRUE;
else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Couldn't verify PKCS#12 file: %s"),
gnutls_strerror (err));
}
@ -456,7 +455,7 @@ crypto_verify_pkcs8 (const guint8 *data,
err = gnutls_x509_privkey_init (&p8);
if (err < 0) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_DECODE_FAILED,
NM_CRYPTO_ERROR_FAILED,
_("Couldn't initialize PKCS#8 decoder: %s"),
gnutls_strerror (err));
return FALSE;
@ -479,7 +478,7 @@ crypto_verify_pkcs8 (const guint8 *data,
*/
} else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode PKCS#8 file: %s"),
gnutls_strerror (err));
return FALSE;

65
libnm-core/crypto_nss.c
View file

@ -52,7 +52,7 @@ crypto_init (GError **error)
ret = NSS_NoDB_Init (NULL);
if (ret != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_INIT_FAILED,
NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the crypto engine: %d."),
PR_GetError ());
PR_Cleanup ();
@ -103,7 +103,7 @@ crypto_md5_hash (const char *salt,
ctx = PK11_CreateDigestContext (SEC_OID_MD5);
if (!ctx) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_MD5_INIT_FAILED,
NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the MD5 context: %d."),
PORT_GetError ());
return FALSE;
@ -167,7 +167,7 @@ crypto_decrypt (const char *cipher,
real_iv_len = 16;
} else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
@ -175,7 +175,7 @@ crypto_decrypt (const char *cipher,
if (iv_len < real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_RAW_IV_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Invalid IV length (must be at least %d)."),
real_iv_len);
return NULL;
@ -186,7 +186,7 @@ crypto_decrypt (const char *cipher,
slot = PK11_GetBestSlot (cipher_mech, NULL);
if (!slot) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the decryption cipher slot."));
goto out;
}
@ -196,7 +196,7 @@ crypto_decrypt (const char *cipher,
sym_key = PK11_ImportSymKey (slot, cipher_mech, PK11_OriginUnwrap, CKA_DECRYPT, &key_item, NULL);
if (!sym_key) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to set symmetric key for decryption."));
goto out;
}
@ -206,7 +206,7 @@ crypto_decrypt (const char *cipher,
sec_param = PK11_ParamFromIV (cipher_mech, &key_item);
if (!sec_param) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to set IV for decryption."));
goto out;
}
@ -214,7 +214,7 @@ crypto_decrypt (const char *cipher,
ctx = PK11_CreateContextBySymKey (cipher_mech, CKA_DECRYPT, sym_key, sec_param);
if (!ctx) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to initialize the decryption context."));
goto out;
}
@ -227,7 +227,7 @@ crypto_decrypt (const char *cipher,
data_len);
if (s != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key: %d."),
PORT_GetError ());
goto out;
@ -235,7 +235,7 @@ crypto_decrypt (const char *cipher,
if (decrypted_len > data_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key: decrypted data too large."));
goto out;
}
@ -246,7 +246,7 @@ crypto_decrypt (const char *cipher,
data_len - decrypted_len);
if (s != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to finalize decryption of the private key: %d."),
PORT_GetError ());
goto out;
@ -257,7 +257,7 @@ crypto_decrypt (const char *cipher,
/* Check if the padding at the end of the decrypted data is valid */
if (pad_len == 0 || pad_len > real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key: unexpected padding length."));
goto out;
}
@ -268,7 +268,7 @@ crypto_decrypt (const char *cipher,
for (i = pad_len; i > 0; i--) {
if (output[data_len - i] != pad_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key."));
goto out;
}
@ -329,7 +329,7 @@ crypto_encrypt (const char *cipher,
cipher_mech = CKM_AES_CBC_PAD;
else {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_UNKNOWN_CIPHER,
NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
@ -351,7 +351,7 @@ crypto_encrypt (const char *cipher,
slot = PK11_GetBestSlot (cipher_mech, NULL);
if (!slot) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the encryption cipher slot."));
goto out;
}
@ -359,7 +359,7 @@ crypto_encrypt (const char *cipher,
sym_key = PK11_ImportSymKey (slot, cipher_mech, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, NULL);
if (!sym_key) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to set symmetric key for encryption."));
goto out;
}
@ -367,7 +367,7 @@ crypto_encrypt (const char *cipher,
sec_param = PK11_ParamFromIV (cipher_mech, &iv_item);
if (!sec_param) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to set IV for encryption."));
goto out;
}
@ -375,7 +375,7 @@ crypto_encrypt (const char *cipher,
ctx = PK11_CreateContextBySymKey (cipher_mech, CKA_ENCRYPT, sym_key, sec_param);
if (!ctx) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to initialize the encryption context."));
goto out;
}
@ -383,7 +383,7 @@ crypto_encrypt (const char *cipher,
ret = PK11_CipherOp (ctx, output, &encrypted_len, output_len, padded_buf, padded_buf_len);
if (ret != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED,
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to encrypt: %d."),
PORT_GetError ());
goto out;
@ -391,7 +391,7 @@ crypto_encrypt (const char *cipher,
if (encrypted_len != output_len) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED,
NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Unexpected amount of data after encrypting."));
goto out;
}
@ -431,7 +431,7 @@ crypto_verify_cert (const unsigned char *data,
cert = CERT_DecodeCertFromPackage ((char *) data, len);
if (!cert) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CERT_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode certificate: %d"),
PORT_GetError());
return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
@ -451,7 +451,7 @@ crypto_verify_pkcs12 (const guint8 *data,
SECItem pw = { 0 };
PK11SlotInfo *slot = NULL;
SECStatus s;
char *ucs2_password;
gunichar2 *ucs2_password;
glong ucs2_chars = 0;
#ifndef WORDS_BIGENDIAN
guint16 *p;
@ -463,15 +463,16 @@ crypto_verify_pkcs12 (const guint8 *data,
/* PKCS#12 passwords are apparently UCS2 BIG ENDIAN, and NSS doesn't do
* any conversions for us.
*/
if (password && strlen (password)) {
ucs2_password = (char *) g_utf8_to_utf16 (password, strlen (password), NULL, &ucs2_chars, NULL);
if (!ucs2_password || !ucs2_chars) {
if (password && *password) {
if (!g_utf8_validate (password, -1, NULL)) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_INVALID_PASSWORD,
_("Couldn't convert password to UCS2: %d"),
PORT_GetError());
NM_CRYPTO_ERROR_INVALID_PASSWORD,
_("Password must be UTF-8"));
return FALSE;
}
ucs2_password = g_utf8_to_utf16 (password, strlen (password), NULL, &ucs2_chars, NULL);
/* Can't fail if g_utf8_validate() succeeded */
g_return_val_if_fail (ucs2_password != NULL && ucs2_chars != 0, FALSE);
ucs2_chars *= 2; /* convert # UCS2 characters -> bytes */
pw.data = PORT_ZAlloc(ucs2_chars + 2);
@ -495,7 +496,7 @@ crypto_verify_pkcs12 (const guint8 *data,
p12ctx = SEC_PKCS12DecoderStart (&pw, slot, NULL, NULL, NULL, NULL, NULL, NULL);
if (!p12ctx) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_DECODE_FAILED,
NM_CRYPTO_ERROR_FAILED,
_("Couldn't initialize PKCS#12 decoder: %d"),
PORT_GetError());
goto error;
@ -504,7 +505,7 @@ crypto_verify_pkcs12 (const guint8 *data,
s = SEC_PKCS12DecoderUpdate (p12ctx, (guint8 *)data, data_len);
if (s != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode PKCS#12 file: %d"),
PORT_GetError());
goto error;
@ -513,7 +514,7 @@ crypto_verify_pkcs12 (const guint8 *data,
s = SEC_PKCS12DecoderVerify (p12ctx);
if (s != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Couldn't verify PKCS#12 file: %d"),
PORT_GetError());
goto error;
@ -558,7 +559,7 @@ crypto_randomize (void *buffer, gsize buffer_len, GError **error)
s = PK11_GenerateRandom (buffer, buffer_len);
if (s != SECSuccess) {
g_set_error_literal (error, NM_CRYPTO_ERROR,
NM_CRYPTO_ERR_RANDOMIZE_FAILED,
NM_CRYPTO_ERROR_FAILED,
_("Could not generate random data."));
return FALSE;
}