From b3e39d42758c678935e7a33aea48c03f7a2b2763 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?= Date: Fri, 2 May 2014 13:01:55 +0200 Subject: [PATCH] libnm-util: allow AES cipher for private keys and add a testcase to check the encryption with AES. --- libnm-util/crypto.c | 20 ++++++++++------- libnm-util/crypto.h | 3 ++- libnm-util/crypto_gnutls.c | 3 +++ libnm-util/crypto_nss.c | 3 +++ libnm-util/tests/Makefile.am | 3 +++ libnm-util/tests/certs/Makefile.am | 3 ++- libnm-util/tests/certs/test-aes-key.pem | 30 +++++++++++++++++++++++++ 7 files changed, 55 insertions(+), 10 deletions(-) create mode 100644 libnm-util/tests/certs/test-aes-key.pem diff --git a/libnm-util/crypto.c b/libnm-util/crypto.c index c2a93b3bef..0ac4fbacd4 100644 --- a/libnm-util/crypto.c +++ b/libnm-util/crypto.c @@ -206,6 +206,8 @@ parse_old_openssl_key_file (const GByteArray *contents, cipher = g_strdup (p); } else if (!strcasecmp (p, "DES-CBC")) { cipher = g_strdup (p); + } else if (!strcasecmp (p, "AES-128-CBC")) { + cipher = g_strdup (p); } else { g_set_error (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE, @@ -378,12 +380,12 @@ error: } static char * -make_des_key (const char *cipher, - const char *salt, - const gsize salt_len, - const char *password, - gsize *out_len, - GError **error) +make_des_aes_key (const char *cipher, + const char *salt, + const gsize salt_len, + const char *password, + gsize *out_len, + GError **error) { char *key; guint32 digest_len; @@ -398,6 +400,8 @@ make_des_key (const char *cipher, digest_len = 24; else if (!strcmp (cipher, "DES-CBC")) digest_len = 8; + else if (!strcmp (cipher, "AES-128-CBC")) + digest_len = 16; else { g_set_error (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERR_UNKNOWN_CIPHER, 
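Review bot: In the parse_old_openssl_key_file hunk the new branch matches the cipher name with `strcasecmp` but stores the file's own spelling via `g_strdup (p)`, while make_des_aes_key (later hunk in this file) and both crypto_decrypt backends compare with case-sensitive `strcmp`. Assuming the string parsed here is the one later handed to decrypt_key, a key file whose DEK-Info header says `aes-128-cbc` passes parsing and then fails with an unknown-cipher error. Storing the canonical name, `cipher = g_strdup ("AES-128-CBC");` (or `CIPHER_AES_CBC` if crypto.h is in scope here), keeps the comparisons in agreement. The DES branches above have the same pattern and predate this commit; the function body continues outside the hunk.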
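Review bot: The new `digest_len = 16` branch in make_des_aes_key sets the key size, but nothing visible in this hunk limits the salt to 8 bytes. decrypt_key passes the whole IV (`bin_iv`, `bin_iv_len`), which is 16 bytes for AES-128-CBC, whereas OpenSSL's legacy PEM key derivation salts with only the first 8 bytes of the IV. The hashing call lies outside the hunk, so please confirm it does not consume `salt_len` bytes, and record the rule next to the new branch, e.g. `/* AES-128: 16-byte key; salt is the first 8 bytes of the IV */`. The literal `"AES-128-CBC"` here duplicates `CIPHER_AES_CBC` from crypto.h and has to be kept in sync by hand.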
@@ -454,8 +458,8 @@ decrypt_key (const char *cipher, if (!bin_iv) return NULL; - /* Convert the PIN and IV into a DES key */ - key = make_des_key (cipher, bin_iv, bin_iv_len, password, &key_len, error); + /* Convert the password and IV into a DES or AES key */ + key = make_des_aes_key (cipher, bin_iv, bin_iv_len, password, &key_len, error); if (!key || !key_len) goto out; diff --git a/libnm-util/crypto.h b/libnm-util/crypto.h index 482ed0876c..1cbf61c120 100644 --- a/libnm-util/crypto.h +++ b/libnm-util/crypto.h @@ -18,7 +18,7 @@ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, * Boston, MA 02110-1301 USA. * - * (C) Copyright 2007 - 2011 Red Hat, Inc. + * (C) Copyright 2007 - 2014 Red Hat, Inc. */ #ifndef __CRYPTO_H__ @@ -29,6 +29,7 @@ #define MD5_HASH_LEN 20 #define CIPHER_DES_EDE3_CBC "DES-EDE3-CBC" #define CIPHER_DES_CBC "DES-CBC" +#define CIPHER_AES_CBC "AES-128-CBC" enum { NM_CRYPTO_ERR_NONE = 0, diff --git a/libnm-util/crypto_gnutls.c b/libnm-util/crypto_gnutls.c index 4926fb9e78..c272e373e0 100644 --- a/libnm-util/crypto_gnutls.c +++ b/libnm-util/crypto_gnutls.c @@ -141,6 +141,9 @@ crypto_decrypt (const char *cipher, } else if (!strcmp (cipher, CIPHER_DES_CBC)) { cipher_mech = GCRY_CIPHER_DES; real_iv_len = SALT_LEN; + } else if (!strcmp (cipher, CIPHER_AES_CBC)) { + cipher_mech = GCRY_CIPHER_AES; + real_iv_len = 16; } else { g_set_error (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERR_UNKNOWN_CIPHER, diff --git a/libnm-util/crypto_nss.c b/libnm-util/crypto_nss.c index ac060ce2d4..23863902f6 100644 --- a/libnm-util/crypto_nss.c +++ b/libnm-util/crypto_nss.c @@ -161,6 +161,9 @@ crypto_decrypt (const char *cipher, } else if (!strcmp (cipher, CIPHER_DES_CBC)) { cipher_mech = CKM_DES_CBC_PAD; real_iv_len = 8; + } else if (!strcmp (cipher, CIPHER_AES_CBC)) { + cipher_mech = CKM_AES_CBC_PAD; + real_iv_len = 16; } else { g_set_error (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERR_UNKNOWN_CIPHER, 
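Review bot: In the crypto.h hunk, `CIPHER_AES_CBC` names the whole AES-CBC family but its value is the 128-bit variant only, so a later AES-192 or AES-256 define has no natural name to sit beside it; `#define CIPHER_AES_128_CBC "AES-128-CBC"` would be clearer. Keys encrypted with AES-192-CBC or AES-256-CBC still fall through to the unknown-cipher error after this commit, which deserves a one-line comment above the define so users are not surprised. crypto.c compares against the string literal rather than this macro, so the two spellings are only kept equal by convention.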
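Review bot: `real_iv_len = 16` is a bare literal in the crypto_gnutls.c hunk and again in the crypto_nss.c hunk, next to `SALT_LEN` and `8` for DES; a shared named constant for the AES block size would make the intent checkable. The IV comes from the key file's DEK-Info header, so whatever comparison of the caller's `iv_len` against `real_iv_len` follows (outside both hunks) is what keeps a short IV from being over-read, and it should be confirmed on both backends for the new 16-byte case. In the gcrypt path `GCRY_CIPHER_AES` selects the 128-bit variant, so the key passed in must be exactly 16 bytes; a comment such as `/* AES-128: 16-byte key and IV */` on the new branch would say so. crypto_decrypt's body continues outside the hunk in both files.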
diff --git a/libnm-util/tests/Makefile.am b/libnm-util/tests/Makefile.am index 52e8adc349..6d3d225ef3 100644 --- a/libnm-util/tests/Makefile.am +++ b/libnm-util/tests/Makefile.am @@ -125,6 +125,9 @@ check-local: test-crypto test-setting-8021x $(srcdir)/certs/pkcs8-enc-key.pem \ "1234567890" +# Private key with AES cipher + $(abs_builddir)/test-crypto --key $(srcdir)/certs/test-aes-key.pem "test-aes-password" + TESTS = test-settings-defaults test-secrets test-general test-setting-dcb endif diff --git a/libnm-util/tests/certs/Makefile.am b/libnm-util/tests/certs/Makefile.am index e0f00a479e..309925174c 100644 --- a/libnm-util/tests/certs/Makefile.am +++ b/libnm-util/tests/certs/Makefile.am @@ -20,5 +20,6 @@ EXTRA_DIST = \ test-key-only-decrypted.der \ pkcs8-enc-key.pem \ pkcs8-noenc-key.pem \ - pkcs8-decrypted.der + pkcs8-decrypted.der \ + test-aes-key.pem diff --git a/libnm-util/tests/certs/test-aes-key.pem b/libnm-util/tests/certs/test-aes-key.pem new file mode 100644 index 0000000000..aab8f463ca --- /dev/null +++ b/libnm-util/tests/certs/test-aes-key.pem 
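Review bot: The check added to check-local in libnm-util/tests/Makefile.am runs test-crypto only with the correct password, so it covers the success path but not rejection of a wrong password or a malformed DEK-Info IV for the new cipher. If test-crypto has no negative mode, the comment should at least state the scope, e.g. `# Private key with AES-128-CBC cipher (decrypt with correct password only)`. Since the cipher is chosen per backend at build time, this single invocation exercises whichever of the gnutls or NSS paths was compiled, not both. The check-local recipe continues outside the hunk.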
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,800391B7DD72364B4C2562E0B6AEA000 + +E9dgNCIATOr4CN5c8o6B+8wdqq/I1BLmPmW2qT7YZepoF7E+RUb8ZLjo1VO2XsJw +Ir4EzuH7837zBD9dP5CjlY8cWfR63gZpEWRY5Jub8kzvqiL4UZ0Qr8IHOZxAkKEz +EL1Pn7e+tYt4kA372LPZHWO3vRCgmL1iSJj2/k3avPWAx7NUie4bzGI+00WNv699 +ClKzsJbWB1eiQvYgOr4aVV26oWfa896JkBoGhgZQ6ckqFpsdAos8m46iOSVZrwgq +Y2/d1CvfQod+87c8LRatwAjf+d6YAJJaeMyxjCGuAY6/JyDsorUkM2OlvbTt6WOA +gSPWO8I+Ov6THb4IuPhpIJ30Sl88tc6MlIByW49EWu2G1jPw3L8iqRzZ50Z85dyz +N9yFP91wEwi5F0Zed4iEpg3NVfklEe/VYqCldc5f9fZ84G5V98ZlAdNSqwd/UNBU +iPTflGqVpp1u+J2isOk+Agpj1MCxh2q0RNuvY9KHzOYBScirfbG4DKNbQgS/5Zw7 +3g9YL5Wbo7BczHLiXf/2adu6T8wI1LKRjkeLV9dK1Vw3ZaGy3mB9oFhCgjh9BNHw +wC78CVcUErjtOXdQagiCQn5k5EGeAB97QFROoAFjAmGvq3xCi4EHd9Sk6fcMm7Oi +1fuVR5EXUubF4Llq06lFzQp01s2F73noH49bs3qwdf0n8nrL2XhKB0XCOV/I3K5c +Y3W+YSl361QGjZ/NUcFLIIy+Uro90MmUBNk6af+wGHRJeflpVnK0ATX1PtpNHziz +jiMiIZicjgfVLxl1a5zTl6KUmGWKlZb533adQ0s6q9Qmi5Vk5L5W/GdMjcFtZbM6 +GU7EOkwihMLb3DVsNbm7vb8tUXqe/e5RmXtij8Yb+2a6/M9yaOHa0VjHzdiKHecr +eEYaKQDj7NCWLslNnRRh9GmgXcu2pqBhqRM3HAt3cEaHKKWHTcoWcz11pFwMHNtn +bU9GjGRVc3lCGhVNRiloO0zrKHmcBpDVLw2+ycXXpj/RaBW2fy0xRLKolyla+jEr +zdLzVI61O50ZMycOtPmE7DVZpkokn32hGer1eCOFnsN1lywi4cWLvU0jbQC+CJyw +T9vS8zB3WgOl8rC1AHsfQ4KYajlKleQm89deurQymnt/Qx49SiQA+TpwG9Xvx2TP +3Vc1NwZfM9ZZ1+6xit/rTuS3LhnmhEnGnV5ZyvAdmkCcV2iHjOnLnQWWQn24MHU3 +8Y9D4AdpI5V7Igwr3vH2NZMiw1W2Yc5EJuPAT8nIs5sgOYhXB/QLPJvulvOQhuNC +NPwJ6A505JrVNfHuEaoGUyA+mPeWuLwQo8y8cM6ZdFMG3RrwFNzuYTrc1Z/9GsmA +C0UfHf5dL0r7oWZ1SbpSvsmHYqc8sIypq0ohuLEbpegS/hWP8b2/XDRTjfTiJOrM +4LsUH9PMOJSxDlwS+7e3FdcGfgXfsMgB3aOjQvNpKEolOuv4A5LVFeMrrwtw4Xo1 +EuhstZwyarUTJenDUXzkakhA+8Yw/g2a7RsnANVTkeBuv2PbqFL4zdlsWvcpkz41 +ESxx1siSeU1E9beOII0zSi8vUD0IAevRHaWSlfU2po600IzX1FN97pa4DJV2ycgn +-----END RSA PRIVATE KEY-----