diff options
author | Thomas Haller <thaller@redhat.com> | 2022-03-18 20:53:40 +0100 |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2022-03-29 11:56:03 +0200 |
commit | 3a97604a27aceb58d8edfeee7da9e56b50387a2b (patch) | |
tree | ecda76f585f78e5e63fa2f4bf8914a029e206fda | |
parent | 89bba8fa847ffb3f37ba625e8eefec4e161074e1 (diff) | |
download | NetworkManager-3a97604a27aceb58d8edfeee7da9e56b50387a2b.tar.gz |
libnm: don't depend nm-crypto on "nm-error.h"
"nm-error.h" is public API of libnm, and contains error numbers and
quarks. Clearly our "nm-crypto" implementation wants to use those
errors.
I want to move "nm-crypto" out of libnm, and as it's more basic, I think
it should not have a dependency on all of libnm-core. Also because
libnm-core currently uses nm-crypto, so there would be a circular
dependency. Which would be possible to do (libnm-core-aux-intern is
also used in such a way). But it's better avoided, to have clear
hierarchy of dependencies.
Add a version of the same error codes to libnm-base. libnm-base is a
very basic dependency (just one step above libnm-glib-aux).
-rw-r--r-- | src/libnm-base/nm-base.c | 6 | ||||
-rw-r--r-- | src/libnm-base/nm-base.h | 16 | ||||
-rw-r--r-- | src/libnm-core-impl/nm-crypto-gnutls.c | 69 | ||||
-rw-r--r-- | src/libnm-core-impl/nm-crypto-impl.h | 1 | ||||
-rw-r--r-- | src/libnm-core-impl/nm-crypto-nss.c | 107 | ||||
-rw-r--r-- | src/libnm-core-impl/nm-crypto-null.c | 29 | ||||
-rw-r--r-- | src/libnm-core-impl/nm-crypto.c | 113 | ||||
-rw-r--r-- | src/libnm-core-impl/nm-errors.c | 14 | ||||
-rw-r--r-- | src/libnm-core-impl/tests/test-crypto.c | 18 |
9 files changed, 214 insertions, 159 deletions
diff --git a/src/libnm-base/nm-base.c b/src/libnm-base/nm-base.c index e35b5d56ef..f81b285c4e 100644 --- a/src/libnm-base/nm-base.c +++ b/src/libnm-base/nm-base.c @@ -3,3 +3,9 @@ #include "libnm-glib-aux/nm-default-glib-i18n-lib.h" #include "nm-base.h" + +/*****************************************************************************/ + +NM_CACHED_QUARK_FCN("nm-crypto-error-quark", _nm_crypto_error_quark); + +/*****************************************************************************/ diff --git a/src/libnm-base/nm-base.h b/src/libnm-base/nm-base.h index 0363e3b64b..ff062a18b8 100644 --- a/src/libnm-base/nm-base.h +++ b/src/libnm-base/nm-base.h @@ -393,4 +393,20 @@ typedef struct { #define NM_BOND_PORT_QUEUE_ID_DEF 0 +/*****************************************************************************/ + +/* NM_CRYPTO_ERROR is part of public API in libnm (implemented in libnm-core). + * We also want to use it without libnm-core. So this "_" variant is the internal + * version, with numerically same values -- to be used without libnm-base. */ + +#define _NM_CRYPTO_ERROR_FAILED 0 +#define _NM_CRYPTO_ERROR_INVALID_DATA 1 +#define _NM_CRYPTO_ERROR_INVALID_PASSWORD 2 +#define _NM_CRYPTO_ERROR_UNKNOWN_CIPHER 3 +#define _NM_CRYPTO_ERROR_DECRYPTION_FAILED 4 +#define _NM_CRYPTO_ERROR_ENCRYPTION_FAILED 5 + +#define _NM_CRYPTO_ERROR _nm_crypto_error_quark() +GQuark _nm_crypto_error_quark(void); + #endif /* __NM_LIBNM_BASE_H__ */ diff --git a/src/libnm-core-impl/nm-crypto-gnutls.c b/src/libnm-core-impl/nm-crypto-gnutls.c index d9e5913645..7352a38e60 100644 --- a/src/libnm-core-impl/nm-crypto-gnutls.c +++ b/src/libnm-core-impl/nm-crypto-gnutls.c @@ -14,7 +14,6 @@ #include <gnutls/pkcs12.h> #include "libnm-glib-aux/nm-secret-utils.h" -#include "nm-errors.h" /*****************************************************************************/ @@ -54,8 +53,8 @@ _nm_crypto_init(GError **error) if (gnutls_global_init() != 0) { gnutls_global_deinit(); g_set_error_literal(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Failed to initialize the crypto engine.")); return FALSE; } @@ -87,8 +86,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, if (!_get_cipher_info(cipher, &cipher_mech, &real_iv_len)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_UNKNOWN_CIPHER, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_UNKNOWN_CIPHER, _("Unsupported key cipher for decryption")); return NULL; } @@ -98,8 +97,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, if (iv_len < real_iv_len) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Invalid IV length (must be at least %u)."), (guint) real_iv_len); return NULL; @@ -116,8 +115,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, err = gnutls_cipher_init(&ctx, cipher_mech, &key_dt, &iv_dt); if (err < 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to initialize the decryption cipher context: %s (%s)"), gnutls_strerror_name(err), gnutls_strerror(err)); @@ -130,8 +129,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, if (err < 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key: %s (%s)"), gnutls_strerror_name(err), gnutls_strerror(err)); @@ -143,8 +142,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, /* Check if the padding at the end of the decrypted data is valid */ if (pad_len == 0 || pad_len > real_iv_len) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key: unexpected padding length.")); return NULL; } @@ -155,8 +154,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, for (pad_i = 1; pad_i <= pad_len; ++pad_i) { if (output.bin[data_len - pad_i] != pad_len) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key.")); return NULL; } @@ -189,8 +188,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, if (cipher == NM_CRYPTO_CIPHER_DES_CBC || !_get_cipher_info(cipher, &cipher_mech, NULL)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_UNKNOWN_CIPHER, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_UNKNOWN_CIPHER, _("Unsupported key cipher for encryption")); return NULL; } @@ -206,8 +205,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, err = gnutls_cipher_init(&ctx, cipher_mech, &key_dt, &iv_dt); if (err < 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_ENCRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to initialize the encryption cipher context: %s (%s)"), gnutls_strerror_name(err), gnutls_strerror(err)); @@ -234,8 +233,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, if (err < 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_ENCRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to encrypt the data: %s (%s)"), gnutls_strerror_name(err), gnutls_strerror(err)); @@ -259,8 +258,8 @@ _nm_crypto_verify_x509(const guint8 *data, gsize len, GError **error) err = gnutls_x509_crt_init(&der); if (err < 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Error initializing certificate data: %s"), gnutls_strerror(err)); return FALSE; @@ -282,8 +281,8 @@ _nm_crypto_verify_x509(const guint8 *data, gsize len, GError **error) return TRUE; g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Couldn't decode certificate: %s"), gnutls_strerror(err)); return FALSE; @@ -307,8 +306,8 @@ _nm_crypto_verify_pkcs12(const guint8 *data, gsize data_len, const char *passwor err = gnutls_pkcs12_init(&p12); if (err < 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Couldn't initialize PKCS#12 decoder: %s"), gnutls_strerror(err)); return FALSE; @@ -321,8 +320,8 @@ _nm_crypto_verify_pkcs12(const guint8 *data, gsize data_len, const char *passwor err = gnutls_pkcs12_import(p12, &dt, GNUTLS_X509_FMT_PEM, 0); if (err < 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Couldn't decode PKCS#12 file: %s"), gnutls_strerror(err)); gnutls_pkcs12_deinit(p12); @@ -336,8 +335,8 @@ _nm_crypto_verify_pkcs12(const guint8 *data, gsize data_len, const char *passwor if (err != GNUTLS_E_SUCCESS) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Couldn't verify PKCS#12 file: %s"), gnutls_strerror(err)); return FALSE; @@ -365,8 +364,8 @@ _nm_crypto_verify_pkcs8(const guint8 *data, err = gnutls_x509_privkey_init(&p8); if (err < 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Couldn't initialize PKCS#8 decoder: %s"), gnutls_strerror(err)); return FALSE; @@ -393,8 +392,8 @@ _nm_crypto_verify_pkcs8(const guint8 *data, */ } else { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Couldn't decode PKCS#8 file: %s"), gnutls_strerror(err)); return FALSE; diff --git a/src/libnm-core-impl/nm-crypto-impl.h b/src/libnm-core-impl/nm-crypto-impl.h index 61c3f7f8e2..0b7c14dc08 100644 --- a/src/libnm-core-impl/nm-crypto-impl.h +++ b/src/libnm-core-impl/nm-crypto-impl.h @@ -8,6 +8,7 @@ #define __NM_CRYPTO_IMPL_H__ #include "nm-crypto.h" +#include "libnm-base/nm-base.h" gboolean _nm_crypto_init(GError **error); diff --git a/src/libnm-core-impl/nm-crypto-nss.c b/src/libnm-core-impl/nm-crypto-nss.c index c27bf09e35..cd5966c42a 100644 --- a/src/libnm-core-impl/nm-crypto-nss.c +++ b/src/libnm-core-impl/nm-crypto-nss.c @@ -21,7 +21,7 @@ NM_PRAGMA_WARNING_DISABLE("-Wstrict-prototypes") NM_PRAGMA_WARNING_REENABLE #include "libnm-glib-aux/nm-secret-utils.h" -#include "nm-errors.h" +#include "libnm-base/nm-base.h" /*****************************************************************************/ @@ -65,8 +65,8 @@ _nm_crypto_init(GError **error) ret = NSS_NoDB_Init(NULL); if (ret != SECSuccess) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Failed to initialize the crypto engine: %d."), PR_GetError()); PR_Cleanup(); @@ -113,16 +113,16 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, if (!_get_cipher_info(cipher, &cipher_mech, &real_iv_len)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_UNKNOWN_CIPHER, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_UNKNOWN_CIPHER, _("Unsupported key cipher for decryption")); return NULL; } if (iv_len < real_iv_len) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Invalid IV length (must be at least %u)."), (guint) real_iv_len); return NULL; @@ -134,8 +134,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, slot = PK11_GetBestSlot(cipher_mech, NULL); if (!slot) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Failed to initialize the decryption cipher slot.")); goto out; } @@ -145,8 +145,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, sym_key = PK11_ImportSymKey(slot, cipher_mech, PK11_OriginUnwrap, CKA_DECRYPT, &key_item, NULL); if (!sym_key) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to set symmetric key for decryption.")); goto out; } @@ -156,8 +156,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, sec_param = PK11_ParamFromIV(cipher_mech, &key_item); if (!sec_param) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to set IV for decryption.")); goto out; } @@ -165,8 +165,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, ctx = PK11_CreateContextBySymKey(cipher_mech, CKA_DECRYPT, sym_key, sec_param); if (!ctx) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to initialize the decryption context.")); goto out; } @@ -182,8 +182,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, data_len); if (s != SECSuccess) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key: %d."), PORT_GetError()); goto out; @@ -191,8 +191,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, if (decrypted_len > data_len) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key: decrypted data too large.")); goto out; } @@ -203,8 +203,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, data_len - decrypted_len); if (s != SECSuccess) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to finalize decryption of the private key: %d."), PORT_GetError()); goto out; @@ -216,8 +216,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, /* Check if the padding at the end of the decrypted data is valid */ if (pad_len == 0 || pad_len > real_iv_len) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key: unexpected padding length.")); goto out; } @@ -228,8 +228,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, for (i = pad_len; i > 0; i--) { if (output.bin[data_len - i] != pad_len) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Failed to decrypt the private key.")); goto out; } @@ -283,8 +283,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, if (cipher == NM_CRYPTO_CIPHER_DES_CBC || !_get_cipher_info(cipher, &cipher_mech, NULL)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_UNKNOWN_CIPHER, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_UNKNOWN_CIPHER, _("Unsupported key cipher for encryption")); return NULL; } @@ -295,8 +295,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, slot = PK11_GetBestSlot(cipher_mech, NULL); if (!slot) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Failed to initialize the encryption cipher slot.")); return NULL; } @@ -304,8 +304,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, sym_key = PK11_ImportSymKey(slot, cipher_mech, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, NULL); if (!sym_key) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_ENCRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to set symmetric key for encryption.")); goto out; } @@ -313,8 +313,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, sec_param = PK11_ParamFromIV(cipher_mech, &iv_item); if (!sec_param) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_ENCRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to set IV for encryption.")); goto out; } @@ -322,8 +322,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, ctx = PK11_CreateContextBySymKey(cipher_mech, CKA_ENCRYPT, sym_key, sec_param); if (!ctx) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_ENCRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to initialize the encryption context.")); goto out; } @@ -347,8 +347,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, PK11_CipherOp(ctx, output.bin, &encrypted_len, output.len, padded_buf.bin, padded_buf.len); if (ret != SECSuccess) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_ENCRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Failed to encrypt: %d."), PORT_GetError()); goto out; @@ -356,8 +356,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, if (encrypted_len != output.len) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_ENCRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_ENCRYPTION_FAILED, _("Unexpected amount of data after encrypting.")); goto out; } @@ -393,8 +393,8 @@ _nm_crypto_verify_x509(const guint8 *data, gsize len, GError **error) cert = CERT_DecodeCertFromPackage((char *) data, len); if (!cert) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Couldn't decode certificate: %d"), PORT_GetError()); return FALSE; @@ -438,8 +438,8 @@ _nm_crypto_verify_pkcs12(const guint8 *data, gsize data_len, const char *passwor if (!ucs2_password.bin || ucs2_password.len == 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_PASSWORD, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_PASSWORD, _("Password must be UTF-8")); return FALSE; } @@ -461,15 +461,18 @@ _nm_crypto_verify_pkcs12(const guint8 *data, gsize data_len, const char *passwor slot = PK11_GetInternalKeySlot(); if (!slot) { - g_set_error(error, NM_CRYPTO_ERROR, NM_CRYPTO_ERROR_FAILED, _("Couldn't initialize slot")); + g_set_error(error, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, + _("Couldn't initialize slot")); goto out; } p12ctx = SEC_PKCS12DecoderStart(&pw, slot, NULL, NULL, NULL, NULL, NULL, NULL); if (!p12ctx) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Couldn't initialize PKCS#12 decoder: %d"), PORT_GetError()); goto out; @@ -478,8 +481,8 @@ _nm_crypto_verify_pkcs12(const guint8 *data, gsize data_len, const char *passwor s = SEC_PKCS12DecoderUpdate(p12ctx, (guint8 *) data, data_len); if (s != SECSuccess) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Couldn't decode PKCS#12 file: %d"), PORT_GetError()); goto out; @@ -488,8 +491,8 @@ _nm_crypto_verify_pkcs12(const guint8 *data, gsize data_len, const char *passwor s = SEC_PKCS12DecoderVerify(p12ctx); if (s != SECSuccess) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_DECRYPTION_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_DECRYPTION_FAILED, _("Couldn't verify PKCS#12 file: %d"), PORT_GetError()); goto out; @@ -539,8 +542,8 @@ _nm_crypto_randomize(void *buffer, gsize buffer_len, GError **error) s = PK11_GenerateRandom(buffer, buffer_len); if (s != SECSuccess) { g_set_error_literal(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Could not generate random data.")); return FALSE; } diff --git a/src/libnm-core-impl/nm-crypto-null.c b/src/libnm-core-impl/nm-crypto-null.c index 2f072257ec..6f6c7f2897 100644 --- a/src/libnm-core-impl/nm-crypto-null.c +++ b/src/libnm-core-impl/nm-crypto-null.c @@ -9,7 +9,6 @@ #include "nm-crypto-impl.h" #include "libnm-glib-aux/nm-secret-utils.h" -#include "nm-errors.h" /*****************************************************************************/ @@ -17,8 +16,8 @@ gboolean _nm_crypto_init(GError **error) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Compiled without crypto support.")); return FALSE; } @@ -35,8 +34,8 @@ _nmtst_crypto_decrypt(NMCryptoCipherType cipher, GError **error) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Compiled without crypto support.")); return NULL; } @@ -53,8 +52,8 @@ _nmtst_crypto_encrypt(NMCryptoCipherType cipher, GError **error) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Compiled without crypto support.")); return NULL; } @@ -63,8 +62,8 @@ gboolean _nm_crypto_verify_x509(const guint8 *data, gsize len, GError **error) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Compiled without crypto support.")); return FALSE; } @@ -73,8 +72,8 @@ gboolean _nm_crypto_verify_pkcs12(const guint8 *data, gsize data_len, const char *password, GError **error) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Compiled without crypto support.")); return FALSE; } @@ -87,8 +86,8 @@ _nm_crypto_verify_pkcs8(const guint8 *data, GError **error) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Compiled without crypto support.")); return FALSE; } @@ -97,8 +96,8 @@ gboolean _nm_crypto_randomize(void *buffer, gsize buffer_len, GError **error) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_FAILED, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_FAILED, _("Compiled without crypto support.")); return FALSE; } diff --git a/src/libnm-core-impl/nm-crypto.c b/src/libnm-core-impl/nm-crypto.c index d081f49728..f612b5f3fe 100644 --- a/src/libnm-core-impl/nm-crypto.c +++ b/src/libnm-core-impl/nm-crypto.c @@ -16,7 +16,8 @@ #include "libnm-glib-aux/nm-io-utils.h" #include "nm-crypto-impl.h" -#include "nm-errors.h" + +/*****************************************************************************/ #define PEM_RSA_KEY_BEGIN "-----BEGIN RSA PRIVATE KEY-----" #define PEM_RSA_KEY_END "-----END RSA PRIVATE KEY-----" @@ -202,8 +203,8 @@ parse_old_openssl_key_file(const guint8 *data, end_tag = PEM_DSA_KEY_END; } else { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("PEM key file had no start tag")); return FALSE; } @@ -211,8 +212,8 @@ parse_old_openssl_key_file(const guint8 *data, start += strlen(start_tag); if (!find_tag(end_tag, data, data_len, start, &end)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("PEM key file had no end tag '%s'."), end_tag); return FALSE; @@ -239,8 +240,8 @@ parse_old_openssl_key_file(const guint8 *data, if (!strncmp(p, PROC_TYPE_TAG, strlen(PROC_TYPE_TAG))) { if (enc_tags++ != 0 || str_p != str) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: Proc-Type was not first tag.")); return FALSE; } @@ -248,8 +249,8 @@ parse_old_openssl_key_file(const guint8 *data, p += strlen(PROC_TYPE_TAG); if (strcmp(p, "4,ENCRYPTED")) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: unknown Proc-Type tag '%s'."), p); return FALSE; @@ -261,8 +262,8 @@ parse_old_openssl_key_file(const guint8 *data, if (enc_tags++ != 1 || str_p != str) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: DEK-Info was not the second tag.")); return FALSE; } @@ -273,8 +274,8 @@ parse_old_openssl_key_file(const guint8 *data, comma = strchr(p, ','); if (!comma || (*(comma + 1) == '\0')) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: no IV found in DEK-Info tag.")); return FALSE; } @@ -282,8 +283,8 @@ parse_old_openssl_key_file(const guint8 *data, comma++; if (!g_ascii_isxdigit(*comma)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: invalid format of IV in DEK-Info tag.")); return FALSE; } @@ -294,8 +295,8 @@ parse_old_openssl_key_file(const guint8 *data, cipher_info = nm_crypto_cipher_get_info_by_name(p, p_len); if (!cipher_info) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Malformed PEM file: unknown private key cipher '%s'."), p); return FALSE; @@ -304,8 +305,8 @@ parse_old_openssl_key_file(const guint8 *data, } else { if (enc_tags == 1) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, "Malformed PEM file: both Proc-Type and DEK-Info tags are required."); return FALSE; } @@ -317,8 +318,8 @@ parse_old_openssl_key_file(const guint8 *data, parsed.bin = (guint8 *) g_base64_decode(str, &parsed.len); if (!parsed.bin || parsed.len == 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Could not decode private key.")); nm_secret_ptr_clear(&parsed); return FALSE; @@ -359,8 +360,8 @@ parse_pkcs8_key_file(const guint8 *data, encrypted = FALSE; } else { g_set_error_literal(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to find expected PKCS#8 start tag.")); return FALSE; } @@ -368,8 +369,8 @@ parse_pkcs8_key_file(const guint8 *data, start += strlen(start_tag); if (!find_tag(end_tag, data, data_len, start, &end)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to find expected PKCS#8 end tag '%s'."), end_tag); return FALSE; @@ -381,8 +382,8 @@ parse_pkcs8_key_file(const guint8 *data, parsed->bin = (guint8 *) g_base64_decode(der_base64, &parsed->len); if (!parsed->bin || parsed->len == 0) { g_set_error_literal(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to decode PKCS#8 private key.")); nm_secret_ptr_clear(parsed); return FALSE; @@ -411,8 +412,8 @@ parse_tpm2_wrapped_key_file(const guint8 *data, end_tag = PEM_TPM2_OLD_WRAPPED_KEY_END; } else { g_set_error_literal(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to find expected TSS start tag.")); return FALSE; } @@ -420,8 +421,8 @@ parse_tpm2_wrapped_key_file(const guint8 *data, start += strlen(start_tag); if (!find_tag(end_tag, data, data_len, start, &end)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to find expected TSS end tag '%s'."), end_tag); return FALSE; @@ -475,8 +476,8 @@ _nmtst_convert_iv(const char *src, gsize *out_len, GError **error) num = strlen(src); if (num == 0 || (num % 2) != 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("IV must be an even number of bytes in length.")); return NULL; } @@ -492,8 +493,8 @@ _nmtst_convert_iv(const char *src, gsize *out_len, GError **error) if (((c0 = nm_utils_hexchar_to_int(*(src++))) < 0) || ((c1 = nm_utils_hexchar_to_int(*(src++))) < 0)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("IV contains non-hexadecimal digits.")); nm_explicit_bzero(c, i); return FALSE; @@ -568,8 +569,8 @@ _nmtst_decrypt_key(NMCryptoCipherType cipher, if (bin_iv.len < 8) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("IV must contain at least 8 characters")); return FALSE; } @@ -618,8 +619,8 @@ nmtst_crypto_decrypt_openssl_private_key_data(const guint8 *data, if (!parse_old_openssl_key_file(data, data_len, &parsed, &key_type, &cipher, &iv, NULL)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Unable to determine private key type.")); return NULL; } @@ -631,8 +632,8 @@ nmtst_crypto_decrypt_openssl_private_key_data(const guint8 *data, if (cipher == NM_CRYPTO_CIPHER_UNKNOWN || !iv) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_PASSWORD, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_PASSWORD, _("Password provided, but key was not encrypted.")); return NULL; } @@ -687,8 +688,8 @@ extract_pem_cert_data(const guint8 *contents, if (!find_tag(PEM_CERT_BEGIN, contents, contents_len, 0, &start)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("PEM certificate had no start tag '%s'."), PEM_CERT_BEGIN); return FALSE; @@ -697,8 +698,8 @@ extract_pem_cert_data(const guint8 *contents, start += strlen(PEM_CERT_BEGIN); if (!find_tag(PEM_CERT_END, contents, contents_len, start, &end)) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("PEM certificate had no end tag '%s'."), PEM_CERT_END); return FALSE; @@ -710,8 +711,8 @@ extract_pem_cert_data(const guint8 *contents, out_cert->bin = (guint8 *) g_base64_decode(der_base64, &out_cert->len); if (!out_cert->bin || !out_cert->len) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to decode certificate.")); nm_secret_ptr_clear(out_cert); return FALSE; @@ -739,8 +740,8 @@ nm_crypto_load_and_verify_certificate(const char *file, if (contents.len == 0) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Certificate file is empty")); goto out; } @@ -772,8 +773,8 @@ nm_crypto_load_and_verify_certificate(const char *file, } g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Failed to recognize certificate")); out: @@ -790,8 +791,8 @@ nm_crypto_is_pkcs12_data(const guint8 *data, gsize data_len, GError **error) if (!data_len) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("Certificate file is empty")); return FALSE; } @@ -805,7 +806,7 @@ nm_crypto_is_pkcs12_data(const guint8 *data, gsize data_len, GError **error) if (success == FALSE) { /* If the error was just a decryption error, then it's pkcs#12 */ if (local) { - if (g_error_matches(local, NM_CRYPTO_ERROR, NM_CRYPTO_ERROR_DECRYPTION_FAILED)) { + if (g_error_matches(local, _NM_CRYPTO_ERROR, _NM_CRYPTO_ERROR_DECRYPTION_FAILED)) { success = TRUE; g_error_free(local); } else @@ -880,8 +881,8 @@ nm_crypto_verify_private_key_data(const guint8 *data, if (format == NM_CRYPTO_FILE_FORMAT_UNKNOWN && error && !*error) { g_set_error(error, - NM_CRYPTO_ERROR, - NM_CRYPTO_ERROR_INVALID_DATA, + _NM_CRYPTO_ERROR, + _NM_CRYPTO_ERROR_INVALID_DATA, _("not a valid private key")); } diff --git a/src/libnm-core-impl/nm-errors.c b/src/libnm-core-impl/nm-errors.c index ea4ca5e9e6..fad854bc2d 100644 --- a/src/libnm-core-impl/nm-errors.c +++ b/src/libnm-core-impl/nm-errors.c @@ -12,12 +12,24 @@ NM_CACHED_QUARK_FCN("nm-agent-manager-error-quark", nm_agent_manager_error_quark); NM_CACHED_QUARK_FCN("nm-connection-error-quark", nm_connection_error_quark); -NM_CACHED_QUARK_FCN("nm-crypto-error-quark", nm_crypto_error_quark); NM_CACHED_QUARK_FCN("nm-device-error-quark", nm_device_error_quark); NM_CACHED_QUARK_FCN("nm-secret-agent-error-quark", nm_secret_agent_error_quark); NM_CACHED_QUARK_FCN("nm-settings-error-quark", nm_settings_error_quark); NM_CACHED_QUARK_FCN("nm-vpn-plugin-error-quark", nm_vpn_plugin_error_quark); +GQuark +nm_crypto_error_quark(void) +{ + G_STATIC_ASSERT(NM_CRYPTO_ERROR_FAILED == _NM_CRYPTO_ERROR_FAILED); + G_STATIC_ASSERT(NM_CRYPTO_ERROR_INVALID_DATA == _NM_CRYPTO_ERROR_INVALID_DATA); + G_STATIC_ASSERT(NM_CRYPTO_ERROR_INVALID_PASSWORD == _NM_CRYPTO_ERROR_INVALID_PASSWORD); + G_STATIC_ASSERT(NM_CRYPTO_ERROR_UNKNOWN_CIPHER == _NM_CRYPTO_ERROR_UNKNOWN_CIPHER); + G_STATIC_ASSERT(NM_CRYPTO_ERROR_DECRYPTION_FAILED == _NM_CRYPTO_ERROR_DECRYPTION_FAILED); + G_STATIC_ASSERT(NM_CRYPTO_ERROR_ENCRYPTION_FAILED == _NM_CRYPTO_ERROR_ENCRYPTION_FAILED); + + return _nm_crypto_error_quark(); +} + static void register_error_domain(GQuark domain, const char *interface, GType enum_type) { diff --git a/src/libnm-core-impl/tests/test-crypto.c b/src/libnm-core-impl/tests/test-crypto.c index 6a6e7fbc80..8ff250cdce 100644 --- a/src/libnm-core-impl/tests/test-crypto.c +++ b/src/libnm-core-impl/tests/test-crypto.c @@ -399,6 +399,23 @@ test_md5(void) } } +/*****************************************************************************/ + +static void +test_crypto_error(void) +{ + G_STATIC_ASSERT(NM_CRYPTO_ERROR_FAILED == _NM_CRYPTO_ERROR_FAILED); + G_STATIC_ASSERT(NM_CRYPTO_ERROR_INVALID_DATA == _NM_CRYPTO_ERROR_INVALID_DATA); + G_STATIC_ASSERT(NM_CRYPTO_ERROR_INVALID_PASSWORD == _NM_CRYPTO_ERROR_INVALID_PASSWORD); + G_STATIC_ASSERT(NM_CRYPTO_ERROR_UNKNOWN_CIPHER == _NM_CRYPTO_ERROR_UNKNOWN_CIPHER); + G_STATIC_ASSERT(NM_CRYPTO_ERROR_DECRYPTION_FAILED == _NM_CRYPTO_ERROR_DECRYPTION_FAILED); + G_STATIC_ASSERT(NM_CRYPTO_ERROR_ENCRYPTION_FAILED == _NM_CRYPTO_ERROR_ENCRYPTION_FAILED); + + g_assert_cmpint(NM_CRYPTO_ERROR, ==, _NM_CRYPTO_ERROR); +} + +/*****************************************************************************/ + NMTST_DEFINE(); int @@ -448,6 +465,7 @@ main(int argc, char **argv) g_test_add_data_func("/libnm/crypto/PKCS#8", "pkcs8-enc-key.pem, 1234567890", test_pkcs8); g_test_add_func("/libnm/crypto/md5", test_md5); + g_test_add_func("/libnm/crypto/error", test_crypto_error); ret = g_test_run(); |