summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--libnm-core/crypto.c47
-rw-r--r--libnm-core/crypto.h24
-rw-r--r--libnm-core/crypto_gnutls.c49
-rw-r--r--libnm-core/crypto_nss.c65
4 files changed, 84 insertions, 101 deletions
diff --git a/libnm-core/crypto.c b/libnm-core/crypto.c
index 2cc671c7df..e28415705c 100644
--- a/libnm-core/crypto.c
+++ b/libnm-core/crypto.c
@@ -117,12 +117,7 @@ parse_old_openssl_key_file (const guint8 *data,
end_tag = PEM_DSA_KEY_END;
break;
default:
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE,
- "Unknown key type %d",
- key_type);
g_assert_not_reached ();
- return NULL;
}
if (!find_tag (start_tag, data, data_len, 0, &start))
@@ -131,7 +126,7 @@ parse_old_openssl_key_file (const guint8 *data,
start += strlen (start_tag);
if (!find_tag (end_tag, data, data_len, start, &end)) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("PEM key file had no end tag '%s'."),
end_tag);
goto parse_error;
@@ -144,7 +139,7 @@ parse_old_openssl_key_file (const guint8 *data,
if (!lines || g_strv_length (lines) <= 1) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Doesn't look like a PEM private key file."));
goto parse_error;
}
@@ -161,7 +156,7 @@ parse_old_openssl_key_file (const guint8 *data,
if (!strncmp (p, PROC_TYPE_TAG, strlen (PROC_TYPE_TAG))) {
if (enc_tags++ != 0) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: Proc-Type was not first tag."));
goto parse_error;
}
@@ -169,7 +164,7 @@ parse_old_openssl_key_file (const guint8 *data,
p += strlen (PROC_TYPE_TAG);
if (strcmp (p, "4,ENCRYPTED")) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: unknown Proc-Type tag '%s'."),
p);
goto parse_error;
@@ -179,7 +174,7 @@ parse_old_openssl_key_file (const guint8 *data,
if (enc_tags++ != 1) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: DEK-Info was not the second tag."));
goto parse_error;
}
@@ -190,14 +185,14 @@ parse_old_openssl_key_file (const guint8 *data,
comma = strchr (p, ',');
if (!comma || (*(comma + 1) == '\0')) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: no IV found in DEK-Info tag."));
goto parse_error;
}
*comma++ = '\0';
if (!g_ascii_isxdigit (*comma)) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: invalid format of IV in DEK-Info tag."));
goto parse_error;
}
@@ -212,7 +207,7 @@ parse_old_openssl_key_file (const guint8 *data,
cipher = g_strdup (p);
} else {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Malformed PEM file: unknown private key cipher '%s'."),
p);
goto parse_error;
@@ -220,7 +215,7 @@ parse_old_openssl_key_file (const guint8 *data,
} else {
if ((enc_tags != 0) && (enc_tags != 2)) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
"Malformed PEM file: both Proc-Type and DEK-Info tags are required.");
goto parse_error;
}
@@ -231,7 +226,7 @@ parse_old_openssl_key_file (const guint8 *data,
tmp = g_base64_decode (str->str, &tmp_len);
if (tmp == NULL || !tmp_len) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_DECODE_FAILED,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Could not decode private key."));
goto parse_error;
}
@@ -284,7 +279,7 @@ parse_pkcs8_key_file (const guint8 *data,
encrypted = FALSE;
} else {
g_set_error_literal (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Failed to find expected PKCS#8 start tag."));
return NULL;
}
@@ -292,7 +287,7 @@ parse_pkcs8_key_file (const guint8 *data,
start += strlen (start_tag);
if (!find_tag (end_tag, data, data_len, start, &end)) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Failed to find expected PKCS#8 end tag '%s'."),
end_tag);
return NULL;
@@ -311,7 +306,7 @@ parse_pkcs8_key_file (const guint8 *data,
*out_encrypted = encrypted;
} else {
g_set_error_literal (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_DECODE_FAILED,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Failed to decode PKCS#8 private key."));
}
@@ -353,7 +348,7 @@ convert_iv (const char *src,
num = strlen (src);
if (num % 2) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_RAW_IV_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("IV must be an even number of bytes in length."));
return NULL;
}
@@ -367,7 +362,7 @@ convert_iv (const char *src,
conv[1] = src[(i * 2) + 1];
if (!g_ascii_isxdigit (conv[0]) || !g_ascii_isxdigit (conv[1])) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_RAW_IV_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("IV contains non-hexadecimal digits."));
goto error;
}
@@ -407,7 +402,7 @@ make_des_aes_key (const char *cipher,
digest_len = 16;
else {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_UNKNOWN_CIPHER,
+ NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
@@ -519,7 +514,7 @@ crypto_decrypt_private_key_data (const guint8 *data,
if (!parsed) {
g_clear_error (error);
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Unable to determine private key type."));
}
}
@@ -576,7 +571,7 @@ extract_pem_cert_data (GByteArray *contents, GError **error)
if (!find_tag (PEM_CERT_BEGIN, contents->data, contents->len, 0, &start)) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("PEM certificate had no start tag '%s'."),
PEM_CERT_BEGIN);
goto done;
@@ -585,7 +580,7 @@ extract_pem_cert_data (GByteArray *contents, GError **error)
start += strlen (PEM_CERT_BEGIN);
if (!find_tag (PEM_CERT_END, contents->data, contents->len, start, &end)) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("PEM certificate had no end tag '%s'."),
PEM_CERT_END);
goto done;
@@ -603,7 +598,7 @@ extract_pem_cert_data (GByteArray *contents, GError **error)
g_assert (cert->len == length);
} else {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_DECODE_FAILED,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Failed to decode certificate."));
}
@@ -668,7 +663,7 @@ crypto_is_pkcs12_data (const guint8 *data,
if (success == FALSE) {
/* If the error was just a decryption error, then it's pkcs#12 */
if (error) {
- if (g_error_matches (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED))
+ if (g_error_matches (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERROR_DECRYPTION_FAILED))
success = TRUE;
g_error_free (error);
}
diff --git a/libnm-core/crypto.h b/libnm-core/crypto.h
index a530080ec6..67abbdade3 100644
--- a/libnm-core/crypto.h
+++ b/libnm-core/crypto.h
@@ -32,24 +32,12 @@
#define CIPHER_AES_CBC "AES-128-CBC"
enum {
- NM_CRYPTO_ERR_NONE = 0,
- NM_CRYPTO_ERR_INIT_FAILED,
- NM_CRYPTO_ERR_CANT_READ_FILE,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
- NM_CRYPTO_ERR_CERT_FORMAT_INVALID,
- NM_CRYPTO_ERR_DECODE_FAILED,
- NM_CRYPTO_ERR_OUT_OF_MEMORY,
- NM_CRYPTO_ERR_UNKNOWN_KEY_TYPE,
- NM_CRYPTO_ERR_UNKNOWN_CIPHER,
- NM_CRYPTO_ERR_RAW_IV_INVALID,
- NM_CRYPTO_ERR_MD5_INIT_FAILED,
- NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
- NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
- NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
- NM_CRYPTO_ERR_INVALID_PASSWORD,
- NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED,
- NM_CRYPTO_ERR_RANDOMIZE_FAILED
+ NM_CRYPTO_ERROR_FAILED = 0,
+ NM_CRYPTO_ERROR_INVALID_DATA,
+ NM_CRYPTO_ERROR_INVALID_PASSWORD,
+ NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
+ NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
};
typedef enum {
diff --git a/libnm-core/crypto_gnutls.c b/libnm-core/crypto_gnutls.c
index e79d4fd3e2..8114d28fbf 100644
--- a/libnm-core/crypto_gnutls.c
+++ b/libnm-core/crypto_gnutls.c
@@ -44,10 +44,9 @@ crypto_init (GError **error)
if (gnutls_global_init() != 0) {
gnutls_global_deinit();
- g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_INIT_FAILED,
- "%s",
- _("Failed to initialize the crypto engine."));
+ g_set_error_literal (error, NM_CRYPTO_ERROR,
+ NM_CRYPTO_ERROR_FAILED,
+ _("Failed to initialize the crypto engine."));
return FALSE;
}
@@ -88,7 +87,7 @@ crypto_md5_hash (const char *salt,
err = gcry_md_open (&ctx, GCRY_MD_MD5, 0);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_MD5_INIT_FAILED,
+ NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the MD5 engine: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
return FALSE;
@@ -147,7 +146,7 @@ crypto_decrypt (const char *cipher,
real_iv_len = 16;
} else {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_UNKNOWN_CIPHER,
+ NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
@@ -155,7 +154,7 @@ crypto_decrypt (const char *cipher,
if (iv_len < real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_RAW_IV_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Invalid IV length (must be at least %zd)."),
real_iv_len);
return NULL;
@@ -166,7 +165,7 @@ crypto_decrypt (const char *cipher,
err = gcry_cipher_open (&ctx, cipher_mech, GCRY_CIPHER_MODE_CBC, 0);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to initialize the decryption cipher context: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@@ -175,7 +174,7 @@ crypto_decrypt (const char *cipher,
err = gcry_cipher_setkey (ctx, key, key_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to set symmetric key for decryption: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@@ -184,7 +183,7 @@ crypto_decrypt (const char *cipher,
err = gcry_cipher_setiv (ctx, iv, iv_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to set IV for decryption: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@@ -193,7 +192,7 @@ crypto_decrypt (const char *cipher,
err = gcry_cipher_decrypt (ctx, output, data_len, data, data_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@@ -203,7 +202,7 @@ crypto_decrypt (const char *cipher,
/* Check if the padding at the end of the decrypted data is valid */
if (pad_len == 0 || pad_len > real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key: unexpected padding length."));
goto out;
}
@@ -214,7 +213,7 @@ crypto_decrypt (const char *cipher,
for (i = 1; i <= pad_len; ++i) {
if (output[data_len - i] != pad_len) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key."));
goto out;
}
@@ -265,7 +264,7 @@ crypto_encrypt (const char *cipher,
salt_len = iv_len;
} else {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_UNKNOWN_CIPHER,
+ NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
@@ -287,7 +286,7 @@ crypto_encrypt (const char *cipher,
err = gcry_cipher_open (&ctx, cipher_mech, GCRY_CIPHER_MODE_CBC, 0);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
+ NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to initialize the encryption cipher context: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@@ -296,7 +295,7 @@ crypto_encrypt (const char *cipher,
err = gcry_cipher_setkey (ctx, key, key_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
+ NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to set symmetric key for encryption: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@@ -306,7 +305,7 @@ crypto_encrypt (const char *cipher,
err = gcry_cipher_setiv (ctx, iv, salt_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
+ NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to set IV for encryption: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@@ -315,7 +314,7 @@ crypto_encrypt (const char *cipher,
err = gcry_cipher_encrypt (ctx, output, output_len, padded_buf, padded_buf_len);
if (err) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to encrypt the data: %s / %s."),
gcry_strsource (err), gcry_strerror (err));
goto out;
@@ -355,7 +354,7 @@ crypto_verify_cert (const unsigned char *data,
err = gnutls_x509_crt_init (&der);
if (err < 0) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CERT_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Error initializing certificate data: %s"),
gnutls_strerror (err));
return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
@@ -377,7 +376,7 @@ crypto_verify_cert (const unsigned char *data,
return NM_CRYPTO_FILE_FORMAT_X509;
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CERT_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode certificate: %s"),
gnutls_strerror (err));
return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
@@ -402,7 +401,7 @@ crypto_verify_pkcs12 (const guint8 *data,
err = gnutls_pkcs12_init (&p12);
if (err < 0) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_DECODE_FAILED,
+ NM_CRYPTO_ERROR_FAILED,
_("Couldn't initialize PKCS#12 decoder: %s"),
gnutls_strerror (err));
return FALSE;
@@ -415,7 +414,7 @@ crypto_verify_pkcs12 (const guint8 *data,
err = gnutls_pkcs12_import (p12, &dt, GNUTLS_X509_FMT_PEM, 0);
if (err < 0) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode PKCS#12 file: %s"),
gnutls_strerror (err));
goto out;
@@ -427,7 +426,7 @@ crypto_verify_pkcs12 (const guint8 *data,
success = TRUE;
else {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Couldn't verify PKCS#12 file: %s"),
gnutls_strerror (err));
}
@@ -456,7 +455,7 @@ crypto_verify_pkcs8 (const guint8 *data,
err = gnutls_x509_privkey_init (&p8);
if (err < 0) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_DECODE_FAILED,
+ NM_CRYPTO_ERROR_FAILED,
_("Couldn't initialize PKCS#8 decoder: %s"),
gnutls_strerror (err));
return FALSE;
@@ -479,7 +478,7 @@ crypto_verify_pkcs8 (const guint8 *data,
*/
} else {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode PKCS#8 file: %s"),
gnutls_strerror (err));
return FALSE;
diff --git a/libnm-core/crypto_nss.c b/libnm-core/crypto_nss.c
index cc6418f452..e2fbd4fed4 100644
--- a/libnm-core/crypto_nss.c
+++ b/libnm-core/crypto_nss.c
@@ -52,7 +52,7 @@ crypto_init (GError **error)
ret = NSS_NoDB_Init (NULL);
if (ret != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_INIT_FAILED,
+ NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the crypto engine: %d."),
PR_GetError ());
PR_Cleanup ();
@@ -103,7 +103,7 @@ crypto_md5_hash (const char *salt,
ctx = PK11_CreateDigestContext (SEC_OID_MD5);
if (!ctx) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_MD5_INIT_FAILED,
+ NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the MD5 context: %d."),
PORT_GetError ());
return FALSE;
@@ -167,7 +167,7 @@ crypto_decrypt (const char *cipher,
real_iv_len = 16;
} else {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_UNKNOWN_CIPHER,
+ NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
@@ -175,7 +175,7 @@ crypto_decrypt (const char *cipher,
if (iv_len < real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_RAW_IV_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Invalid IV length (must be at least %d)."),
real_iv_len);
return NULL;
@@ -186,7 +186,7 @@ crypto_decrypt (const char *cipher,
slot = PK11_GetBestSlot (cipher_mech, NULL);
if (!slot) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
+ NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the decryption cipher slot."));
goto out;
}
@@ -196,7 +196,7 @@ crypto_decrypt (const char *cipher,
sym_key = PK11_ImportSymKey (slot, cipher_mech, PK11_OriginUnwrap, CKA_DECRYPT, &key_item, NULL);
if (!sym_key) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to set symmetric key for decryption."));
goto out;
}
@@ -206,7 +206,7 @@ crypto_decrypt (const char *cipher,
sec_param = PK11_ParamFromIV (cipher_mech, &key_item);
if (!sec_param) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to set IV for decryption."));
goto out;
}
@@ -214,7 +214,7 @@ crypto_decrypt (const char *cipher,
ctx = PK11_CreateContextBySymKey (cipher_mech, CKA_DECRYPT, sym_key, sec_param);
if (!ctx) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to initialize the decryption context."));
goto out;
}
@@ -227,7 +227,7 @@ crypto_decrypt (const char *cipher,
data_len);
if (s != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key: %d."),
PORT_GetError ());
goto out;
@@ -235,7 +235,7 @@ crypto_decrypt (const char *cipher,
if (decrypted_len > data_len) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key: decrypted data too large."));
goto out;
}
@@ -246,7 +246,7 @@ crypto_decrypt (const char *cipher,
data_len - decrypted_len);
if (s != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to finalize decryption of the private key: %d."),
PORT_GetError ());
goto out;
@@ -257,7 +257,7 @@ crypto_decrypt (const char *cipher,
/* Check if the padding at the end of the decrypted data is valid */
if (pad_len == 0 || pad_len > real_iv_len) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key: unexpected padding length."));
goto out;
}
@@ -268,7 +268,7 @@ crypto_decrypt (const char *cipher,
for (i = pad_len; i > 0; i--) {
if (output[data_len - i] != pad_len) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Failed to decrypt the private key."));
goto out;
}
@@ -329,7 +329,7 @@ crypto_encrypt (const char *cipher,
cipher_mech = CKM_AES_CBC_PAD;
else {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_UNKNOWN_CIPHER,
+ NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
_("Private key cipher '%s' was unknown."),
cipher);
return NULL;
@@ -351,7 +351,7 @@ crypto_encrypt (const char *cipher,
slot = PK11_GetBestSlot (cipher_mech, NULL);
if (!slot) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
+ NM_CRYPTO_ERROR_FAILED,
_("Failed to initialize the encryption cipher slot."));
goto out;
}
@@ -359,7 +359,7 @@ crypto_encrypt (const char *cipher,
sym_key = PK11_ImportSymKey (slot, cipher_mech, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, NULL);
if (!sym_key) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_SET_KEY_FAILED,
+ NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to set symmetric key for encryption."));
goto out;
}
@@ -367,7 +367,7 @@ crypto_encrypt (const char *cipher,
sec_param = PK11_ParamFromIV (cipher_mech, &iv_item);
if (!sec_param) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_SET_IV_FAILED,
+ NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to set IV for encryption."));
goto out;
}
@@ -375,7 +375,7 @@ crypto_encrypt (const char *cipher,
ctx = PK11_CreateContextBySymKey (cipher_mech, CKA_ENCRYPT, sym_key, sec_param);
if (!ctx) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_INIT_FAILED,
+ NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to initialize the encryption context."));
goto out;
}
@@ -383,7 +383,7 @@ crypto_encrypt (const char *cipher,
ret = PK11_CipherOp (ctx, output, &encrypted_len, output_len, padded_buf, padded_buf_len);
if (ret != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED,
+ NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Failed to encrypt: %d."),
PORT_GetError ());
goto out;
@@ -391,7 +391,7 @@ crypto_encrypt (const char *cipher,
if (encrypted_len != output_len) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_ENCRYPT_FAILED,
+ NM_CRYPTO_ERROR_ENCRYPTION_FAILED,
_("Unexpected amount of data after encrypting."));
goto out;
}
@@ -431,7 +431,7 @@ crypto_verify_cert (const unsigned char *data,
cert = CERT_DecodeCertFromPackage ((char *) data, len);
if (!cert) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CERT_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode certificate: %d"),
PORT_GetError());
return NM_CRYPTO_FILE_FORMAT_UNKNOWN;
@@ -451,7 +451,7 @@ crypto_verify_pkcs12 (const guint8 *data,
SECItem pw = { 0 };
PK11SlotInfo *slot = NULL;
SECStatus s;
- char *ucs2_password;
+ gunichar2 *ucs2_password;
glong ucs2_chars = 0;
#ifndef WORDS_BIGENDIAN
guint16 *p;
@@ -463,15 +463,16 @@ crypto_verify_pkcs12 (const guint8 *data,
/* PKCS#12 passwords are apparently UCS2 BIG ENDIAN, and NSS doesn't do
* any conversions for us.
*/
- if (password && strlen (password)) {
- ucs2_password = (char *) g_utf8_to_utf16 (password, strlen (password), NULL, &ucs2_chars, NULL);
- if (!ucs2_password || !ucs2_chars) {
+ if (password && *password) {
+ if (!g_utf8_validate (password, -1, NULL)) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_INVALID_PASSWORD,
- _("Couldn't convert password to UCS2: %d"),
- PORT_GetError());
+ NM_CRYPTO_ERROR_INVALID_PASSWORD,
+ _("Password must be UTF-8"));
return FALSE;
}
+ ucs2_password = g_utf8_to_utf16 (password, strlen (password), NULL, &ucs2_chars, NULL);
+ /* Can't fail if g_utf8_validate() succeeded */
+ g_return_val_if_fail (ucs2_password != NULL && ucs2_chars != 0, FALSE);
ucs2_chars *= 2; /* convert # UCS2 characters -> bytes */
pw.data = PORT_ZAlloc(ucs2_chars + 2);
@@ -495,7 +496,7 @@ crypto_verify_pkcs12 (const guint8 *data,
p12ctx = SEC_PKCS12DecoderStart (&pw, slot, NULL, NULL, NULL, NULL, NULL, NULL);
if (!p12ctx) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_DECODE_FAILED,
+ NM_CRYPTO_ERROR_FAILED,
_("Couldn't initialize PKCS#12 decoder: %d"),
PORT_GetError());
goto error;
@@ -504,7 +505,7 @@ crypto_verify_pkcs12 (const guint8 *data,
s = SEC_PKCS12DecoderUpdate (p12ctx, (guint8 *)data, data_len);
if (s != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_FILE_FORMAT_INVALID,
+ NM_CRYPTO_ERROR_INVALID_DATA,
_("Couldn't decode PKCS#12 file: %d"),
PORT_GetError());
goto error;
@@ -513,7 +514,7 @@ crypto_verify_pkcs12 (const guint8 *data,
s = SEC_PKCS12DecoderVerify (p12ctx);
if (s != SECSuccess) {
g_set_error (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_CIPHER_DECRYPT_FAILED,
+ NM_CRYPTO_ERROR_DECRYPTION_FAILED,
_("Couldn't verify PKCS#12 file: %d"),
PORT_GetError());
goto error;
@@ -558,7 +559,7 @@ crypto_randomize (void *buffer, gsize buffer_len, GError **error)
s = PK11_GenerateRandom (buffer, buffer_len);
if (s != SECSuccess) {
g_set_error_literal (error, NM_CRYPTO_ERROR,
- NM_CRYPTO_ERR_RANDOMIZE_FAILED,
+ NM_CRYPTO_ERROR_FAILED,
_("Could not generate random data."));
return FALSE;
}