mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager
synced 2024-10-02 22:38:01 +00:00
crypto: don't try to decrypt PKCS#8 key if no password is supplied
crypto_verify_private_key_data() must try to decrypt the key only when a password is supplied. Previously the decrypt test always passed because we detected an unsupported cipher and faked success. Now since version 3.5.4 gnutls supports PBES1-DES-CBC-MD5 and the key is actually decrypted when a password is supplied. Also, don't assert that a wrong password works because we're now able to actually verify it (only with recent gnutls). https://bugzilla.gnome.org/show_bug.cgi?id=771623
This commit is contained in:
parent
93a753e311
commit
0e96d23733
|
@ -712,7 +712,7 @@ crypto_verify_private_key_data (const guint8 *data,
|
|||
/* Maybe it's PKCS#8 */
|
||||
tmp = parse_pkcs8_key_file (data, data_len, &is_encrypted, NULL);
|
||||
if (tmp) {
|
||||
if (crypto_verify_pkcs8 (tmp->data, tmp->len, is_encrypted, password, error))
|
||||
if (!password || crypto_verify_pkcs8 (tmp->data, tmp->len, is_encrypted, password, error))
|
||||
format = NM_CRYPTO_FILE_FORMAT_RAW_KEY;
|
||||
} else {
|
||||
char *cipher, *iv;
|
||||
|
|
|
@ -394,7 +394,7 @@ crypto_verify_pkcs8 (const guint8 *data,
|
|||
|
||||
if (err < 0) {
|
||||
if (err == GNUTLS_E_UNKNOWN_CIPHER_TYPE) {
|
||||
/* HACK: gnutls doesn't support all the cipher types that openssl
|
||||
/* HACK: gnutls < 3.5.4 doesn't support all the cipher types that openssl
|
||||
* can use with PKCS#8, so if we encounter one, we have to assume
|
||||
* the given password works. gnutls needs to unsuckify, apparently.
|
||||
* Specifically, by default openssl uses pbeWithMD5AndDES-CBC
|
||||
|
|
|
@ -364,12 +364,11 @@ test_pkcs8 (gconstpointer test_data)
|
|||
password = parts[1];
|
||||
|
||||
test_is_pkcs12 (path, TRUE);
|
||||
test_load_pkcs8 (path, password, -1);
|
||||
/* Until gnutls and NSS grow support for all the ciphers that openssl
|
||||
* can use with PKCS#8, we can't actually verify the password. So we
|
||||
* expect a bad password to work for the time being.
|
||||
/* Note: NSS and gnutls < 3.5.4 don't support all the ciphers that openssl
|
||||
* can use with PKCS#8 and thus the password can't be actually verified with
|
||||
* such libraries.
|
||||
*/
|
||||
test_load_pkcs8 (path, "blahblahblah", -1);
|
||||
test_load_pkcs8 (path, password, -1);
|
||||
|
||||
g_free (path);
|
||||
g_strfreev (parts);
|
||||
|
|
|
@ -708,7 +708,7 @@ crypto_verify_private_key_data (const GByteArray *contents,
|
|||
/* Maybe it's PKCS#8 */
|
||||
tmp = parse_pkcs8_key_file (contents, &is_encrypted, error);
|
||||
if (tmp) {
|
||||
if (crypto_verify_pkcs8 (tmp, is_encrypted, password, error))
|
||||
if (!password || crypto_verify_pkcs8 (tmp, is_encrypted, password, error))
|
||||
format = NM_CRYPTO_FILE_FORMAT_RAW_KEY;
|
||||
} else {
|
||||
g_clear_error (error);
|
||||
|
|
|
@ -334,11 +334,6 @@ test_pkcs8 (gconstpointer test_data)
|
|||
|
||||
test_is_pkcs12 (path, TRUE, "not-pkcs12");
|
||||
test_load_pkcs8 (path, password, FALSE, "pkcs8-private-key");
|
||||
/* Until gnutls and NSS grow support for all the ciphers that openssl
|
||||
* can use with PKCS#8, we can't actually verify the password. So we
|
||||
* expect a bad password to work for the time being.
|
||||
*/
|
||||
test_load_pkcs8 (path, "blahblahblah", FALSE, "pkcs8-private-key-bad-password");
|
||||
|
||||
g_free (path);
|
||||
g_strfreev (parts);
|
||||
|
|
Loading…
Reference in a new issue