libnm-core: support private keys encrypted with AES-{192,256}-CBC

https://github.com/NetworkManager/NetworkManager/pull/189

Makefile.am

@@ -805,7 +805,8 @@ EXTRA_DIST += \
 	libnm-core/tests/certs/test2_ca_cert.pem \
 	libnm-core/tests/certs/test2-cert.p12 \
 	libnm-core/tests/certs/test2_key_and_cert.pem \
-	libnm-core/tests/certs/test-aes-key.pem \
+	libnm-core/tests/certs/test-aes-128-key.pem \
+	libnm-core/tests/certs/test-aes-256-key.pem \
 	libnm-core/tests/certs/test_ca_cert.der \
 	libnm-core/tests/certs/test_ca_cert.pem \
 	libnm-core/tests/certs/test-ca-cert.pem \

libnm-core/crypto.c

@@ -158,7 +158,13 @@ parse_old_openssl_key_file (const guint8 *data,
 				goto parse_error;
 			}
 		} else if (!strncmp (p, DEK_INFO_TAG, strlen (DEK_INFO_TAG))) {
+			static const char *const known_ciphers[] = { CIPHER_DES_EDE3_CBC,
+			                                             CIPHER_DES_CBC,
+			                                             CIPHER_AES_128_CBC,
+			                                             CIPHER_AES_192_CBC,
+			                                             CIPHER_AES_256_CBC };
 			char *comma;
+			guint i;
 
 			if (enc_tags++ != 1 || str->len != 0) {
 				g_set_error (error, NM_CRYPTO_ERROR,
@@ -187,13 +193,13 @@ parse_old_openssl_key_file (const guint8 *data,
 			iv = g_strdup (comma);
 
 			/* Get the private key cipher */
-			if (!strcasecmp (p, "DES-EDE3-CBC")) {
-				cipher = g_strdup (p);
-			} else if (!strcasecmp (p, "DES-CBC")) {
-				cipher = g_strdup (p);
-			} else if (!strcasecmp (p, "AES-128-CBC")) {
-				cipher = g_strdup (p);
-			} else {
+			for (i = 0; i < G_N_ELEMENTS (known_ciphers); i++) {
+				if (!g_ascii_strcasecmp (p, known_ciphers[i])) {
+					cipher = g_strdup (known_ciphers[i]);
+					break;
+				}
+			}
+			if (i == G_N_ELEMENTS (known_ciphers)) {
 				g_set_error (error, NM_CRYPTO_ERROR,
 				             NM_CRYPTO_ERROR_INVALID_DATA,
 				             _("Malformed PEM file: unknown private key cipher '%s'."),
@@ -383,12 +389,16 @@ crypto_make_des_aes_key (const char *cipher,
 	g_return_val_if_fail (password != NULL, NULL);
 	g_return_val_if_fail (out_len != NULL, NULL);
 
-	if (!strcmp (cipher, "DES-EDE3-CBC"))
+	if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
 		digest_len = 24;
-	else if (!strcmp (cipher, "DES-CBC"))
+	else if (!strcmp (cipher, CIPHER_DES_CBC))
 		digest_len = 8;
-	else if (!strcmp (cipher, "AES-128-CBC"))
+	else if (!strcmp (cipher, CIPHER_AES_128_CBC))
 		digest_len = 16;
+	else if (!strcmp (cipher, CIPHER_AES_192_CBC))
+		digest_len = 24;
+	else if (!strcmp (cipher, CIPHER_AES_256_CBC))
+		digest_len = 32;
 	else {
 		g_set_error (error, NM_CRYPTO_ERROR,
 		             NM_CRYPTO_ERROR_UNKNOWN_CIPHER,

libnm-core/crypto.h

@@ -30,8 +30,10 @@
 
 #define MD5_HASH_LEN 20
 #define CIPHER_DES_EDE3_CBC "DES-EDE3-CBC"
-#define CIPHER_DES_CBC "DES-CBC"
-#define CIPHER_AES_CBC "AES-128-CBC"
+#define CIPHER_DES_CBC      "DES-CBC"
+#define CIPHER_AES_128_CBC  "AES-128-CBC"
+#define CIPHER_AES_192_CBC  "AES-192-CBC"
+#define CIPHER_AES_256_CBC  "AES-256-CBC"
 
 typedef enum {
 	NM_CRYPTO_KEY_TYPE_UNKNOWN = 0,

libnm-core/crypto_gnutls.c

@@ -82,9 +82,15 @@ crypto_decrypt (const char *cipher,
 	} else if (!strcmp (cipher, CIPHER_DES_CBC)) {
 		cipher_mech = GNUTLS_CIPHER_DES_CBC;
 		real_iv_len = SALT_LEN;
-	} else if (!strcmp (cipher, CIPHER_AES_CBC)) {
+	} else if (!strcmp (cipher, CIPHER_AES_128_CBC)) {
 		cipher_mech = GNUTLS_CIPHER_AES_128_CBC;
 		real_iv_len = 16;
+	} else if (!strcmp (cipher, CIPHER_AES_192_CBC)) {
+		cipher_mech = GNUTLS_CIPHER_AES_192_CBC;
+		real_iv_len = 16;
+	} else if (!strcmp (cipher, CIPHER_AES_256_CBC)) {
+		cipher_mech = GNUTLS_CIPHER_AES_256_CBC;
+		real_iv_len = 16;
 	} else {
 		g_set_error (error, NM_CRYPTO_ERROR,
 		             NM_CRYPTO_ERROR_UNKNOWN_CIPHER,
@@ -189,8 +195,12 @@ crypto_encrypt (const char *cipher,
 
 	if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
 		cipher_mech = GNUTLS_CIPHER_3DES_CBC;
-	else if (!strcmp (cipher, CIPHER_AES_CBC))
+	else if (!strcmp (cipher, CIPHER_AES_128_CBC))
 		cipher_mech = GNUTLS_CIPHER_AES_128_CBC;
+	else if (!strcmp (cipher, CIPHER_AES_192_CBC))
+		cipher_mech = GNUTLS_CIPHER_AES_192_CBC;
+	else if (!strcmp (cipher, CIPHER_AES_256_CBC))
+		cipher_mech = GNUTLS_CIPHER_AES_256_CBC;
 	else {
 		g_set_error (error, NM_CRYPTO_ERROR,
 		             NM_CRYPTO_ERROR_UNKNOWN_CIPHER,

libnm-core/crypto_nss.c

@@ -103,7 +103,9 @@ crypto_decrypt (const char *cipher,
 	} else if (!strcmp (cipher, CIPHER_DES_CBC)) {
 		cipher_mech = CKM_DES_CBC_PAD;
 		real_iv_len = 8;
-	} else if (!strcmp (cipher, CIPHER_AES_CBC)) {
+	} else if (NM_IN_STRSET (cipher, CIPHER_AES_128_CBC,
+	                                 CIPHER_AES_192_CBC,
+	                                 CIPHER_AES_256_CBC)) {
 		cipher_mech = CKM_AES_CBC_PAD;
 		real_iv_len = 16;
 	} else {
@@ -269,7 +271,10 @@ crypto_encrypt (const char *cipher,
 
 	if (!strcmp (cipher, CIPHER_DES_EDE3_CBC))
 		cipher_mech = CKM_DES3_CBC_PAD;
-	else if (!strcmp (cipher, CIPHER_AES_CBC))
+	else if (NM_IN_STRSET (cipher,
+	                       CIPHER_AES_128_CBC,
+	                       CIPHER_AES_192_CBC,
+	                       CIPHER_AES_256_CBC))
 		cipher_mech = CKM_AES_CBC_PAD;
 	else {
 		g_set_error (error, NM_CRYPTO_ERROR,

libnm-core/tests/certs/test-aes-256-key.pem

@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,5FF6BD2D4E57E8933D4A6814DEF5305A
+
+9Br+xw6XOg7qUqfeE5PJ4g/PAm7eTcPMb4FzSKkaEosLo6oj4f37TwXuojJZeAmi
+1EytpqM1vdYHCLdjg+qYaTIq6mzMZIyoaREokcOhcNrq5S0J39gJLVV9LjiXhCAH
+GQgDBnbRT6HGz70AyTRLcW9aj6uBzTv/m92sLUw2txFeBXK8n2AA1oHJTgsFNYjf
+/ZvTCE1VMQHDPx31Vn5WXSUHNc0hx4MTIwpHqWI17ohr8IiWCs5HXVfVaqrNeNEw
+haD7fg8oNxjLs46/4dDWmfWXhDsMFSweZv03gZdyVjwn1IOqeVGmTdLpllfgOW7E
++XE8Y/d55s5nkOxu6eXNMtWgjclKBGr2iMxxnODmEsUt2WcV98cPS+25o3hOfy3s
+NIcfxtWVRFUtjqf3ragyGLuXFqATkj1slj4LVMeewRJ1g+Z6ti0mwBN+ZrYtKdec
+FRNb4zr5FW+3SqkIIJVfxJEYJDB4zODhMg8tySEHLKuT0uz42YQ4aoOHTzO5WDBY
+2BI7TjRppXcExPnkAk5jqbKA6BjT9KcAVyypfxDKvCeXKdjDcL6ISOBSm6cQBh8D
+HxsFzMy9PF6kKNeiNiEsVPnKYvhvs1hTBtp+IAgJ6KZnCDKplZFxo/mBAlV2KyCT
+x+Mhmme3fXdLJkvxlVJAoAhwgXvomVCVTGI3JhcQIqVgxPIKYpqlHVFC7JjG+yQX
+tvzCPtr9G9+Ofrm6zXjlDD7zNyl/KfFtEWhO2ePHkQlCEuKJnsnRIf/wQ0viG0yY
+MH31Z/84o2pKLBKY5fq8+eYuYoP9Rk4W2LpjGMvdkKhEHL26kZofeFyqD+JcaxHc
+kQh7/SbWAsREGb9Jp7I2q1mo749mse1oSFIQa5gN3jB0mgHZd6edRYeW2Up+rqEK
+k6Xd6uqs7bZd5W9sP7Cf6yJOFEjqFVLQEVEXWSchgeta/JNrjGr3UzLFN2S+vhvX
+XgDa41y2UdXHRqj2s864u0ZDPyGXYZnVbvQn/8xHQ7rvxHowpTn+XXUEf0AQnk3j
+9h++3McwP8GuVxkwc6o9TfOL+ell5jup7F3SekwEiE3hqY8x87g6X2zD5VSnfCy3
+0t0LmPGI1b3LABeYjA1WEdhoTlHrNLkwOR4gsudrJ5nxIzfGy+IHaloXLJy4YKfX
+pJ+qyGRUR42YD9IhiEmmmO1VoJgVEYfBiz50Jg8emddku6eKdmv9IKjiSb2pTbDS
+4oUYKg109OOn+krk67dNXofAXrBa8v7QusC0yz9N25H05Xyou1iqpGk+uBrTqEO6
+lW9lWQo57BQU9og40xMKH/xQgIxfQRktUKsPizj8mKil4izo5KgjPSqBeEbj+Q3c
+0FKlrpTXQlXfX5Z5esqMuCSiwQEzoJR+V+SUaSVcg1av0k/CJMin4Cr8roai+OjK
+lhaQIvx35Bzd02yERYsfpDjmQCXmIeiDm8JtB6znbQPUJ4d8kzWR+5ACOZW/dUss
+YhWJRkZpkIwTY+/sDU4mnP2R37MNo+OH4CwZyUDHjlkRPGW+6JBEpnnlI9a/1Vb1
+pjAGpi/8u/luvZGTzCzxQG2dZc5YQR869U+wFsFbLRiD0aP2SpdOH0QxxPOcdR8+
+HWyL01BJBKyK/wZWJhe+63zlk1L5CA0XYpoNkYpMlPNZkcqR7QzUOATfuBgI2aPM
+AXaweaAWhpPCDsc2RypIs9DhTiCCkt8tq8Au15hVUKAoshLeewPtv0t75MEC0hVB
+z6FVnNlqq0cqqcSVqvUG6JUGtFOGgG3ifEMXggq5k12+wGzY63DLR8dFPNpOL6/1
+nocOayHJIU9M8PP817PzhAUAePRRUKRg8kkbKKeZnCJxoF7O15AFVEJnl9Vyokkz
+bULYhzYVx3xh8THMi+5jsnKWPJyMeYHbHH3C658SIw6Ff9fgEWscv5ZkGYdKMg+l
+8hBn+++SoqIO+F3lOGco+s8qlYox106lUwJEtORXcBxmkaHSo/X2AVO8Owt4vYli
+mjWnY6V9vooBgOuCMcY780pcoj2lSf9JPHDYK0j8t5VumDUSLyLt+tCj0yv/vl5L
+9L++vbu2akZRC9ChijYpfhTvXoG36ePhoT7AGGnhpFjjw1VqG80GY4XSODKzH86w
+kUcZoErb8swUPYOtsybtuPb+6c/YofQ8GfpVosPZgSRD4+U7v+zA3/z8xF2B0xt6
+uV8hXbropuni8KmbFuKrPZK3p2v2aZ8F0+GITwS75/hbT6D7ruUSr5q4V0VKeE8G
+k3QSI0s6+74stPv3S/ByCxu8q51ffYqVw00wzPpEc4SmHEa0R7IczJKXupmDdZZM
+1rASSBNzS5TZDBXP6S7npYQ8nHhgXTdCFO7eM3bp24B/i2o0s7+gkKrz0DkEbv9I
+UrCJjTL8OIIP4qSLMILzZ8pB28c+zyM482ZqFY/2b7j6WlTiqa9P1adrD1gLxTQ0
+Sw9xY+sY3PAJqcnPA5NjDZL/h5plgHhCqDa9pEtdBVG2Mxcl9bXbphwD1MIzj4gr
+xtlW1HUJ/iOhFcXldOJ1MCt++Bm5av4mL5adQ/oUnL5Q0oZZFwqT09k7xe7lZ98N
+uj2Lfl8NN7N3ama9KatgbX5g6IALuk/rJN/4KEiiu24m+lR7c5L0pg/cG6LIFjmk
+HlTsc0ANCgeZBhDJ8kvjcXDhFOqoYE/+D2VO6ZEHRsDibQ+kjpaH+DiD01/gh0N0
+HM6GGtm3GbOyZUhw5OFz04xzcyFYo2xaqzgaZieAOcrt2s6XyPVf1gww08/HtTMR
+gLg14MUQvRXV6kPJfdu4OLZ//b6J0KnzVyLDRdOrWIj2raLWmKwQN9qv05/yskcD
+Y6x7wq3v6iZpFjDc53sslhwp2XRsoWT9X5alVspz8WvP/kqgkTdzpPFdp1vIovOQ
+kRXdzzKICDGDJUIcTL8cJ3Dv4XqNR/sVyuB4dfndzQQApbdYTDNpwX0VJDBjMkQy
+Up6aiUknxa6Cbp7b1ZfUQY8yNBAIZL+R8dmobT3nAHW61DaASHSxn+elCD2Ja/6b
+EiWikskyN6crMAv35ILr5ySsZK97ttNNmRoGFbt8bTjRd83Ie+UfH445kCKsY83x
+aDCvWm+bbV6M9rSgjhJ3bWOudiw+EBMGvSamSnS7CYnRmwq4t+4bM2sh2nYKY0qw
+-----END RSA PRIVATE KEY-----

libnm-core/tests/test-crypto.c

@@ -476,8 +476,11 @@ main (int argc, char **argv)
 	g_test_add_data_func ("/libnm/crypto/key/padding-8",
 	                      "test2_key_and_cert.pem, 12345testing",
 	                      test_key);
-	g_test_add_data_func ("/libnm/crypto/key/aes",
-	                      "test-aes-key.pem, test-aes-password",
+	g_test_add_data_func ("/libnm/crypto/key/aes-128",
+	                      "test-aes-128-key.pem, test-aes-password",
+	                      test_key);
+	g_test_add_data_func ("/libnm/crypto/key/aes-256",
+	                      "test-aes-256-key.pem, test-aes-password",
 	                      test_key);
 	g_test_add_data_func ("/libnm/crypto/key/decrypted",
 	                      "test-key-only-decrypted.pem",

libnm-util/tests/test-crypto.c

@@ -383,8 +383,8 @@ main (int argc, char **argv)
 	g_test_add_data_func ("/libnm/crypto/key/padding-8",
 	                      "test2_key_and_cert.pem, 12345testing",
 	                      test_key);
-	g_test_add_data_func ("/libnm/crypto/key/aes",
-	                      "test-aes-key.pem, test-aes-password",
+	g_test_add_data_func ("/libnm/crypto/key/aes-128",
+	                      "test-aes-128-key.pem, test-aes-password",
 	                      test_key);
 
 	g_test_add_data_func ("/libnm/crypto/PKCS#12/1",