Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.2/patches/802696/?format=api
{ "id": 802696, "url": "http://patchwork.ozlabs.org/api/1.2/patches/802696/?format=api", "web_url": "http://patchwork.ozlabs.org/project/swupdate/patch/20170817141546.31426-1-christian.storm@siemens.com/", "project": { "id": 58, "url": "http://patchwork.ozlabs.org/api/1.2/projects/58/?format=api", "name": "swupdate development", "link_name": "swupdate", "list_id": "swupdate.googlegroups.com", "list_email": "swupdate@googlegroups.com", "web_url": "https://github.com/sbabic/swupdate", "scm_url": "git://github.com/sbabic/swupdate", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170817141546.31426-1-christian.storm@siemens.com>", "list_archive_url": null, "date": "2017-08-17T14:15:45", "name": "[resent,1/2] crypt: add support for using salt", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "573432eae9a0aca8ec74e14108b3362fbe282e46", "submitter": { "id": 72180, "url": "http://patchwork.ozlabs.org/api/1.2/people/72180/?format=api", "name": "Storm, Christian", "email": "christian.storm@siemens.com" }, "delegate": { "id": 1693, "url": "http://patchwork.ozlabs.org/api/1.2/users/1693/?format=api", "username": "sbabic", "first_name": "Stefano", "last_name": "Babic", "email": "sbabic@denx.de" }, "mbox": "http://patchwork.ozlabs.org/project/swupdate/patch/20170817141546.31426-1-christian.storm@siemens.com/mbox/", "series": [], "comments": "http://patchwork.ozlabs.org/api/patches/802696/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/802696/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<swupdate+bncBDD6BWV65QPBBY6L23GAKGQE4I4LX3Y@googlegroups.com>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@bilbo.ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=pass (mailfrom) 
smtp.mailfrom=googlegroups.com\n\t(client-ip=2a00:1450:400c:c0c::23d;\n\thelo=mail-wr0-x23d.google.com;\n\tenvelope-from=swupdate+bncbdd6bwv65qpbby6l23gakgqe4i4lx3y@googlegroups.com;\n\treceiver=<UNKNOWN>)", "ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=googlegroups.com header.i=@googlegroups.com\n\theader.b=\"gSYOrA0U\"; dkim-atps=neutral" ], "Received": [ "from mail-wr0-x23d.google.com (mail-wr0-x23d.google.com\n\t[IPv6:2a00:1450:400c:c0c::23d])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128\n\tbits)) (No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 3xY7d30frFz9t42\n\tfor <incoming@patchwork.ozlabs.org>;\n\tFri, 18 Aug 2017 00:19:18 +1000 (AEST)", "by mail-wr0-x23d.google.com with SMTP id f8sf15393wrf.3\n\tfor <incoming@patchwork.ozlabs.org>;\n\tThu, 17 Aug 2017 07:19:18 -0700 (PDT)", "by 10.25.143.82 with SMTP id r79ls230595lfd.32.gmail; Thu, 17 Aug\n\t2017 07:19:15 -0700 (PDT)", "from david.siemens.de (david.siemens.de. 
[192.35.17.14])\n\tby gmr-mx.google.com with ESMTPS id\n\tn126si1553566wma.7.2017.08.17.07.19.15\n\tfor <swupdate@googlegroups.com>\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);\n\tThu, 17 Aug 2017 07:19:15 -0700 (PDT)", "from mail2.siemens.de (mail2.siemens.de [139.25.208.11])\n\tby david.siemens.de (8.15.2/8.15.2) with ESMTPS id v7HEJEGI000708\n\t(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)\n\tfor <swupdate@googlegroups.com>; Thu, 17 Aug 2017 16:19:14 +0200", "from MD1KR9XC.ww002.siemens.net ([139.25.68.253])\n\tby mail2.siemens.de (8.15.2/8.15.2) with ESMTP id v7HEJEvc031432;\n\tThu, 17 Aug 2017 16:19:14 +0200" ], "ARC-Authentication-Results": [ "i=2; gmr-mx.google.com;\n\tspf=neutral (google.com: 192.35.17.14 is neither permitted nor denied\n\tby best guess record for domain of\n\tchristian.storm@siemens.com)\n\tsmtp.mailfrom=christian.storm@siemens.com", "i=1; gmr-mx.google.com;\n\tspf=neutral (google.com: 192.35.17.14 is neither permitted nor denied\n\tby best guess record for domain of\n\tchristian.storm@siemens.com)\n\tsmtp.mailfrom=christian.storm@siemens.com" ], "Sender": "swupdate@googlegroups.com", "X-Received": [ "by 10.46.32.135 with SMTP id g7mr10630lji.18.1502979555794;\n\tThu, 17 Aug 2017 07:19:15 -0700 (PDT)", "by 10.46.82.212 with SMTP id n81mr932156lje.9.1502979555253;\n\tThu, 17 Aug 2017 07:19:15 -0700 (PDT)" ], "MIME-Version": "1.0", "X-BeenThere": "swupdate@googlegroups.com", "Received-SPF": "neutral (google.com: 192.35.17.14 is neither permitted nor\n\tdenied by best guess record for domain 
of\n\tchristian.storm@siemens.com) client-ip=192.35.17.14; ", "From": "Christian Storm <christian.storm@siemens.com>", "To": "swupdate@googlegroups.com", "Cc": "Christian Storm <christian.storm@siemens.com>", "Subject": "[swupdate] [PATCH resent 1/2] crypt: add support for using salt", "Date": "Thu, 17 Aug 2017 16:15:45 +0200", "Message-Id": "<20170817141546.31426-1-christian.storm@siemens.com>", "X-Mailer": "git-send-email 2.14.1", "X-Original-Sender": "christian.storm@siemens.com", "X-Original-Authentication-Results": "gmr-mx.google.com; spf=neutral\n\t(google.com: 192.35.17.14 is neither permitted nor denied by best\n\tguess\n\trecord for domain of christian.storm@siemens.com)\n\tsmtp.mailfrom=christian.storm@siemens.com", "Content-Type": "text/plain; charset=\"UTF-8\"", "Precedence": "list", "Mailing-list": "list swupdate@googlegroups.com;\n\tcontact swupdate+owners@googlegroups.com", "List-ID": "<swupdate.googlegroups.com>", "X-Spam-Checked-In-Group": "swupdate@googlegroups.com", "X-Google-Group-Id": "605343134186", "List-Post": "<https://groups.google.com/group/swupdate/post>,\n\t<mailto:swupdate@googlegroups.com>", "List-Help": "<https://groups.google.com/support/>,\n\t<mailto:swupdate+help@googlegroups.com>", "List-Archive": "<https://groups.google.com/group/swupdate", "List-Subscribe": "<https://groups.google.com/group/swupdate/subscribe>,\n\t<mailto:swupdate+subscribe@googlegroups.com>", "List-Unsubscribe": "<mailto:googlegroups-manage+605343134186+unsubscribe@googlegroups.com>,\n\t<https://groups.google.com/group/swupdate/subscribe>" }, "content": "Support OpenSSL symmetric image encryption using salt. 
For backwards\ncompatibility, also support symmetric image encryption without salt.\n\nSigned-off-by: Christian Storm <christian.storm@siemens.com>\n---\n core/cpio_utils.c | 4 +++-\n core/util.c | 53 ++++++++++++++++++++++++++++++++---------\n corelib/swupdate_decrypt.c | 20 ++++++++++++++--\n doc/source/encrypted_images.rst | 28 ++++++++++++++--------\n include/sslapi.h | 4 ++--\n include/util.h | 1 +\n 6 files changed, 84 insertions(+), 26 deletions(-)", "diff": "diff --git a/core/cpio_utils.c b/core/cpio_utils.c\nindex 7834a89..c3df86f 100644\n--- a/core/cpio_utils.c\n+++ b/core/cpio_utils.c\n@@ -130,6 +130,7 @@ int copyfile(int fdin, void *out, unsigned int nbytes, unsigned long *offs, unsi\n \tunsigned int md_len = 0;\n \tunsigned char *aes_key;\n \tunsigned char *ivt;\n+\tunsigned char *salt;\n \n \tif (!callback) {\n \t\tcallback = copy_write;\n@@ -166,7 +167,8 @@ int copyfile(int fdin, void *out, unsigned int nbytes, unsigned long *offs, unsi\n \n \t\taes_key = get_aes_key();\n \t\tivt = get_aes_ivt();\n-\t\tdcrypt = swupdate_DECRYPT_init(aes_key, ivt);\n+\t\tsalt = get_aes_salt();\n+\t\tdcrypt = swupdate_DECRYPT_init(aes_key, ivt, salt);\n \t\tif (!dcrypt) {\n \t\t\tERROR(\"decrypt initialization failure, aborting\");\n \t\t\tret = -EFAULT;\ndiff --git a/core/util.c b/core/util.c\nindex fc8e282..b714f29 100644\n--- a/core/util.c\n+++ b/core/util.c\n@@ -31,9 +31,15 @@\n #include \"util.h\"\n #include \"generated/autoconf.h\"\n \n+/*\n+ * key is 256 bit for aes_256\n+ * ivt is 128 bit\n+ * salt is 64 bit\n+ */\n struct decryption_key {\n \tunsigned char key[32];\n \tunsigned char ivt[16];\n+\tunsigned char salt[8];\n };\n \n static struct decryption_key *aes_key = NULL;\n@@ -276,6 +282,10 @@ static int ascii_to_bin(unsigned char *hash, const char *s, size_t len)\n \tunsigned int i;\n \tunsigned int val;\n \n+\tif (s == NULL) {\n+\t\treturn 0;\n+\t}\n+\n \tif (len % 2)\n \t\treturn -EINVAL;\n \tif (strlen(s) == len) {\n@@ -339,14 +349,29 @@ int 
count_elem_list(struct imglist *list)\n int load_decryption_key(char *fname)\n {\n \tFILE *fp;\n-\tchar *b1, *b2;\n+\tchar *b1 = NULL, *b2 = NULL, *b3 = NULL;\n \tint ret;\n \n \tfp = fopen(fname, \"r\");\n \tif (!fp)\n \t\treturn -EBADF;\n \n-\tret = fscanf(fp, \"%ms %ms\", &b1, &b2);\n+\tret = fscanf(fp, \"%ms %ms %ms\", &b1, &b2, &b3);\n+\tswitch (ret) {\n+\t\tcase 2:\n+\t\t\tb3 = NULL;\n+\t\t\tDEBUG(\"Read decryption key and initialization vector from file %s.\", fname);\n+\t\t\tbreak;\n+\t\tcase 3:\n+\t\t\tDEBUG(\"Read decryption key, initialization vector, and salt from file %s.\", fname);\n+\t\t\tbreak;\n+\t\tdefault:\n+\t\t\tif (b1 != NULL)\n+\t\t\t\tfree(b1);\n+\t\t\tfprintf(stderr, \"File with decryption key is not in the format <key> <ivt> nor <key> <ivt> <salt>\\n\");\n+\t\t\tfclose(fp);\n+\t\t\treturn -EINVAL;\n+\t}\n \tfclose(fp);\n \n \tif (aes_key)\n@@ -356,16 +381,16 @@ int load_decryption_key(char *fname)\n \tif (!aes_key)\n \t\treturn -ENOMEM;\n \n-\tif (ret != 2) {\n-\t\tfprintf(stderr, \"File with decryption key is in the format <key> <ivt>\\n\");\n-\t\treturn -EINVAL;\n-\t}\n+\tret = ascii_to_bin(aes_key->key, b1, sizeof(aes_key->key) * 2) |\n+\t ascii_to_bin(aes_key->ivt, b2, sizeof(aes_key->ivt) * 2) |\n+\t ascii_to_bin(aes_key->salt, b3, sizeof(aes_key->salt) * 2);\n \n-\t/*\n-\t * Key is for aes_256, it must be 256 bit\n-\t * and IVT is 128 bit\n-\t */\n-\tret = ascii_to_bin(aes_key->key, b1, 64) | ascii_to_bin(aes_key->ivt, b2, 32); \n+\tif (b1 != NULL)\n+\t\tfree(b1);\n+\tif (b2 != NULL)\n+\t\tfree(b2);\n+\tif (b3 != NULL)\n+\t\tfree(b3);\n \n \tif (ret) {\n \t\tfprintf(stderr, \"Keys are invalid\\n\");\n@@ -387,6 +412,12 @@ unsigned char *get_aes_ivt(void) {\n \treturn aes_key->ivt;\n }\n \n+unsigned char *get_aes_salt(void) {\n+\tif (!aes_key)\n+\t\treturn NULL;\n+\treturn aes_key->salt;\n+}\n+\n char** string_split(char* s, const char d)\n {\n \tchar** result = 0;\ndiff --git a/corelib/swupdate_decrypt.c 
b/corelib/swupdate_decrypt.c\nindex 8e092c8..24a6c5c 100644\n--- a/corelib/swupdate_decrypt.c\n+++ b/corelib/swupdate_decrypt.c\n@@ -28,7 +28,7 @@\n #include \"sslapi.h\"\n #include \"util.h\"\n \n-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char *iv)\n+struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char *iv, unsigned char *salt)\n {\n \tstruct swupdate_digest *dgst;\n \tint ret;\n@@ -38,11 +38,27 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char\n \t\treturn NULL;\n \t}\n \n+\tconst EVP_CIPHER *cipher = EVP_aes_256_cbc();\n+\n \tdgst = calloc(1, sizeof(*dgst));\n \tif (!dgst) {\n \t\treturn NULL;\n \t}\n \n+\tif (salt != NULL) {\n+\t\tunsigned char dummy_key[EVP_MAX_KEY_LENGTH];\n+\t\tunsigned char dummy_iv[EVP_MAX_IV_LENGTH];\n+\t\tunsigned char dummy_pwd[5] = \"DUMMY\";\n+\t\tif (!EVP_BytesToKey(cipher, EVP_sha1(), salt,\n+\t\t\t\t\t\t\tdummy_pwd, sizeof(dummy_pwd),\n+\t\t\t\t\t\t\t1,\n+\t\t\t\t\t\t\t(unsigned char *)&dummy_key, (unsigned char *)&dummy_iv)) {\n+\t\t\tERROR(\"Cannot set salt.\");\n+\t\t\tfree(dgst);\n+\t\t\treturn NULL;\n+\t\t}\n+\t}\n+\n #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)\n \tEVP_CIPHER_CTX_init(&dgst->ctxdec);\n #else\n@@ -63,7 +79,7 @@ struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char\n \t/*\n \t * Check openSSL documentation for return errors\n \t */\n-\tret = EVP_DecryptInit_ex(SSL_GET_CTXDEC(dgst), EVP_aes_256_cbc(), NULL, key, iv);\n+\tret = EVP_DecryptInit_ex(SSL_GET_CTXDEC(dgst), cipher, NULL, key, iv);\n \tif (ret != 1) {\n \t\tERROR(\"Decrypt Engine not initialized, error 0x%lx\\n\", ERR_get_error());\n \t\tfree(dgst);\ndiff --git a/doc/source/encrypted_images.rst b/doc/source/encrypted_images.rst\nindex 4358126..a7d85a2 100644\n--- a/doc/source/encrypted_images.rst\n+++ b/doc/source/encrypted_images.rst\n@@ -14,35 +14,43 @@ A complete documentation can be found at the\n \n 
::\n \n- openssl enc -aes-256-cbc -k <PASSPHRASE> -nosalt -P -md sha1\n+ openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1\n \n The key and initialization vector is generated based on the given ``<PASSPHRASE>``.\n The output of the above command looks like this:\n \n ::\n \n- key=B60D121B438A380C343D5EC3C2037564B82FFEF3542808AB5694FA93C3179140\n- iv =20578C4FEF1AEE907B1DC95C776F8160\n-\n+ salt=CE7B0488EFBF0D1B\n+ key=B78CC67DD3DC13042A1B575184D4E16D6A09412C242CE253ACEE0F06B5AD68FC\n+ iv =65D793B87B6724BB27954C7664F15FF3\n \n Then, encrypt an image using this information via\n \n ::\n \n- openssl enc -aes-256-cbc -in <INFILE> -out <OUTFILE> -K <KEY> -iv <IV>\n+ openssl enc -aes-256-cbc -in <INFILE> -out <OUTFILE> -K <KEY> -iv <IV> -S <SALT>\n \n where ``<INFILE>`` is the unencrypted source image file and ``<OUTFILE>`` is the\n encrypted output image file to be referenced in ``sw-description``.\n-``<KEY>`` is the hex value part of the first line of output from the key generation\n-command above and ``<IV>`` is the hex value part of the second line. \n+``<KEY>`` is the hex value part of the 2nd line of output from the key generation\n+command above, ``<IV>`` is the hex value part of the 3rd line, and ``<SALT>`` is\n+the hex value part of the 1st line.\n \n Then, create a key file to be supplied to SWUpdate via the `-K` switch by \n-putting the key and initialization vector hex values on one line separated by\n-whitespace, e.g., for above example values\n+putting the key, initialization vector, and salt hex values on one line\n+separated by whitespace, e.g., for above example values\n \n ::\n \n- B60D121B438A380C343D5EC3C2037564B82FFEF3542808AB5694FA93C3179140 20578C4FEF1AEE907B1DC95C776F8160\n+ B78CC67DD3DC13042A1B575184D4E16D6A09412C242CE253ACEE0F06B5AD68FC 65D793B87B6724BB27954C7664F15FF3 CE7B0488EFBF0D1B\n+\n+\n+Note that, while not recommended and for backwards compatibility, OpenSSL may be\n+used without salt. 
For disabling salt, add the ``-nosalt`` parameter to the key\n+generation command above. Accordingly, drop the ``-S <SALT>`` parameter in the\n+encryption command and omit the 3rd field of the key file to be supplied to\n+SWUpdate being the salt.\n \n \n Example sw-description with Encrypted Image\ndiff --git a/include/sslapi.h b/include/sslapi.h\nindex 500db7c..1df656d 100644\n--- a/include/sslapi.h\n+++ b/include/sslapi.h\n@@ -106,7 +106,7 @@ int swupdate_HASH_compare(unsigned char *hash1, unsigned char *hash2);\n #endif\n \n #ifdef CONFIG_ENCRYPTED_IMAGES\n-struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char *iv);\n+struct swupdate_digest *swupdate_DECRYPT_init(unsigned char *key, unsigned char *iv, unsigned char *salt);\n int swupdate_DECRYPT_update(struct swupdate_digest *dgst, unsigned char *buf, \n \t\t\t\tint *outlen, unsigned char *cryptbuf, int inlen);\n int swupdate_DECRYPT_final(struct swupdate_digest *dgst, unsigned char *buf,\n@@ -117,7 +117,7 @@ void swupdate_DECRYPT_cleanup(struct swupdate_digest *dgst);\n * Note: macro for swupdate_DECRYPT_init is\n * just to avoid compiler warnings\n */\n-#define swupdate_DECRYPT_init(key, iv) (((key != NULL) | (ivt != NULL)) ? NULL : NULL)\n+#define swupdate_DECRYPT_init(key, iv, salt) (((key != NULL) | (ivt != NULL) | (salt != NULL)) ? NULL : NULL)\n #define swupdate_DECRYPT_update(p, buf, len, cbuf, inlen) (-1)\n #define swupdate_DECRYPT_final(p, buf, len) (-1)\n #define swupdate_DECRYPT_cleanup(p)\ndiff --git a/include/util.h b/include/util.h\nindex 2d6f047..70a0acc 100644\n--- a/include/util.h\n+++ b/include/util.h\n@@ -173,6 +173,7 @@ int count_elem_list(struct imglist *list);\n int load_decryption_key(char *fname);\n unsigned char *get_aes_key(void);\n unsigned char *get_aes_ivt(void);\n+unsigned char *get_aes_salt(void);\n \n /* Getting global information */\n int get_install_info(sourcetype *source, char *buf, size_t len);\n", "prefixes": [ "resent", "1/2" ] }
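Review bot: In corelib/swupdate_decrypt.c, the new `if (salt != NULL)` block in swupdate_DECRYPT_init() never feeds the salt into the cipher. EVP_BytesToKey() derives into the locals dummy_key and dummy_iv from the fixed string "DUMMY", both are discarded, and EVP_DecryptInit_ex() is still called with the caller's key and iv unchanged. As written the salt has no effect on decryption, and the "Cannot set salt." error names an operation that does not take place. Either drop the block and the extra parameter, or derive key and iv from the real passphrase plus salt and pass the derived values to EVP_DecryptInit_ex(). Two smaller points in the same hunk: `const EVP_CIPHER *cipher` is declared after statements and belongs with dgst and ret at the top, and `(unsigned char *)&dummy_key` can simply be `dummy_key`.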
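Review bot: In core/util.c, get_aes_salt() returns `aes_key->salt`, which is an array member and therefore non-NULL whenever a key file has been loaded, including a two-field file without salt. The `salt != NULL` test in swupdate_DECRYPT_init() then cannot tell the salted case from the backwards-compatible unsalted one that the commit message promises. Record whether a salt was actually read, for example a flag in struct decryption_key set in the `case 3` branch of load_decryption_key(), and have get_aes_salt() return NULL when it was not.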
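Review bot: In load_decryption_key() in core/util.c, the early `return -ENOMEM` taken when aes_key cannot be allocated sits between the fscanf() with `%ms` and the new free() calls, so b1, b2 and b3 leak on that path. Free them before returning, or allocate aes_key before reading the file. The `if (b1 != NULL)` style guards are unnecessary because free(NULL) is a no-op, `b3 = NULL` in `case 2` repeats the initializer, and the new format error goes to fprintf(stderr, ...) while the same function now logs with DEBUG(); ERROR() would match.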
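Review bot: In ascii_to_bin() in core/util.c, the added `if (s == NULL) return 0;` makes a missing input string count as a successful conversion for every caller and leaves the output buffer untouched. Only the optional salt needs this. Keep ascii_to_bin() strict (return -EINVAL for NULL) and skip the salt conversion in load_decryption_key() when b3 is NULL.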
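Review bot: In include/sslapi.h, the stub macro `swupdate_DECRYPT_init(key, iv, salt)` names its second parameter iv but its body tests `ivt`, so it only compiles where the caller happens to have a variable called ivt in scope. Since this line is being changed anyway, test `(iv)` instead and parenthesize each argument, e.g. `(((key) != NULL) | ((iv) != NULL) | ((salt) != NULL))`.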
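Review bot: In doc/source/encrypted_images.rst, the closing note is hard to parse at "omit the 3rd field of the key file to be supplied to SWUpdate being the salt"; something like "and omit the third field (the salt) from the key file supplied to SWUpdate" reads more clearly. The text should also state the expected salt length, since load_decryption_key() converts it with `sizeof(aes_key->salt) * 2`, that is exactly 16 hex characters, and any other length is rejected with "Keys are invalid".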