
[meta-swupdate] remove all references to a salt value for encryption

Message ID 20201214151432.38297-1-dev@online.ms
State Changes Requested

Commit Message

Christoph Lauer Dec. 14, 2020, 3:14 p.m. UTC
From: Christoph Lauer <christoph.lauer@xtronic.de>

In release 2019.11, support for the salt encryption parameter was removed (see commit 9ce94342d3c212b06a283f95dc9c1c8c52155ce7).
Consequently, remove all references to a salt value for key creation and encryption.
The keyfile for encryption can still contain a salt value; it will simply be ignored.

Signed-off-by: Christoph Lauer <christoph.lauer@xtronic.de>
---
 classes/swupdate-common.bbclass | 20 +++++++++-----------
 classes/swupdate-enc.bbclass    |  8 +++-----
 classes/swupdate.bbclass        | 10 +++++-----
 3 files changed, 17 insertions(+), 21 deletions(-)

--
2.17.1

Comments

Stefano Babic Dec. 14, 2020, 3:39 p.m. UTC | #1
Hi Christoph,

On 14.12.20 16:14, Christoph Lauer wrote:
> From: Christoph Lauer <christoph.lauer@xtronic.de>
> 
> In release 2019.11, support for the salt encryption parameter was removed (see commit 9ce94342d3c212b06a283f95dc9c1c8c52155ce7).
> Consequently, remove all references to a salt value for key creation and encryption.
> The keyfile for encryption can still contain a salt value, it will simply be ignored.
> 
> Signed-off-by: Christoph Lauer <christoph.lauer@xtronic.de>
> ---
>  classes/swupdate-common.bbclass | 20 +++++++++-----------
>  classes/swupdate-enc.bbclass    |  8 +++-----
>  classes/swupdate.bbclass        | 10 +++++-----
>  3 files changed, 17 insertions(+), 21 deletions(-)
> 
> diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass
> index ae4cf9c..27bbba8 100644
> --- a/classes/swupdate-common.bbclass
> +++ b/classes/swupdate-common.bbclass
> @@ -30,22 +30,20 @@ def swupdate_extract_keys(keyfile_path):
>          k,v = _.split('=',maxsplit=1)
>          data[k.rstrip()] = v
> 
> -    key = data['key'].rstrip('\n')
> -    iv = data['iv'].rstrip('\n')
> -    salt = data['salt'].rstrip('\n')
> +    key = data['key'].rstrip('\n')
> +    iv = data['iv'].rstrip('\n')
> 
> -    return key,iv,salt
> +    return key,iv
> 
> -def swupdate_encrypt_file(f, out, key, ivt, salt):
> +def swupdate_encrypt_file(f, out, key, ivt):
>      import subprocess
>      encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out]
> -    encargs += ["-K", key, "-iv", ivt, "-S", salt]
> -    cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % (
> +    encargs += ["-K", key, "-iv", ivt, "-nosalt"]
> +    cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -nosalt" % (

It looks to me that cmd is simply dead code after I switched from
os.system to subprocess. cmd is not used, see call to subprocess.run, so
just drop it.

>                  f,
>                  out,
>                  key,
> -                ivt,
> -                salt)
> +                ivt)
>      subprocess.run(encargs, check=True)
> 
>  def swupdate_write_sha256(s, filename, hash):
> @@ -109,8 +107,8 @@ def prepare_sw_description(d, s, list_for_cpio):
>      if encrypt:
>          bb.note("Encryption of sw-description")
>          shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain'))
> -        key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
> -        swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv, salt)
> +        key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
> +        swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv)
> 
>      signing = d.getVar('SWUPDATE_SIGNING', True)
>      if signing == "1":
> diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass
> index 198ae98..dc421c0 100644
> --- a/classes/swupdate-enc.bbclass
> +++ b/classes/swupdate-enc.bbclass
> @@ -1,9 +1,8 @@
>  #
>  # The key must be generated as described in doc
>  # with
> -# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1
> +# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 -nosalt
>  # The file is in the format
> -# salt=
>  # key=
>  # iv=
>  # parameters: $1 = input file, $2 = output file
> @@ -12,11 +11,10 @@ swu_encrypt_file() {
>  	output=$2
>  	key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2`
>  	iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2`
> -	salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2`
> -	if [ -z ${salt} ] || [ -z ${key} ] || [ -z ${iv} ];then
> +	if [ -z ${key} ] || [ -z ${iv} ];then
>  		bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
>  	fi
> -	openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt}
> +	openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -nosalt
>  }
> 
>  CONVERSIONTYPES += "enc"
> diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
> index 81bbc0c..fe7b6ec 100644
> --- a/classes/swupdate.bbclass
> +++ b/classes/swupdate.bbclass
> @@ -101,15 +101,15 @@ python do_swuimage () {
>          filename = os.path.basename(local)
>          aes_file = d.getVar('SWUPDATE_AES_FILE', True)
>          if aes_file:
> -            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
> +            key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
>          if (filename != 'sw-description') and (os.path.isfile(local)):
>              encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "")
>              dst = os.path.join(s, "%s" % filename )
>              if encrypted == '1':
>                  bb.note("Encryption requested for %s" %(filename))
> -                if not key or not iv or not salt:
> +                if not key or not iv:
>                      bb.fatal("Encryption required, but no key found")
> -                swupdate_encrypt_file(local, dst, key, iv, salt)
> +                swupdate_encrypt_file(local, dst, key, iv)
>              else:
>                  shutil.copyfile(local, dst)
>              list_for_cpio.append(filename)
> @@ -121,9 +121,9 @@ python do_swuimage () {
>          target_imagename = os.path.basename(imagename)  # allow images in subfolders of DEPLOY_DIR_IMAGE
>          dst = os.path.join(s, target_imagename)
>          if encrypt == '1':
> -            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
> +            key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
>              bb.note("Encryption requested for %s" %(imagename))
> -            swupdate_encrypt_file(src, dst, key, iv, salt)
> +            swupdate_encrypt_file(src, dst, key, iv)
>          else:
>              shutil.copyfile(src, dst)
>          list_for_cpio.append(target_imagename)
> --
> 2.17.1
> 

Best regards,
Stefano Babic

Patch

diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass
index ae4cf9c..27bbba8 100644
--- a/classes/swupdate-common.bbclass
+++ b/classes/swupdate-common.bbclass
@@ -30,22 +30,20 @@  def swupdate_extract_keys(keyfile_path):
         k,v = _.split('=',maxsplit=1)
         data[k.rstrip()] = v

-    key = data['key'].rstrip('\n')
-    iv = data['iv'].rstrip('\n')
-    salt = data['salt'].rstrip('\n')
+    key = data['key'].rstrip('\n')
+    iv = data['iv'].rstrip('\n')

-    return key,iv,salt
+    return key,iv

-def swupdate_encrypt_file(f, out, key, ivt, salt):
+def swupdate_encrypt_file(f, out, key, ivt):
     import subprocess
     encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out]
-    encargs += ["-K", key, "-iv", ivt, "-S", salt]
-    cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % (
+    encargs += ["-K", key, "-iv", ivt, "-nosalt"]
+    cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -nosalt" % (
                 f,
                 out,
                 key,
-                ivt,
-                salt)
+                ivt)
     subprocess.run(encargs, check=True)

 def swupdate_write_sha256(s, filename, hash):
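Review bot: A keyfile that lacks a `key=` or `iv=` line makes `data['key']` / `data['iv']` on the new lines raise KeyError with a traceback, so the `if not key or not iv` guard that do_swuimage in swupdate.bbclass runs afterwards only ever catches empty values, never missing ones, while the shell variant in swupdate-enc.bbclass reports the same condition with a clear bbfatal. Using `key = data.get('key', '').rstrip('\n')` and `iv = data.get('iv', '').rstrip('\n')` would let the Python callers reach their existing check. swupdate_extract_keys starts before the hunk. Separately, as far as the openssl enc documentation goes, salting only affects passphrase-based key derivation, so with a raw `-K`/`-iv` the added `-nosalt` records intent rather than changing the output; a comment such as `# -nosalt: key/IV are passed raw via -K/-iv, no passphrase KDF is involved` would save the next reader from re-checking this.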
@@ -109,8 +107,8 @@  def prepare_sw_description(d, s, list_for_cpio):
     if encrypt:
         bb.note("Encryption of sw-description")
         shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain'))
-        key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
-        swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv, salt)
+        key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+        swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv)

     signing = d.getVar('SWUPDATE_SIGNING', True)
     if signing == "1":
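Review bot: The new call passes key and iv to swupdate_encrypt_file without the `if not key or not iv: bb.fatal("Encryption required, but no key found")` guard that the first do_swuimage hunk in swupdate.bbclass applies, so an empty `key=` or `iv=` line reaches openssl as `-K ''` and fails with an openssl error instead of a clear bb.fatal; the second do_swuimage hunk (the `if encrypt == '1':` site) has the same gap. Inserting that guard between the extract and encrypt calls at both sites would make all three encryption paths fail the same way. prepare_sw_description starts before the hunk.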
diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass
index 198ae98..dc421c0 100644
--- a/classes/swupdate-enc.bbclass
+++ b/classes/swupdate-enc.bbclass
@@ -1,9 +1,8 @@ 
 #
 # The key must be generated as described in doc
 # with
-# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1
+# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 -nosalt
 # The file is in the format
-# salt=
 # key=
 # iv=
 # parameters: $1 = input file, $2 = output file
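Review bot: The header now documents a `-nosalt` generation command but says nothing about an existing `salt=` line, which the commit message states is still accepted and ignored; a line such as `# (a salt= line, if present, is ignored)` after `# iv=` would keep the file-format description complete for people migrating an older keyfile.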
@@ -12,11 +11,10 @@  swu_encrypt_file() {
 	output=$2
 	key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2`
 	iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2`
-	salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2`
-	if [ -z ${salt} ] || [ -z ${key} ] || [ -z ${iv} ];then
+	if [ -z ${key} ] || [ -z ${iv} ];then
 		bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
 	fi
-	openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt}
+	openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -nosalt
 }

 CONVERSIONTYPES += "enc"
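Review bot: The rewritten test on the `if` line expands `${key}` and `${iv}` unquoted, so an empty value leaves `[ -z ]` with a single operand and the check passes only by accident of test's one-argument rule; `if [ -z "${key}" ] || [ -z "${iv}" ]; then` makes the check explicit. The openssl line below has the same issue with `${input}` and `${output}`, which break on paths containing whitespace: `openssl enc -aes-256-cbc -in "${input}" -out "${output}" -K "${key}" -iv "${iv}" -nosalt`. swu_encrypt_file starts before the hunk.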
diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 81bbc0c..fe7b6ec 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -101,15 +101,15 @@  python do_swuimage () {
         filename = os.path.basename(local)
         aes_file = d.getVar('SWUPDATE_AES_FILE', True)
         if aes_file:
-            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+            key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
         if (filename != 'sw-description') and (os.path.isfile(local)):
             encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "")
             dst = os.path.join(s, "%s" % filename )
             if encrypted == '1':
                 bb.note("Encryption requested for %s" %(filename))
-                if not key or not iv or not salt:
+                if not key or not iv:
                     bb.fatal("Encryption required, but no key found")
-                swupdate_encrypt_file(local, dst, key, iv, salt)
+                swupdate_encrypt_file(local, dst, key, iv)
             else:
                 shutil.copyfile(local, dst)
             list_for_cpio.append(filename)
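Review bot: `key` and `iv` are only assigned inside `if aes_file:`, so when SWUPDATE_AES_FILE is unset and an image is flagged in SWUPDATE_IMAGES_ENCRYPTED, the `if not key or not iv:` line reads an unbound local and raises NameError instead of reaching the bb.fatal message — unless both are initialised earlier in do_swuimage, which starts before the hunk. Adding `key = iv = None` before the `if aes_file:` line, or an `else: key = iv = None` branch, keeps the fatal path reachable.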
@@ -121,9 +121,9 @@  python do_swuimage () {
         target_imagename = os.path.basename(imagename)  # allow images in subfolders of DEPLOY_DIR_IMAGE
         dst = os.path.join(s, target_imagename)
         if encrypt == '1':
-            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+            key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
             bb.note("Encryption requested for %s" %(imagename))
-            swupdate_encrypt_file(src, dst, key, iv, salt)
+            swupdate_encrypt_file(src, dst, key, iv)
         else:
             shutil.copyfile(src, dst)
         list_for_cpio.append(target_imagename)