diff mbox series

[36/42] mkfs.ubifs: Compute encryption key descriptor automatically

Message ID 20181018143718.26298-37-richard@nod.at
State Accepted
Delegated to: David Oberhollenzer
Headers show
Series mtd-utils: Add fscrypt support to mkfs.ubifs | expand

Commit Message

Richard Weinberger Oct. 18, 2018, 2:37 p.m. UTC 
...if none is given. To be compatible with fscryptctl.

Signed-off-by: Richard Weinberger <richard@nod.at>
---
 ubifs-utils/mkfs.ubifs/crypto.c     | 27 ++++++++++++++++++++++++---
 ubifs-utils/mkfs.ubifs/crypto.h     |  1 +
 ubifs-utils/mkfs.ubifs/fscrypt.c    | 11 ++++++++---
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c |  2 --
 4 files changed, 33 insertions(+), 8 deletions(-)
diff mbox series

Patch

diff --git a/ubifs-utils/mkfs.ubifs/crypto.c b/ubifs-utils/mkfs.ubifs/crypto.c
index d0f24e1a5f6f..50a09b53ebfe 100644
--- a/ubifs-utils/mkfs.ubifs/crypto.c
+++ b/ubifs-utils/mkfs.ubifs/crypto.c
@@ -26,7 +26,7 @@ 
 #include "fscrypt.h"
 #include "common.h"
 
-static int do_sha256(const unsigned char *in, size_t len, unsigned char *out)
+static int do_hash(const EVP_MD *md, const unsigned char *in, size_t len, unsigned char *out)
 {
 	unsigned int out_len;
 	EVP_MD_CTX *mdctx = EVP_MD_CTX_create();
@@ -34,7 +34,7 @@  static int do_sha256(const unsigned char *in, size_t len, unsigned char *out)
 	if (!mdctx)
 		return -1;
 
-	if (EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) != 1)
+	if (EVP_DigestInit_ex(mdctx, md, NULL) != 1)
 		return -1;
 
 	if(EVP_DigestUpdate(mdctx, in, len) != 1)
@@ -121,7 +121,7 @@  static size_t gen_essiv_salt(const void *iv, size_t iv_len, const void *key, siz
 		return -1;
 	}
 
-	if (do_sha256(key, key_len, sha256) != 0) {
+	if (do_hash(EVP_sha256(), key, key_len, sha256) != 0) {
 		errmsg("sha256 failed");
 		return -1;
 	}
@@ -288,6 +288,27 @@  ssize_t derive_key_aes(const void *deriving_key, const void *source_key,
 			  aes_key_len, NULL, 0, derived_key);
 }
 
+int derive_key_descriptor(const void *source_key, void *descriptor)
+{
+	int ret = -1;
+	void *hash1 = xzalloc(EVP_MD_size(EVP_sha512()));
+	void *hash2 = xzalloc(EVP_MD_size(EVP_sha512()));
+
+	if (do_hash(EVP_sha512(), source_key, FS_MAX_KEY_SIZE, hash1) != 0)
+		goto out;
+
+	if (do_hash(EVP_sha512(), hash1, EVP_MD_size(EVP_sha512()), hash2) != 0)
+		goto out;
+
+	memcpy(descriptor, hash2, FS_KEY_DESCRIPTOR_SIZE);
+
+	ret = 0;
+out:
+	free(hash1);
+	free(hash2);
+	return ret;
+}
+
 static struct cipher ciphers[] = {
 	{
 		.name = "AES-128-CBC",
diff --git a/ubifs-utils/mkfs.ubifs/crypto.h b/ubifs-utils/mkfs.ubifs/crypto.h
index c2631dd0fd89..f275839aa77d 100644
--- a/ubifs-utils/mkfs.ubifs/crypto.h
+++ b/ubifs-utils/mkfs.ubifs/crypto.h
@@ -49,6 +49,7 @@  void crypto_cleanup(void);
 ssize_t derive_key_aes(const void *deriving_key, const void *source_key,
 		       size_t source_key_len, void *derived_key);
 
+int derive_key_descriptor(const void *source_key, void *descriptor);
 
 struct cipher *get_cipher(const char *name);
 
diff --git a/ubifs-utils/mkfs.ubifs/fscrypt.c b/ubifs-utils/mkfs.ubifs/fscrypt.c
index b9f9acc17c17..ce6e2fc29ce0 100644
--- a/ubifs-utils/mkfs.ubifs/fscrypt.c
+++ b/ubifs-utils/mkfs.ubifs/fscrypt.c
@@ -242,12 +242,17 @@  struct fscrypt_context *init_fscrypt_context(const char *cipher_name,
 		return NULL;
 	}
 
-	if (parse_key_descriptor(key_descriptor, master_key_descriptor))
-		return NULL;
-
 	if (load_master_key(key_file, fscrypt_cipher))
 		return NULL;
 
+	if (!key_descriptor) {
+		if (derive_key_descriptor(fscrypt_masterkey, master_key_descriptor))
+			return NULL;
+	} else {
+		if (parse_key_descriptor(key_descriptor, master_key_descriptor))
+			return NULL;
+	}
+
 	RAND_bytes((void *)nonce, FS_KEY_DERIVATION_NONCE_SIZE);
 
 	new_fctx = xmalloc(sizeof(*new_fctx));
diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index 9bd15a2f047a..f8d8e52f1bae 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -752,8 +752,6 @@  static int get_options(int argc, char**argv)
 	if (key_file || key_desc) {
 		if (!key_file)
 			return err_msg("no key file specified");
-		if (!key_desc)
-			return err_msg("no key descriptor specified");
 
 		c->double_hash = 1;
 		c->encrypted = 1;