
[meta-swupdate,v2] remove all references to a salt value for encryption

Message ID 20201215085418.7244-1-dev@online.ms
State Accepted

Commit Message

Christoph Lauer Dec. 15, 2020, 8:54 a.m. UTC
From: Christoph Lauer <christoph.lauer@xtronic.de>

In release 2019.11, support for the salt encryption parameter was removed (see commit 9ce94342d3c212b06a283f95dc9c1c8c52155ce7).
Consequently, remove all references to a salt value for key creation and encryption.
The keyfile for encryption can still contain a salt value; it will simply be ignored.
Also remove the obsolete cmd variable.

Signed-off-by: Christoph Lauer <christoph.lauer@xtronic.de>
Signed-off-by: Christoph Lauer <dev@online.ms>
---
 classes/swupdate-common.bbclass | 17 +++++------------
 classes/swupdate-enc.bbclass    |  8 +++-----
 classes/swupdate.bbclass        | 10 +++++-----
 3 files changed, 13 insertions(+), 22 deletions(-)

--
2.17.1

Comments

Stefano Babic Dec. 15, 2020, 10:56 a.m. UTC | #1
On 15.12.20 09:54, Christoph Lauer wrote:
> From: Christoph Lauer <christoph.lauer@xtronic.de>
> 
> In release 2019.11, support for the salt encryption parameter was removed (see commit 9ce94342d3c212b06a283f95dc9c1c8c52155ce7).
> Consequently, remove all references to a salt value for key creation and encryption.
> The keyfile for encryption can still contain a salt value, it will simply be ignored.
> Also remove obsolete cmd variable.
> 
> Signed-off-by: Christoph Lauer <christoph.lauer@xtronic.de>
> Signed-off-by: Christoph Lauer <dev@online.ms>
> ---
>  classes/swupdate-common.bbclass | 17 +++++------------
>  classes/swupdate-enc.bbclass    |  8 +++-----
>  classes/swupdate.bbclass        | 10 +++++-----
>  3 files changed, 13 insertions(+), 22 deletions(-)
> 
> diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass
> index 564700d..578f305 100644
> --- a/classes/swupdate-common.bbclass
> +++ b/classes/swupdate-common.bbclass
> @@ -32,20 +32,13 @@ def swupdate_extract_keys(keyfile_path):
> 
>      key = data['key'].rstrip('\n')
>      iv = data['iv'].rstrip('\n')
> -    salt = data['salt'].rstrip('\n')
> 
> -    return key,iv,salt
> +    return key,iv
> 
> -def swupdate_encrypt_file(f, out, key, ivt, salt):
> +def swupdate_encrypt_file(f, out, key, ivt):
>      import subprocess
>      encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out]
> -    encargs += ["-K", key, "-iv", ivt, "-S", salt]
> -    cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % (
> -                f,
> -                out,
> -                key,
> -                ivt,
> -                salt)
> +    encargs += ["-K", key, "-iv", ivt, "-nosalt"]
>      subprocess.run(encargs, check=True)
> 
>  def swupdate_write_sha256(s, filename, hash):
> @@ -109,8 +102,8 @@ def prepare_sw_description(d, s, list_for_cpio):
>      if encrypt:
>          bb.note("Encryption of sw-description")
>          shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain'))
> -        key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
> -        swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv, salt)
> +        key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
> +        swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv)
> 
>      signing = d.getVar('SWUPDATE_SIGNING', True)
>      if signing == "1":
> diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass
> index 198ae98..dc421c0 100644
> --- a/classes/swupdate-enc.bbclass
> +++ b/classes/swupdate-enc.bbclass
> @@ -1,9 +1,8 @@
>  #
>  # The key must be generated as described in doc
>  # with
> -# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1
> +# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 -nosalt
>  # The file is in the format
> -# salt=
>  # key=
>  # iv=
>  # parameters: $1 = input file, $2 = output file
> @@ -12,11 +11,10 @@ swu_encrypt_file() {
>  	output=$2
>  	key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2`
>  	iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2`
> -	salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2`
> -	if [ -z ${salt} ] || [ -z ${key} ] || [ -z ${iv} ];then
> +	if [ -z ${key} ] || [ -z ${iv} ];then
>  		bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
>  	fi
> -	openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt}
> +	openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -nosalt
>  }
> 
>  CONVERSIONTYPES += "enc"
> diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
> index 81bbc0c..fe7b6ec 100644
> --- a/classes/swupdate.bbclass
> +++ b/classes/swupdate.bbclass
> @@ -101,15 +101,15 @@ python do_swuimage () {
>          filename = os.path.basename(local)
>          aes_file = d.getVar('SWUPDATE_AES_FILE', True)
>          if aes_file:
> -            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
> +            key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
>          if (filename != 'sw-description') and (os.path.isfile(local)):
>              encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "")
>              dst = os.path.join(s, "%s" % filename )
>              if encrypted == '1':
>                  bb.note("Encryption requested for %s" %(filename))
> -                if not key or not iv or not salt:
> +                if not key or not iv:
>                      bb.fatal("Encryption required, but no key found")
> -                swupdate_encrypt_file(local, dst, key, iv, salt)
> +                swupdate_encrypt_file(local, dst, key, iv)
>              else:
>                  shutil.copyfile(local, dst)
>              list_for_cpio.append(filename)
> @@ -121,9 +121,9 @@ python do_swuimage () {
>          target_imagename = os.path.basename(imagename)  # allow images in subfolders of DEPLOY_DIR_IMAGE
>          dst = os.path.join(s, target_imagename)
>          if encrypt == '1':
> -            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
> +            key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
>              bb.note("Encryption requested for %s" %(imagename))
> -            swupdate_encrypt_file(src, dst, key, iv, salt)
> +            swupdate_encrypt_file(src, dst, key, iv)
>          else:
>              shutil.copyfile(src, dst)
>          list_for_cpio.append(target_imagename)
> --
> 2.17.1
> 

Applied to -master, -gatesgarth, -dunfell, -thud, thanks !

Best regards,
Stefano Babic

Patch

diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass
index 564700d..578f305 100644
--- a/classes/swupdate-common.bbclass
+++ b/classes/swupdate-common.bbclass
@@ -32,20 +32,13 @@  def swupdate_extract_keys(keyfile_path):

     key = data['key'].rstrip('\n')
     iv = data['iv'].rstrip('\n')
-    salt = data['salt'].rstrip('\n')

-    return key,iv,salt
+    return key,iv

-def swupdate_encrypt_file(f, out, key, ivt, salt):
+def swupdate_encrypt_file(f, out, key, ivt):
     import subprocess
     encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out]
-    encargs += ["-K", key, "-iv", ivt, "-S", salt]
-    cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % (
-                f,
-                out,
-                key,
-                ivt,
-                salt)
+    encargs += ["-K", key, "-iv", ivt, "-nosalt"]
     subprocess.run(encargs, check=True)

 def swupdate_write_sha256(s, filename, hash):
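Review bot: The rewritten `encargs` line still hands the raw key and IV to openssl as command-line arguments, so they are readable by any local user through the process list for as long as the call runs; the commit does not change that, and the `enc` CLI has no file-based input for a raw `-K` key, so the limit should at least be stated, e.g. `# key and IV travel on the openssl argv and are visible in the process list while it runs; the build host must be trusted`. As far as I recall, `-nosalt` has no effect once a raw key is supplied with `-K` (no key derivation and no `Salted__` header happen in that mode), so the new flag documents intent rather than changing output — worth a one-line comment so nobody later assumes it matters for compatibility. The same key/IV pair read from the keyfile is also reused for every encrypted artifact (sw-description in the second hunk, each image in swupdate.bbclass); CBC with a fixed IV under one key reveals which artifacts share leading plaintext blocks, an existing limitation of the keyfile format rather than something this commit introduces. swupdate_extract_keys starts before the hunk.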
@@ -109,8 +102,8 @@  def prepare_sw_description(d, s, list_for_cpio):
     if encrypt:
         bb.note("Encryption of sw-description")
         shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain'))
-        key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
-        swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv, salt)
+        key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+        swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv)

     signing = d.getVar('SWUPDATE_SIGNING', True)
     if signing == "1":
diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass
index 198ae98..dc421c0 100644
--- a/classes/swupdate-enc.bbclass
+++ b/classes/swupdate-enc.bbclass
@@ -1,9 +1,8 @@ 
 #
 # The key must be generated as described in doc
 # with
-# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1
+# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 -nosalt
 # The file is in the format
-# salt=
 # key=
 # iv=
 # parameters: $1 = input file, $2 = output file
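Review bot: The updated generation command derives the key from `<PASSPHRASE>` with a single SHA-1 pass and, now, no salt, so the resulting key is only as strong as the passphrase and the same passphrase always yields the same key/iv pair. Since the keyfile only holds hex `key=`/`iv=` values, the comment could also name a random pair as the preferred source, e.g. `# or generate a random pair directly: openssl rand -hex 32 (key), openssl rand -hex 16 (iv)`, provided the swupdate documentation referenced above allows that. Those lengths match the 32-byte key and 16-byte IV that aes-256-cbc expects.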
@@ -12,11 +11,10 @@  swu_encrypt_file() {
 	output=$2
 	key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2`
 	iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2`
-	salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2`
-	if [ -z ${salt} ] || [ -z ${key} ] || [ -z ${iv} ];then
+	if [ -z ${key} ] || [ -z ${iv} ];then
 		bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
 	fi
-	openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt}
+	openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -nosalt
 }
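Review bot: The rewritten test on the `if` line leaves `${key}` and `${iv}` unquoted, so a value containing whitespace splits into several words and an empty value only passes the check by accident (`[ -z ]` with no operand is true); quote them: `if [ -z "${key}" ] || [ -z "${iv}" ]; then`. The `grep ^key` / `grep ^iv` extraction a few lines up also matches any line beginning with those letters (a `keyfile=` entry, say), so anchoring on `'^key='` and `'^iv='` would be safer now that the file format is being tightened. Like the Python helper, the openssl call passes the key and IV on the command line, so they are visible in the process list while it runs. swu_encrypt_file starts before the hunk.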

 CONVERSIONTYPES += "enc"
diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 81bbc0c..fe7b6ec 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -101,15 +101,15 @@  python do_swuimage () {
         filename = os.path.basename(local)
         aes_file = d.getVar('SWUPDATE_AES_FILE', True)
         if aes_file:
-            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+            key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
         if (filename != 'sw-description') and (os.path.isfile(local)):
             encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "")
             dst = os.path.join(s, "%s" % filename )
             if encrypted == '1':
                 bb.note("Encryption requested for %s" %(filename))
-                if not key or not iv or not salt:
+                if not key or not iv:
                     bb.fatal("Encryption required, but no key found")
-                swupdate_encrypt_file(local, dst, key, iv, salt)
+                swupdate_encrypt_file(local, dst, key, iv)
             else:
                 shutil.copyfile(local, dst)
             list_for_cpio.append(filename)
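Review bot: The changed `if not key or not iv:` check relies on `key` and `iv` being bound, but they are only assigned inside `if aes_file:` a few lines above, so when SWUPDATE_AES_FILE is unset and an image is flagged encrypted the check raises an unbound-name error instead of the intended `bb.fatal` — unless both names are initialised earlier in do_swuimage, which starts before the hunk. Binding them unconditionally fixes that and also drops the redundant second `d.getVar` call, since `aes_file` is already in hand: `key, iv = swupdate_extract_keys(aes_file) if aes_file else (None, None)`.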
@@ -121,9 +121,9 @@  python do_swuimage () {
         target_imagename = os.path.basename(imagename)  # allow images in subfolders of DEPLOY_DIR_IMAGE
         dst = os.path.join(s, target_imagename)
         if encrypt == '1':
-            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+            key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
             bb.note("Encryption requested for %s" %(imagename))
-            swupdate_encrypt_file(src, dst, key, iv, salt)
+            swupdate_encrypt_file(src, dst, key, iv)
         else:
             shutil.copyfile(src, dst)
         list_for_cpio.append(target_imagename)
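Review bot: The changed call under `if encrypt == '1':` invokes swupdate_extract_keys unconditionally, whereas the image loop earlier in the same function guards the extraction with `if aes_file:` and reports `bb.fatal("Encryption required, but no key found")` when no key is configured; here an unset SWUPDATE_AES_FILE would presumably surface as an exception from the key-file read rather than that message. Aligning the two paths would help: `aes_file = d.getVar('SWUPDATE_AES_FILE', True)` / `if not aes_file: bb.fatal("Encryption required, but no key found")` / `key,iv = swupdate_extract_keys(aes_file)`. do_swuimage starts before the hunk and continues after it.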