Message ID | 20201215085418.7244-1-dev@online.ms |
---|---|
State | Accepted |
Series | [meta-swupdate,v2] remove all references to a salt value for encryption | expand |
On 15.12.20 09:54, Christoph Lauer wrote: > From: Christoph Lauer <christoph.lauer@xtronic.de> > > In release 2019.11, support for the salt encryption parameter was removed (see commit 9ce94342d3c212b06a283f95dc9c1c8c52155ce7). > Consequently, remove all references to a salt value for key creation and encryption. > The keyfile for encryption can still contain a salt value, it will simply be ignored. > Also remove obsolete cmd variable. > > Signed-off-by: Christoph Lauer <christoph.lauer@xtronic.de> > Signed-off-by: Christoph Lauer <dev@online.ms> > --- > classes/swupdate-common.bbclass | 17 +++++------------ > classes/swupdate-enc.bbclass | 8 +++----- > classes/swupdate.bbclass | 10 +++++----- > 3 files changed, 13 insertions(+), 22 deletions(-) > > diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass > index 564700d..578f305 100644 > --- a/classes/swupdate-common.bbclass > +++ b/classes/swupdate-common.bbclass > @@ -32,20 +32,13 @@ def swupdate_extract_keys(keyfile_path): > > key = data['key'].rstrip('\n') > iv = data['iv'].rstrip('\n') > - salt = data['salt'].rstrip('\n') > > - return key,iv,salt > + return key,iv > > -def swupdate_encrypt_file(f, out, key, ivt, salt): > +def swupdate_encrypt_file(f, out, key, ivt): > import subprocess > encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out] > - encargs += ["-K", key, "-iv", ivt, "-S", salt] > - cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % ( > - f, > - out, > - key, > - ivt, > - salt) > + encargs += ["-K", key, "-iv", ivt, "-nosalt"] > subprocess.run(encargs, check=True) > > def swupdate_write_sha256(s, filename, hash): 
> @@ -109,8 +102,8 @@ def prepare_sw_description(d, s, list_for_cpio): > if encrypt: > bb.note("Encryption of sw-description") > shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain')) > - key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) > - swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv, salt) > + key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) > + swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv) > > signing = d.getVar('SWUPDATE_SIGNING', True) > if signing == "1": > diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass > index 198ae98..dc421c0 100644 > --- a/classes/swupdate-enc.bbclass > +++ b/classes/swupdate-enc.bbclass > @@ -1,9 +1,8 @@ > # > # The key must be generated as described in doc > # with > -# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 > +# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 -nosalt > # The file is in the format > -# salt= > # key= > # iv= > # parameters: $1 = input file, $2 = output file > @@ -12,11 +11,10 @@ swu_encrypt_file() { > output=$2 > key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2` > iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2` > - salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2` > - if [ -z ${salt} ] || [ -z ${key} ] || [ -z ${iv} ];then > + if [ -z ${key} ] || [ -z ${iv} ];then > bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" > fi > - openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt} > + openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -nosalt > } > > CONVERSIONTYPES += "enc" > diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass > index 81bbc0c..fe7b6ec 100644 > --- a/classes/swupdate.bbclass > +++ b/classes/swupdate.bbclass 
> @@ -101,15 +101,15 @@ python do_swuimage () { > filename = os.path.basename(local) > aes_file = d.getVar('SWUPDATE_AES_FILE', True) > if aes_file: > - key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) > + key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) > if (filename != 'sw-description') and (os.path.isfile(local)): > encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "") > dst = os.path.join(s, "%s" % filename ) > if encrypted == '1': > bb.note("Encryption requested for %s" %(filename)) > - if not key or not iv or not salt: > + if not key or not iv: > bb.fatal("Encryption required, but no key found") > - swupdate_encrypt_file(local, dst, key, iv, salt) > + swupdate_encrypt_file(local, dst, key, iv) > else: > shutil.copyfile(local, dst) > list_for_cpio.append(filename) > @@ -121,9 +121,9 @@ python do_swuimage () { > target_imagename = os.path.basename(imagename) # allow images in subfolders of DEPLOY_DIR_IMAGE > dst = os.path.join(s, target_imagename) > if encrypt == '1': > - key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) > + key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) > bb.note("Encryption requested for %s" %(imagename)) > - swupdate_encrypt_file(src, dst, key, iv, salt) > + swupdate_encrypt_file(src, dst, key, iv) > else: > shutil.copyfile(src, dst) > list_for_cpio.append(target_imagename) > -- > 2.17.1 > Applied to -master, -gatesgarth, -dunfell, -thud, thanks ! Best regards, Stefano Babic
diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass
index 564700d..578f305 100644
--- a/classes/swupdate-common.bbclass
+++ b/classes/swupdate-common.bbclass
@@ -32,20 +32,13 @@ def swupdate_extract_keys(keyfile_path):
 
 key = data['key'].rstrip('\n')
 iv = data['iv'].rstrip('\n')
- salt = data['salt'].rstrip('\n')
 
- return key,iv,salt
+ return key,iv
 
-def swupdate_encrypt_file(f, out, key, ivt, salt):
+def swupdate_encrypt_file(f, out, key, ivt):
 import subprocess
 encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out]
- encargs += ["-K", key, "-iv", ivt, "-S", salt]
- cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % (
- f,
- out,
- key,
- ivt,
- salt)
+ encargs += ["-K", key, "-iv", ivt, "-nosalt"]
 subprocess.run(encargs, check=True)
 
 def swupdate_write_sha256(s, filename, hash):
@@ -109,8 +102,8 @@ def prepare_sw_description(d, s, list_for_cpio):
 if encrypt:
 bb.note("Encryption of sw-description")
 shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain'))
- key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
- swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv, salt)
+ key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+ swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv)
 
 signing = d.getVar('SWUPDATE_SIGNING', True)
 if signing == "1":
diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass
index 198ae98..dc421c0 100644
--- a/classes/swupdate-enc.bbclass
+++ b/classes/swupdate-enc.bbclass
@@ -1,9 +1,8 @@
 #
 # The key must be generated as described in doc
 # with
-# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1
+# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 -nosalt
 # The file is in the format
-# salt=
 # key=
 # iv=
 # parameters: $1 = input file, $2 = output file
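Review bot: The new `encargs += ["-K", key, "-iv", ivt, "-nosalt"]` line still places the raw AES key and IV in openssl's argv, where any other local user on the build host can read them from the process list for the duration of the call; `-nosalt` itself changes nothing here, since a salt only affects passphrase-derived keys and `-K`/`-iv` bypass that derivation entirely. Every caller in this series (prepare_sw_description and both branches of do_swuimage) also reuses the same key and the same static IV from SWUPDATE_AES_FILE for every artifact, and with AES-CBC a repeated key/IV pair reveals whether two ciphertexts share a leading plaintext block — a property of the existing design rather than of this commit, but one the helper should state. Since openssl enc offers no file- or fd-based form of `-K`, the realistic step for this hunk is a docstring on swupdate_encrypt_file saying that key/ivt are exposed on the command line while openssl runs and that the IV is static per keyfile, so the keyfile and build host must be treated as trusted. swupdate_extract_keys begins outside this hunk.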
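Review bot: In prepare_sw_description the new `key,iv = swupdate_extract_keys(...)` result goes straight into swupdate_encrypt_file without the `if not key or not iv: bb.fatal(...)` guard that do_swuimage applies in its first encryption branch, so an empty `key=` or `iv=` line in SWUPDATE_AES_FILE surfaces here as a CalledProcessError from openssl rather than the intended diagnostic. The `@@ -121,9 +121,9 @@` hunk of swupdate.bbclass has the same omission. Suggest inserting `if not key or not iv: bb.fatal("Encryption required, but no key found")` after the extraction in both places, reusing the existing message. Note also that when SWUPDATE_AES_FILE is unset d.getVar returns None and the failure then happens inside swupdate_extract_keys (its body is outside this hunk) with no mention of the variable.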
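Review bot: The recommended generation command `openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 -nosalt` derives both key and IV deterministically from the passphrase through openssl's legacy single-pass SHA-1 key derivation, so anyone who guesses the passphrase obtains the exact key and IV, and dropping the salt removes the only per-keyfile randomness that derivation had. Because the encryption path consumes only raw hex `key=` and `iv=` values (passed via `-K`/`-iv`), the comment should instead recommend generating them directly from the system CSPRNG, e.g. `openssl rand -hex 32` for the key and `openssl rand -hex 16` for the IV, and describe the file format as `# key=<64 hex chars>` and `# iv=<32 hex chars>`. A passphrase-based derivation should at most be mentioned as a legacy option.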
@@ -12,11 +11,10 @@ swu_encrypt_file() {
 output=$2
 key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2`
 iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2`
- salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2`
- if [ -z ${salt} ] || [ -z ${key} ] || [ -z ${iv} ];then
+ if [ -z ${key} ] || [ -z ${iv} ];then
 bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
 fi
- openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt}
+ openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -nosalt
 }
 
 CONVERSIONTYPES += "enc"
diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass
index 81bbc0c..fe7b6ec 100644
--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -101,15 +101,15 @@ python do_swuimage () {
 filename = os.path.basename(local)
 aes_file = d.getVar('SWUPDATE_AES_FILE', True)
 if aes_file:
- key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+ key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
 if (filename != 'sw-description') and (os.path.isfile(local)):
 encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "")
 dst = os.path.join(s, "%s" % filename )
 if encrypted == '1':
 bb.note("Encryption requested for %s" %(filename))
- if not key or not iv or not salt:
+ if not key or not iv:
 bb.fatal("Encryption required, but no key found")
- swupdate_encrypt_file(local, dst, key, iv, salt)
+ swupdate_encrypt_file(local, dst, key, iv)
 else:
 shutil.copyfile(local, dst)
 list_for_cpio.append(filename)
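Review bot: The rewritten guard `if [ -z ${key} ] || [ -z ${iv} ];then` leaves both expansions unquoted, so an empty value collapses to `[ -z ]` (true only by accident of `test` semantics) and a value with embedded whitespace makes the test fail with a syntax error instead of reaching bbfatal; the same unquoted `${key}`/`${iv}` on the new openssl line would then word-split into extra arguments. Quote them: `if [ -z "${key}" ] || [ -z "${iv}" ]; then` and `-K "${key}" -iv "${iv}" -nosalt`. As in the Python helper, the key and IV are passed on the openssl command line and are readable by other local users while it runs; a one-line comment above the call stating this would help operators size the trust placed in the build host. swu_encrypt_file begins outside this hunk.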
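Review bot: In the `@@ -101,15 +101,15 @@` hunk of do_swuimage, `key,iv` are assigned only inside `if aes_file:`, so when SWUPDATE_AES_FILE is unset and an image is flagged encrypted the later `if not key or not iv:` raises NameError on an unbound `key` instead of reaching `bb.fatal("Encryption required, but no key found")` — unless the names are initialised earlier in the function, which lies outside this hunk. Adding `key = iv = None` immediately before `if aes_file:` makes the intended diagnostic fire regardless. The function starts well before the hunk; the check holds only as far as the visible lines show.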
@@ -121,9 +121,9 @@ python do_swuimage () {
 target_imagename = os.path.basename(imagename) # allow images in subfolders of DEPLOY_DIR_IMAGE
 dst = os.path.join(s, target_imagename)
 if encrypt == '1':
- key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
+ key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
 bb.note("Encryption requested for %s" %(imagename))
- swupdate_encrypt_file(src, dst, key, iv, salt)
+ swupdate_encrypt_file(src, dst, key, iv)
 else:
 shutil.copyfile(src, dst)
 list_for_cpio.append(target_imagename)