From patchwork Mon Dec 14 15:14:32 2020
X-Patchwork-Submitter: Christoph Lauer
X-Patchwork-Id: 1415993
From: Christoph Lauer
To: swupdate@googlegroups.com
Cc: Christoph Lauer
Subject: [swupdate] [meta-swupdate][PATCH] remove all references to a salt value for encryption
Date: Mon, 14 Dec 2020 16:14:32 +0100
Message-Id: <20201214151432.38297-1-dev@online.ms>
X-Mailer: git-send-email 2.17.1
Precedence: list
Mailing-list: list swupdate@googlegroups.com; contact swupdate+owners@googlegroups.com
X-Google-Group-Id:
605343134186 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , From: Christoph Lauer In release 2019.11, support for the salt encryption parameter was removed (see commit 9ce94342d3c212b06a283f95dc9c1c8c52155ce7). Consequently, remove all references to a salt value for key creation and encryption. The keyfile for encryption can still contain a salt value, it will simply be ignored. Signed-off-by: Christoph Lauer --- classes/swupdate-common.bbclass | 20 +++++++++----------- classes/swupdate-enc.bbclass | 8 +++----- classes/swupdate.bbclass | 10 +++++----- 3 files changed, 17 insertions(+), 21 deletions(-) -- 2.17.1 diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass index ae4cf9c..27bbba8 100644 --- a/classes/swupdate-common.bbclass +++ b/classes/swupdate-common.bbclass @@ -30,22 +30,20 @@ def swupdate_extract_keys(keyfile_path): k,v = _.split('=',maxsplit=1) data[k.rstrip()] = v - key = data['key'].rstrip('\n') - iv = data['iv'].rstrip('\n') - salt = data['salt'].rstrip('\n') + key = data['key'].rstrip('\n') + iv = data['iv'].rstrip('\n') - return key,iv,salt + return key,iv -def swupdate_encrypt_file(f, out, key, ivt, salt): +def swupdate_encrypt_file(f, out, key, ivt): import subprocess encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out] - encargs += ["-K", key, "-iv", ivt, "-S", salt] - cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % ( + encargs += ["-K", key, "-iv", ivt, "-nosalt"] + cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -nosalt" % ( f, out, key, - ivt, - salt) + ivt) subprocess.run(encargs, check=True) def swupdate_write_sha256(s, filename, hash): 
@@ -109,8 +107,8 @@ def prepare_sw_description(d, s, list_for_cpio): if encrypt: bb.note("Encryption of sw-description") shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain')) - key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) - swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv, salt) + key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv) signing = d.getVar('SWUPDATE_SIGNING', True) if signing == "1": diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass index 198ae98..dc421c0 100644 --- a/classes/swupdate-enc.bbclass +++ b/classes/swupdate-enc.bbclass @@ -1,9 +1,8 @@ # # The key must be generated as described in doc # with -# openssl enc -aes-256-cbc -k -P -md sha1 +# openssl enc -aes-256-cbc -k -P -md sha1 -nosalt # The file is in the format -# salt= # key= # iv= # parameters: $1 = input file, $2 = output file @@ -12,11 +11,10 @@ swu_encrypt_file() { output=$2 key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2` iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2` - salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2` - if [ -z ${salt} ] || [ -z ${key} ] || [ -z ${iv} ];then + if [ -z ${key} ] || [ -z ${iv} ];then bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" fi - openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt} + openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -nosalt } CONVERSIONTYPES += "enc" diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index 81bbc0c..fe7b6ec 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass 
@@ -101,15 +101,15 @@ python do_swuimage () { filename = os.path.basename(local) aes_file = d.getVar('SWUPDATE_AES_FILE', True) if aes_file: - key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) if (filename != 'sw-description') and (os.path.isfile(local)): encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "") dst = os.path.join(s, "%s" % filename ) if encrypted == '1': bb.note("Encryption requested for %s" %(filename)) - if not key or not iv or not salt: + if not key or not iv: bb.fatal("Encryption required, but no key found") - swupdate_encrypt_file(local, dst, key, iv, salt) + swupdate_encrypt_file(local, dst, key, iv) else: shutil.copyfile(local, dst) list_for_cpio.append(filename) @@ -121,9 +121,9 @@ python do_swuimage () { target_imagename = os.path.basename(imagename) # allow images in subfolders of DEPLOY_DIR_IMAGE dst = os.path.join(s, target_imagename) if encrypt == '1': - key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) bb.note("Encryption requested for %s" %(imagename)) - swupdate_encrypt_file(src, dst, key, iv, salt) + swupdate_encrypt_file(src, dst, key, iv) else: shutil.copyfile(src, dst) list_for_cpio.append(target_imagename)
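
Review bot: In classes/swupdate-common.bbclass, swupdate_encrypt_file() still builds the cmd string, but only encargs is passed to subprocess.run(encargs, check=True), so the patch keeps a variable in sync that nothing reads. Drop cmd instead of editing it; as written it also formats the key and IV into a throwaway string. The commit message should also say that swupdate_extract_keys() now returns two values and swupdate_encrypt_file() takes four arguments, because any caller outside these three files that still unpacks key,iv,salt or passes a salt will fail.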
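
Review bot: In the header comment of classes/swupdate-enc.bbclass, the documented key generation command now ends in -nosalt while still deriving the key and IV from a passphrase with -k, -P and -md sha1, so the resulting key and iv are a fixed function of the passphrase alone. State that in the comment, so users know the passphrase is the only source of entropy, or point them to generating random key and iv values directly. The commit message says a leftover salt= line in the key file is ignored; the format description should say the same rather than only dropping the line.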
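
Review bot: In swu_encrypt_file() in classes/swupdate-enc.bbclass, the rewritten check [ -z ${key} ] || [ -z ${iv} ] and the openssl call still expand ${key}, ${iv}, ${input} and ${output} unquoted. The empty case only works because a one-argument test of the string -z is true, and a value containing whitespace breaks both the test and the command line. Since these lines are being touched anyway, quote every expansion, for example [ -z "${key}" ] and -K "${key}" -iv "${iv}".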
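
Review bot: In the first do_swuimage hunk of classes/swupdate.bbclass, the check if not key or not iv: can only catch empty values, because swupdate_extract_keys() indexes data['key'] and data['iv'] directly and a key file missing either entry raises KeyError before bb.fatal("Encryption required, but no key found") is reached. Move the validation into swupdate_extract_keys() and call bb.fatal there, or have it use data.get() so this check is the one that fires. The call can also pass the already fetched aes_file instead of calling d.getVar('SWUPDATE_AES_FILE', True) a second time.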
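
Review bot: The second do_swuimage hunk in classes/swupdate.bbclass calls swupdate_extract_keys() again on the encrypt == '1' path and goes straight to swupdate_encrypt_file(src, dst, key, iv) without the if not key or not iv check that the first hunk applies. Read and validate the key file once and reuse the result, so both paths fail the same way on a bad SWUPDATE_AES_FILE. The same gap exists in prepare_sw_description() in classes/swupdate-common.bbclass, which also encrypts without checking the returned values.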