From patchwork Tue Dec 15 08:54:18 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christoph Lauer
X-Patchwork-Id: 1416333
From: Christoph Lauer
To: swupdate@googlegroups.com
Cc: Christoph Lauer, Christoph Lauer
Subject: [swupdate] [meta-swupdate][PATCH][v2] remove all references to a salt value for encryption
Date: Tue, 15 Dec 2020 09:54:18 +0100
Message-Id: <20201215085418.7244-1-dev@online.ms>
X-Mailer: git-send-email 2.17.1

From: Christoph Lauer

In release 2019.11, support for the salt encryption parameter was removed (see commit 9ce94342d3c212b06a283f95dc9c1c8c52155ce7). Consequently, remove all references to a salt value for key creation and encryption. The keyfile for encryption can still contain a salt value, it will simply be ignored.

Also remove obsolete cmd variable.

Signed-off-by: Christoph Lauer
Signed-off-by: Christoph Lauer
--- classes/swupdate-common.bbclass | 17 +++++------------ classes/swupdate-enc.bbclass | 8 +++----- classes/swupdate.bbclass | 10 +++++----- 3 files changed, 13 insertions(+), 22 deletions(-) -- 2.17.1 diff --git a/classes/swupdate-common.bbclass b/classes/swupdate-common.bbclass index 564700d..578f305 100644 --- a/classes/swupdate-common.bbclass +++ b/classes/swupdate-common.bbclass @@ -32,20 +32,13 @@ def swupdate_extract_keys(keyfile_path): key = data['key'].rstrip('\n') iv = data['iv'].rstrip('\n') - salt = data['salt'].rstrip('\n') - return key,iv,salt + return key,iv -def swupdate_encrypt_file(f, out, key, ivt, salt): +def swupdate_encrypt_file(f, out, key, ivt): import subprocess encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out] - encargs += ["-K", key, "-iv", ivt, "-S", salt] - cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % ( - f, - out, - key, - ivt, - salt) + encargs += ["-K", key, "-iv", ivt, "-nosalt"] subprocess.run(encargs, check=True) def swupdate_write_sha256(s, filename, hash): 
@@ -109,8 +102,8 @@ def prepare_sw_description(d, s, list_for_cpio): if encrypt: bb.note("Encryption of sw-description") shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain')) - key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) - swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv, salt) + key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv) signing = d.getVar('SWUPDATE_SIGNING', True) if signing == "1": diff --git a/classes/swupdate-enc.bbclass b/classes/swupdate-enc.bbclass index 198ae98..dc421c0 100644 --- a/classes/swupdate-enc.bbclass +++ b/classes/swupdate-enc.bbclass @@ -1,9 +1,8 @@ # # The key must be generated as described in doc # with -# openssl enc -aes-256-cbc -k -P -md sha1 +# openssl enc -aes-256-cbc -k -P -md sha1 -nosalt # The file is in the format -# salt= # key= # iv= # parameters: $1 = input file, $2 = output file @@ -12,11 +11,10 @@ swu_encrypt_file() { output=$2 key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2` iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2` - salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2` - if [ -z ${salt} ] || [ -z ${key} ] || [ -z ${iv} ];then + if [ -z ${key} ] || [ -z ${iv} ];then bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys" fi - openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt} + openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -nosalt } CONVERSIONTYPES += "enc" diff --git a/classes/swupdate.bbclass b/classes/swupdate.bbclass index 81bbc0c..fe7b6ec 100644 --- a/classes/swupdate.bbclass +++ b/classes/swupdate.bbclass 
@@ -101,15 +101,15 @@ python do_swuimage () { filename = os.path.basename(local) aes_file = d.getVar('SWUPDATE_AES_FILE', True) if aes_file: - key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) if (filename != 'sw-description') and (os.path.isfile(local)): encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "") dst = os.path.join(s, "%s" % filename ) if encrypted == '1': bb.note("Encryption requested for %s" %(filename)) - if not key or not iv or not salt: + if not key or not iv: bb.fatal("Encryption required, but no key found") - swupdate_encrypt_file(local, dst, key, iv, salt) + swupdate_encrypt_file(local, dst, key, iv) else: shutil.copyfile(local, dst) list_for_cpio.append(filename) @@ -121,9 +121,9 @@ python do_swuimage () { target_imagename = os.path.basename(imagename) # allow images in subfolders of DEPLOY_DIR_IMAGE dst = os.path.join(s, target_imagename) if encrypt == '1': - key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) + key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True)) bb.note("Encryption requested for %s" %(imagename)) - swupdate_encrypt_file(src, dst, key, iv, salt) + swupdate_encrypt_file(src, dst, key, iv) else: shutil.copyfile(src, dst) list_for_cpio.append(target_imagename)
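Review bot: In swupdate_extract_keys (classes/swupdate-common.bbclass, hunk @@ -32,20 +32,13 @@) a salt entry in an existing keyfile is now dropped without any message. The commit message says it is ignored on purpose, but a bb.note or bb.warn when the keyfile still carries one would tell the user that the value no longer has any effect and can be removed from the file.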
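Review bot: In prepare_sw_description (classes/swupdate-common.bbclass, hunk @@ -109,8 +102,8 @@) key and iv go straight from swupdate_extract_keys into swupdate_encrypt_file with no emptiness check, while the do_swuimage hunk @@ -101,15 +101,15 @@ keeps `if not key or not iv:` followed by bb.fatal. What happens with an empty -K or -iv argument is then left to the openssl version in use. Suggest the same guard before this call, or moving the check into swupdate_extract_keys so that all three call sites share it; the @@ -121,9 +121,9 @@ hunk in classes/swupdate.bbclass has the same gap.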
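Review bot: The header comment in classes/swupdate-enc.bbclass (hunk @@ -1,9 +1,8 @@) now documents key generation with -nosalt, which makes the printed key and iv a deterministic function of the passphrase: the same passphrase always yields the same pair. The comment should say that the passphrase has to be long and random, or point to generating the key and iv from random bytes instead of deriving them from a passphrase.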
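Review bot: In swu_encrypt_file (classes/swupdate-enc.bbclass, hunk @@ -12,11 +11,10 @@) the rewritten test `[ -z ${key} ] || [ -z ${iv} ]` and the rewritten openssl line leave ${key}, ${iv}, ${input} and ${output} unquoted. With an empty value the test only works because `[ -z ]` happens to evaluate as true, and a value containing whitespace breaks it. Since both lines are touched anyway, quote the expansions, for example `[ -z "${key}" ] || [ -z "${iv}" ]`.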
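Review bot: In do_swuimage (classes/swupdate.bbclass, hunk @@ -101,15 +101,15 @@) key and iv are assigned only under `if aes_file:`, yet `if not key or not iv:` reads them whenever a file is flagged in SWUPDATE_IMAGES_ENCRYPTED. Unless both names are initialised above this hunk, an unset SWUPDATE_AES_FILE gives a NameError instead of the bb.fatal message "Encryption required, but no key found"; setting key and iv to None before the `if aes_file:` would fix that. The call can also pass aes_file rather than calling d.getVar('SWUPDATE_AES_FILE', True) a second time.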