
[40/42] mkfs.ubifs: Enable support for building without crypto

Message ID 20181018143718.26298-41-richard@nod.at
State Accepted
Delegated to: David Oberhollenzer
Series mtd-utils: Add fscrypt support to mkfs.ubifs | expand

Commit Message

Richard Weinberger Oct. 18, 2018, 2:37 p.m. UTC
Signed-off-by: Richard Weinberger <richard@nod.at>
---
 Makefile.am                         |  4 ++
 configure.ac                        | 27 ++++++++++--
 ubifs-utils/Makemodule.am           | 10 +++--
 ubifs-utils/mkfs.ubifs/crypto.h     | 11 +++--
 ubifs-utils/mkfs.ubifs/fscrypt.h    | 65 +++++++++++++++++++++++++----
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 56 ++++++++++++++++++++++---
 6 files changed, 148 insertions(+), 25 deletions(-)

Patch

diff --git a/Makefile.am b/Makefile.am
index 391edef4ee31..1bc4684b191d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -14,6 +14,10 @@  if WITH_SELINUX
 AM_CPPFLAGS += -DWITH_SELINUX
 endif
 
+if WITH_CRYPTO
+AM_CPPFLAGS += -DWITH_CRYPTO
+endif
+
 sbin_PROGRAMS =
 sbin_SCRIPTS =
 check_PROGRAMS =
diff --git a/configure.ac b/configure.ac
index 346fcbd26328..d5abb14263b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,7 +69,7 @@  need_lzo="no"
 need_xattr="no"
 need_cmocka="no"
 need_selinux="no"
-
+need_openssl="no"
 
 AM_COND_IF([UNIT_TESTS], [
 	need_cmocka="yes"
@@ -115,8 +115,6 @@  AC_ARG_ENABLE([lsmtd],
 	esac],
 	[AM_CONDITIONAL([BUILD_LSMTD], [true])])
 
-AC_CHECK_HEADER(openssl/rand.h)
-
 AC_ARG_WITH([jffs],
 	[AS_HELP_STRING([--without-jffs], [Disable jffsX utilities])],
 	[case "${withval}" in
@@ -140,6 +138,7 @@  AM_COND_IF([BUILD_UBIFS], [
 	need_xattr="yes"
 	need_zlib="yes"
 	need_lzo="yes"
+	need_openssl="yes"
 ])
 
 AM_COND_IF([BUILD_JFFSX], [
@@ -174,6 +173,15 @@  AC_ARG_WITH([selinux],
 	*) AC_MSG_ERROR([bad value ${withval} for --with-selinux]) ;;
 	esac])
 
+AC_ARG_WITH([crypto],
+	[AS_HELP_STRING([--without-crypto],
+		[Disable support for UBIFS crypto features])],
+	[case "${withval}" in
+	yes) ;;
+	no) need_openssl="no";;
+	*) AC_MSG_ERROR([bad value ${withval} for --without-crypto]) ;;
+	esac])
+
 ##### search for dependencies #####
 
 clock_gettime_missing="no"
@@ -184,6 +192,7 @@  lzo_missing="no"
 xattr_missing="no"
 cmocka_missing="no"
 selinux_missing="no"
+openssl_missing="no"
 
 if test "x$need_zlib" = "xyes"; then
 	PKG_CHECK_MODULES(ZLIB, [zlib], [], [zlib_missing="yes"])
@@ -226,6 +235,11 @@  if test "x$need_selinux" = "xyes"; then
 	AC_CHECK_HEADERS([selinux/label.h], [], [selinux_missing="yes"])
 fi
 
+if test "x$need_openssl" = "xyes"; then
+	AC_CHECK_HEADER(openssl/rand.h)
+	PKG_CHECK_MODULES(OPENSSL, [openssl], [], [openssl_missing="yes"])
+fi
+
 if test "x$need_cmocka" = "xyes"; then
 	PKG_CHECK_MODULES(CMOCKA, [cmocka], [], [cmocka_missing="yes"])
 fi
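Review bot: The `AC_CHECK_HEADER(openssl/rand.h)` call moved into this block has no action arguments, so its result is never consulted; only a `PKG_CHECK_MODULES` failure sets `openssl_missing`. Either drop the probe or give it a failure action, e.g. `AC_CHECK_HEADER([openssl/rand.h], [], [openssl_missing="yes"])`. That way a system with a pkg-config file but no development headers is caught at configure time rather than at compile time.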
@@ -281,6 +295,12 @@  if test "x$selinux_missing" = "xyes"; then
 	need_selinux="no"
 fi
 
+if test "x$openssl_missing" = "xyes"; then
+	AC_MSG_WARN([cannot find headers for OpenSSL library])
+	AC_MSG_WARN([disabling OpenSSL support])
+	need_openssl="no"
+fi
+
 if test "x$cmocka_missing" = "xyes"; then
 	AC_MSG_WARN([cannot find CMocka library required for unit tests])
 	AC_MSG_NOTICE([unit tests can optionally be disabled])
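Review bot: When OpenSSL is not found, the added block only warns and clears `need_openssl`, even if the user passed `--with-crypto` explicitly (the `yes) ;;` arm in the `AC_ARG_WITH` hunk records nothing). A build that was asked to include encryption support then quietly ships without it, which is easy to miss in automated image builds. Consider remembering the explicit request and failing in that case, e.g. `AC_MSG_ERROR([--with-crypto given but OpenSSL was not found])`, while keeping warn-and-disable for the default path.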
@@ -296,6 +316,7 @@  fi
 AM_CONDITIONAL([WITHOUT_LZO], [test "x$need_lzo" != "xyes"])
 AM_CONDITIONAL([WITHOUT_XATTR], [test "x$need_xattr" != "xyes"])
 AM_CONDITIONAL([WITH_SELINUX], [test "x$need_selinux" == "xyes"])
+AM_CONDITIONAL([WITH_CRYPTO], [test "x$need_openssl" == "xyes"])
 
 AC_CHECK_SIZEOF([off_t])
 AC_CHECK_SIZEOF([loff_t])
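Review bot: The new `AM_CONDITIONAL([WITH_CRYPTO], ...)` line uses `==` inside `test`, which POSIX does not define; it copies the `WITH_SELINUX` line above it. Under a strict POSIX `/bin/sh` the comparison can fail with an error, which would leave `WITH_CRYPTO` false and drop crypto support without any message. Use `test "x$need_openssl" = "xyes"`, as the `need_*` checks earlier in the file do.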
diff --git a/ubifs-utils/Makemodule.am b/ubifs-utils/Makemodule.am
index 5905a2badbb6..b8e4075c9d2a 100644
--- a/ubifs-utils/Makemodule.am
+++ b/ubifs-utils/Makemodule.am
@@ -10,15 +10,19 @@  mkfs_ubifs_SOURCES = \
 	ubifs-utils/mkfs.ubifs/crc16.c \
 	ubifs-utils/mkfs.ubifs/lpt.c \
 	ubifs-utils/mkfs.ubifs/compr.c \
-	ubifs-utils/mkfs.ubifs/crypto.c \
-	ubifs-utils/mkfs.ubifs/fscrypt.c \
 	ubifs-utils/mkfs.ubifs/hashtable/hashtable.h \
 	ubifs-utils/mkfs.ubifs/hashtable/hashtable_itr.h \
 	ubifs-utils/mkfs.ubifs/hashtable/hashtable_private.h \
 	ubifs-utils/mkfs.ubifs/hashtable/hashtable.c \
 	ubifs-utils/mkfs.ubifs/hashtable/hashtable_itr.c \
 	ubifs-utils/mkfs.ubifs/devtable.c
-mkfs_ubifs_LDADD = libmtd.a libubi.a $(ZLIB_LIBS) $(LZO_LIBS) $(UUID_LIBS) $(LIBSELINUX_LIBS) -lm -lssl -lcrypto
+
+if WITH_CRYPTO
+mkfs_ubifs_SOURCES += ubifs-utils/mkfs.ubifs/crypto.c \
+		ubifs-utils/mkfs.ubifs/fscrypt.c
+endif
+
+mkfs_ubifs_LDADD = libmtd.a libubi.a $(ZLIB_LIBS) $(LZO_LIBS) $(UUID_LIBS) $(LIBSELINUX_LIBS) $(OPENSSL_LIBS) -lm
 mkfs_ubifs_CPPFLAGS = $(AM_CPPFLAGS) $(ZLIB_CFLAGS) $(LZO_CFLAGS) $(UUID_CFLAGS) $(LIBSELINUX_CFLAGS)\
 	-I$(top_srcdir)/ubi-utils/include -I$(top_srcdir)/ubifs-utils/mkfs.ubifs/
 
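Review bot: `$(OPENSSL_LIBS)` is added to `mkfs_ubifs_LDADD`, but the `mkfs_ubifs_CPPFLAGS` line below it still lacks `$(OPENSSL_CFLAGS)`, so the include path reported by pkg-config is not used when compiling. With OpenSSL installed under a non-default prefix the configure check would pass, and the compile could then fail or pick up headers that do not match the library being linked. Add `$(OPENSSL_CFLAGS)` next to `$(LIBSELINUX_CFLAGS)`.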
diff --git a/ubifs-utils/mkfs.ubifs/crypto.h b/ubifs-utils/mkfs.ubifs/crypto.h
index f275839aa77d..b6ffad19b72d 100644
--- a/ubifs-utils/mkfs.ubifs/crypto.h
+++ b/ubifs-utils/mkfs.ubifs/crypto.h
@@ -41,19 +41,18 @@  struct cipher {
 	unsigned int fscrypt_fname_mode;
 };
 
-
+#ifdef WITH_CRYPTO
 int crypto_init(void);
-
 void crypto_cleanup(void);
-
 ssize_t derive_key_aes(const void *deriving_key, const void *source_key,
 		       size_t source_key_len, void *derived_key);
-
 int derive_key_descriptor(const void *source_key, void *descriptor);
-
 struct cipher *get_cipher(const char *name);
-
 void list_ciphers(FILE *fp);
+#else
+static inline int crypto_init(void) { return 0;}
+static inline void crypto_cleanup(void) {}
+#endif /* WITH_CRYPTO */
 
 #endif /* UBIFS_CRYPTO_H */
 
diff --git a/ubifs-utils/mkfs.ubifs/fscrypt.h b/ubifs-utils/mkfs.ubifs/fscrypt.h
index e3cfee50290a..3b717b4359c6 100644
--- a/ubifs-utils/mkfs.ubifs/fscrypt.h
+++ b/ubifs-utils/mkfs.ubifs/fscrypt.h
@@ -97,27 +97,76 @@  struct fscrypt_symlink_data {
 #define FS_IV_SIZE 16
 #endif
 
+#ifdef WITH_CRYPTO
 unsigned char *calc_fscrypt_subkey(struct fscrypt_context *fctx);
-
 struct fscrypt_context *inherit_fscrypt_context(struct fscrypt_context *fctx);
-
 void free_fscrypt_context(struct fscrypt_context *fctx);
-
 void print_fscrypt_master_key_descriptor(struct fscrypt_context *fctx);
-
 unsigned int fscrypt_fname_encrypted_size(struct fscrypt_context *fctx,
 					  unsigned int ilen);
-
 int encrypt_path(void **outbuf, void *data, unsigned int data_len,
 		 unsigned int max_namelen, struct fscrypt_context *fctx);
-
 int encrypt_data_node(struct fscrypt_context *fctx, unsigned int block_no,
 		      struct ubifs_data_node *dn, size_t length);
-
 struct fscrypt_context *init_fscrypt_context(const char *cipher_name,
 					     unsigned int flags,
 					     const char *key_file,
 					     const char *key_descriptor);
-
+#else
+static inline struct fscrypt_context *init_fscrypt_context(
+					const char *cipher_name,
+					unsigned int flags,
+					const char *key_file,
+					const char *key_descriptor)
+{
+	(void)cipher_name;
+	(void)flags;
+	(void)key_file;
+	(void)key_descriptor;
+
+	assert(0);
+	return NULL;
+}
+
+static inline void free_fscrypt_context(struct fscrypt_context *fctx)
+{
+	(void)fctx;
+
+	assert(0);
+}
+
+static inline int encrypt_path(void **outbuf, void *data, unsigned int data_len,
+		 unsigned int max_namelen, struct fscrypt_context *fctx)
+{
+	(void)outbuf;
+	(void)data;
+	(void)data_len;
+	(void)max_namelen;
+	(void)fctx;
+
+	assert(0);
+	return -1;
+}
+
+static inline int encrypt_data_node(struct fscrypt_context *fctx, unsigned int block_no,
+		      struct ubifs_data_node *dn, size_t length)
+{
+	(void)fctx;
+	(void)block_no;
+	(void)dn;
+	(void)length;
+
+	assert(0);
+	return -1;
+}
+
+static inline struct fscrypt_context *inherit_fscrypt_context(struct fscrypt_context *fctx)
+{
+	(void)fctx;
+
+	assert(0);
+	return NULL;
+}
+#endif /* WITH_CRYPTO */
 #endif /* FSCRYPT_H */
 
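Review bot: The stubs in the `#else` branch rely on `assert(0)` alone, which compiles away when `NDEBUG` is defined. `inherit_fscrypt_context()` would then return NULL, the same value the callers in `add_directory()` appear to treat as "no encryption", and `free_fscrypt_context()` would become a silent no-op. These paths should be unreachable in a build without crypto, so an unconditional `abort()` (or an error message plus error return) keeps them fail-closed regardless of build flags. The hunk also shows no `#include <assert.h>` in this header, so it presumably depends on the includer. The `set_fscrypt_context()` and `encrypt_symlink()` stubs added to mkfs.ubifs.c follow the same pattern.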
diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index e4204dae07cb..7073bf052688 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -508,9 +508,12 @@  static int get_options(int argc, char**argv)
 {
 	int opt, i, fscrypt_flags = FS_POLICY_FLAGS_PAD_4;
 	const char *key_file = NULL, *key_desc = NULL;
-	const char *tbl_file = NULL, *cipher_name = "AES-128-CBC";
+	const char *tbl_file = NULL;
 	struct stat st;
 	char *endp;
+#ifdef WITH_CRYPTO
+	const char *cipher_name;
+#endif
 
 	c->fanout = 8;
 	c->orph_lebs = 1;
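Review bot: `cipher_name` loses its initialiser here (`const char *cipher_name;`), yet the later hunk in `get_options()` tests `if (cipher_name == NULL)` before defaulting to "AES-128-CBC". When `-C` is not given, that test reads an indeterminate pointer, and a non-NULL garbage value would be passed on to `init_fscrypt_context()`. Declare it as `const char *cipher_name = NULL;`. The body of `get_options()` continues outside this hunk.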
@@ -587,8 +590,10 @@  static int get_options(int argc, char**argv)
 			exit(EXIT_SUCCESS);
 		case '?':
 			printf("%s", helptext);
+#ifdef WITH_CRYPTO
 			printf("\n\nSupported ciphers:\n");
 			list_ciphers(stdout);
+#endif
 			exit(-1);
 		case 'v':
 			verbose = 1;
@@ -729,7 +734,11 @@  static int get_options(int argc, char**argv)
 			break;
 		}
 		case 'C':
+#ifdef WITH_CRYPTO
 			cipher_name = optarg;
+#else
+			return err_msg("mkfs.ubifs was built without crypto support.");
+#endif
 			break;
 		}
 	}
@@ -748,20 +757,26 @@  static int get_options(int argc, char**argv)
 		if (c->max_leb_cnt == -1)
 			c->max_leb_cnt = c->vi.rsvd_lebs;
 	}
-
 	if (key_file || key_desc) {
+#ifdef WITH_CRYPTO
 		if (!key_file)
 			return err_msg("no key file specified");
 
 		c->double_hash = 1;
 		c->encrypted = 1;
 
+		if (cipher_name == NULL)
+			cipher_name = "AES-128-CBC";
+
 		root_fctx = init_fscrypt_context(cipher_name, fscrypt_flags,
 						key_file, key_desc);
 		if (!root_fctx)
 			return -1;
 
 		print_fscrypt_master_key_descriptor(root_fctx);
+#else
+		return err_msg("mkfs.ubifs was built without crypto support.");
+#endif
 	}
 
 	if (c->min_io_size == -1)
@@ -1385,6 +1400,7 @@  static inline int inode_add_selinux_xattr(struct ubifs_ino_node *host_ino,
 }
 #endif
 
+#ifdef WITH_CRYPTO
 static int set_fscrypt_context(struct ubifs_ino_node *host_ino, ino_t inum,
 			       struct stat *host_st,
 			       struct fscrypt_context *fctx)
@@ -1421,6 +1437,31 @@  static int encrypt_symlink(void *dst, void *data, unsigned int data_len,
 	free(sd);
 	return link_disk_len;
 }
+#else
+static int set_fscrypt_context(struct ubifs_ino_node *host_ino, ino_t inum,
+			       struct stat *host_st,
+			       struct fscrypt_context *fctx)
+{
+	(void)host_ino;
+	(void)inum;
+	(void)host_st;
+	(void)fctx;
+
+	assert(0);
+	return -1;
+}
+static int encrypt_symlink(void *dst, void *data, unsigned int data_len,
+			   struct fscrypt_context *fctx)
+{
+	(void)dst;
+	(void)data;
+	(void)data_len;
+	(void)fctx;
+
+	assert(0);
+	return -1;
+}
+#endif
 
 /**
  * add_inode - write an inode.
@@ -1582,9 +1623,11 @@  static int add_symlink_inode(const char *path_name, struct stat *st, ino_t inum,
 
 static void set_dent_cookie(struct ubifs_dent_node *dent)
 {
+#ifdef WITH_CRYPTO
 	if (c->double_hash)
 		RAND_bytes((void *)&dent->cookie, sizeof(dent->cookie));
 	else
+#endif
 		dent->cookie = 0;
 }
 
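Review bot: The return value of `RAND_bytes()` in `set_dent_cookie()` is ignored, so if the generator fails the cookie keeps whatever the dent buffer held and the image is written anyway. The cookie is only randomised in double-hash (encrypted) mode, so a failure there should stop the run: check `RAND_bytes(...) != 1` and report an error. The function returns void, so it would need to return a status or exit. Separately, the `else` that sits inside the `#ifdef` with its statement outside reads as fragile; bracing both arms or splitting the function per configuration would make the non-crypto path obvious.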
@@ -1981,7 +2024,8 @@  static int add_directory(const char *dir_name, ino_t dir_inum, struct stat *st,
 
 		inum = ++c->highest_inum;
 
-		new_fctx = inherit_fscrypt_context(fctx);
+		if (fctx)
+			new_fctx = inherit_fscrypt_context(fctx);
 
 		if (S_ISDIR(dent_st.st_mode)) {
 			err = add_directory(name, inum, &dent_st, 1, new_fctx);
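Review bot: With the new `if (fctx)` guard, `new_fctx` is no longer assigned on every loop iteration, so the `if (new_fctx) free_fscrypt_context(new_fctx);` checks in the two following hunks of `add_directory()` now depend on it starting out as NULL. Its declaration is outside these hunks. If it is not already initialised, `struct fscrypt_context *new_fctx = NULL;` is needed; otherwise the unencrypted path reads an indeterminate pointer and may pass it to `add_directory()` or the free call. A short comment at the guard, such as `/* NULL fctx means the tree is not encrypted */`, would also document the convention.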
@@ -2006,7 +2050,8 @@  static int add_directory(const char *dir_name, ino_t dir_inum, struct stat *st,
 		size += ALIGN(UBIFS_DENT_NODE_SZ + strlen(entry->d_name) + 1,
 			      8);
 
-		free_fscrypt_context(new_fctx);
+		if (new_fctx)
+			free_fscrypt_context(new_fctx);
 	}
 
 	/*
@@ -2068,7 +2113,8 @@  static int add_directory(const char *dir_name, ino_t dir_inum, struct stat *st,
 		size += ALIGN(UBIFS_DENT_NODE_SZ + strlen(nh_elt->name) + 1, 8);
 
 		nh_elt = next_name_htbl_element(ph_elt, &itr);
-		free_fscrypt_context(new_fctx);
+		if (new_fctx)
+			free_fscrypt_context(new_fctx);
 	}
 
 	creat_sqnum = dir_creat_sqnum;