Commit 5d87dcb0 authored by Christoph Lauer's avatar Christoph Lauer Committed by Stefano Babic

remove all references to a salt value for encryption



In release 2019.11, support for the salt encryption parameter was removed (see commit 9ce94342d3c212b06a283f95dc9c1c8c52155ce7).
Consequently, remove all references to a salt value for key creation and encryption.
The keyfile for encryption can still contain a salt value; it will simply be ignored.
Also remove obsolete cmd variable.
Signed-off-by: default avatarChristoph Lauer <christoph.lauer@xtronic.de>
Signed-off-by: default avatarChristoph Lauer <dev@online.ms>
parent 96711869
......@@ -32,20 +32,13 @@ def swupdate_extract_keys(keyfile_path):
key = data['key'].rstrip('\n')
iv = data['iv'].rstrip('\n')
salt = data['salt'].rstrip('\n')
return key,iv,salt
return key,iv
def swupdate_encrypt_file(f, out, key, ivt, salt):
def swupdate_encrypt_file(f, out, key, ivt):
import subprocess
encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out]
encargs += ["-K", key, "-iv", ivt, "-S", salt]
cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % (
f,
out,
key,
ivt,
salt)
encargs += ["-K", key, "-iv", ivt, "-nosalt"]
subprocess.run(encargs, check=True)
def swupdate_write_sha256(s, filename, hash):
......@@ -109,8 +102,8 @@ def prepare_sw_description(d, s, list_for_cpio):
if encrypt:
bb.note("Encryption of sw-description")
shutil.copyfile(os.path.join(s, 'sw-description'), os.path.join(s, 'sw-description.plain'))
key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv, salt)
key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
swupdate_encrypt_file(os.path.join(s, 'sw-description.plain'), os.path.join(s, 'sw-description'), key, iv)
signing = d.getVar('SWUPDATE_SIGNING', True)
if signing == "1":
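Review bot: The `-nosalt` added on the line `encargs += ["-K", key, "-iv", ivt, "-nosalt"]` deserves a comment, because with `-K`/`-iv` openssl takes the raw key and IV and, as far as I can tell, never runs the passphrase key derivation where a salt would matter, so a reader will otherwise wonder whether a salt is still in play. Suggested comment above that line: `# raw key/IV are passed via -K/-iv, so no KDF and no salt are involved; -nosalt only makes that explicit (a salt= line in the keyfile is ignored)`. Separately, the tail of swupdate_extract_keys in this hunk indexes `data['key']` and `data['iv']` directly, so a keyfile missing either line dies with a bare KeyError traceback rather than the bbfatal the shell counterpart in swupdate-enc gives; since `bb` is already used in this file, `except KeyError as e: bb.fatal("SWUPDATE_AES_FILE does not contain %s" % e)` around those two reads would give the same message on both paths. swupdate_extract_keys begins outside the hunk.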
......
#
# The key must be generated as described in doc
# with
# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1
# openssl enc -aes-256-cbc -k <PASSPHRASE> -P -md sha1 -nosalt
# The file is in the format
# salt=
# key=
# iv=
# parameters: $1 = input file, $2 = output file
......@@ -12,11 +11,10 @@ swu_encrypt_file() {
output=$2
key=`cat ${SWUPDATE_AES_FILE} | grep ^key | cut -d '=' -f 2`
iv=`cat ${SWUPDATE_AES_FILE} | grep ^iv | cut -d '=' -f 2`
salt=`cat ${SWUPDATE_AES_FILE} | grep ^salt | cut -d '=' -f 2`
if [ -z ${salt} ] || [ -z ${key} ] || [ -z ${iv} ];then
if [ -z ${key} ] || [ -z ${iv} ];then
bbfatal "SWUPDATE_AES_FILE=$SWUPDATE_AES_FILE does not contain valid keys"
fi
openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -S ${salt}
openssl enc -aes-256-cbc -in ${input} -out ${output} -K ${key} -iv ${iv} -nosalt
}
CONVERSIONTYPES += "enc"
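Review bot: The new test on the line `if [ -z ${key} ] || [ -z ${iv} ];then` leaves both expansions unquoted, so a value containing whitespace or glob characters is word-split before `test` sees it, and the empty case only works because a one-argument `[ -z ]` happens to evaluate true; quote them as `if [ -z "${key}" ] || [ -z "${iv}" ]; then` and likewise `-K "${key}" -iv "${iv}"` on the openssl line. `grep ^key` also matches any line that merely starts with `key`; `grep '^key='` pins it to the field the comment block above documents. swu_encrypt_file begins outside the hunk.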
......
......@@ -101,15 +101,15 @@ python do_swuimage () {
filename = os.path.basename(local)
aes_file = d.getVar('SWUPDATE_AES_FILE', True)
if aes_file:
key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
if (filename != 'sw-description') and (os.path.isfile(local)):
encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "")
dst = os.path.join(s, "%s" % filename )
if encrypted == '1':
bb.note("Encryption requested for %s" %(filename))
if not key or not iv or not salt:
if not key or not iv:
bb.fatal("Encryption required, but no key found")
swupdate_encrypt_file(local, dst, key, iv, salt)
swupdate_encrypt_file(local, dst, key, iv)
else:
shutil.copyfile(local, dst)
list_for_cpio.append(filename)
......@@ -121,9 +121,9 @@ python do_swuimage () {
target_imagename = os.path.basename(imagename) # allow images in subfolders of DEPLOY_DIR_IMAGE
dst = os.path.join(s, target_imagename)
if encrypt == '1':
key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
bb.note("Encryption requested for %s" %(imagename))
swupdate_encrypt_file(src, dst, key, iv, salt)
swupdate_encrypt_file(src, dst, key, iv)
else:
shutil.copyfile(src, dst)
list_for_cpio.append(target_imagename)
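Review bot: In the first hunk, `key,iv = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))` re-fetches the variable that was just read into `aes_file` on the line above; `key,iv = swupdate_extract_keys(aes_file)` says the same thing and keeps the guard and the call in step. Unless `key` and `iv` are initialised above the hunk, the later `if not key or not iv:` raises UnboundLocalError instead of reaching the intended `bb.fatal` when encryption is requested but SWUPDATE_AES_FILE is unset, which is worth confirming since do_swuimage begins outside the hunk. Every call in both hunks, and the one in prepare_sw_description, passes the single `iv` taken from the keyfile, so all artifacts are encrypted in CBC mode under the same key and IV; that is a property of the keyfile format rather than of this commit, but a comment at the extraction site such as `# NOTE: the one key/IV pair from SWUPDATE_AES_FILE is reused for every encrypted artifact; CBC with a fixed IV does not hide a shared plaintext prefix across files` would make the trade-off visible to maintainers.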
......