Fix breakage if encryption is not set

Commit introduces the encryption into the swupdate class, but it breaks builds if encryption is not used at all. Fix this and rework function to retrieve key from a file. Replace os.system() with subprocess.run() - this should be done for other occurrencies od os.system() that is declared obsolete. Signed-off-by: Stefano Babic <sbabic@denx.de>

Fix breakage if encryption is not set
Commit introduces the encryption into the swupdate class, but it breaks builds if encryption is not used at all. Fix this and rework function to retrieve key from a file. Replace os.system() with subprocess.run() - this should be done for other occurrencies od os.system() that is declared obsolete. Signed-off-by: Stefano Babic <sbabic@denx.de>
9995157c · Stefano Babic · 4bf4a4a3 · 9995157c · 9995157c
Commit 9995157c authored Nov 30, 2020 by Stefano Babic
--- a/classes/swupdate-common.bbclass
+++ b/classes/swupdate-common.bbclass
@@ -18,35 +18,35 @@ def swupdate_get_sha256(s, filename):
            m.update(data)
    return m.hexdigest()

-def swupdate_extract_keys(keyfile):
+def swupdate_extract_keys(keyfile_path):
    try:
-        keys = open(keyfile)
+        with open(keyfile_path, 'r') as f:
+            lines = f.readlines()
    except IOError:
        bb.fatal("Failed to open file with keys %s" % (keyfile))
-    lines = keys.read()
-    keys.close()
-    lines = lines.splitlines(True)
-    for line in lines:
-        line = line.replace('\n', '')
-        kv = line.split('=')
-        if kv[0] == 'salt':
-            salt = kv[1]
-        if kv[0] == 'key':
-            key = kv[1]
-        if kv[0] == 'iv' or kv[0] == 'iv ':
-            iv = kv[1]
+
+    data = {}
+    for _ in lines:
+        k,v = _.split('=',maxsplit=1)
+        data[k.rstrip()] = v
+
+    key = data['key']
+    iv = data['iv']
+    salt = data['salt']
+
    return key,iv,salt

 def swupdate_encrypt_file(f, out, key, ivt, salt):
+    import subprocess
+    encargs = ["openssl", "enc", "-aes-256-cbc", "-in", f, "-out", out]
+    encargs += ["-K", key, "-iv", ivt, "-S", salt]
    cmd = "openssl enc -aes-256-cbc -in '%s' -out '%s' -K '%s' -iv '%s' -S '%s'" % (
                f,
                out,
                key,
                ivt,
                salt)
-    if os.system(cmd) != 0:
-        bb.fatal("Failed to encrypt %s" % (f))
-
+    subprocess.run(encargs, check=True)

 def swupdate_write_sha256(s, filename, hash):
    write_lines = []

--- a/classes/swupdate.bbclass
+++ b/classes/swupdate.bbclass
@@ -99,12 +99,16 @@ python do_swuimage () {
    for url in fetch.urls:
        local = fetch.localpath(url)
        filename = os.path.basename(local)
+        aes_file = d.getVar('SWUPDATE_AES_FILE', True)
+        if aes_file:
+            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
        if (filename != 'sw-description') and (os.path.isfile(local)):
            encrypted = (d.getVarFlag("SWUPDATE_IMAGES_ENCRYPTED", filename, True) or "")
-            key,iv,salt = swupdate_extract_keys(d.getVar('SWUPDATE_AES_FILE', True))
            dst = os.path.join(s, "%s" % filename )
            if encrypted == '1':
                bb.note("Encryption requested for %s" %(filename))
+                if not key or not iv or not salt:
+                    bb.fatal("Encryption required, but no key found")
                swupdate_encrypt_file(local, dst, key, iv, salt)
            else:
                shutil.copyfile(local, dst)
@@ -148,7 +152,7 @@ python do_swuimage () {
                if not image_found:
                    bb.fatal("swupdate cannot find image file: %s" % os.path.join(deploydir, imagebase + fstype))
        else:  # Allow also complete entries like "image.ext4.gz" in SWUPDATE_IMAGES
-            if not add_image_to_swu(deploydir, image, s):
+            if not add_image_to_swu(deploydir, image, s, encrypted):
                bb.fatal("swupdate cannot find %s image file" % image)

    prepare_sw_description(d, s, list_for_cpio)