summaryrefslogtreecommitdiff
path: root/ubifs-utils
diff options
context:
space:
mode:
authorRichard Weinberger <richard@nod.at>2018-10-18 16:37:12 +0200
committerDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2018-11-01 12:42:01 +0100
commit9c8caf5aca7527235afcbbb813e9bf490a239dee (patch)
treec5dbafb842920201295ae9572084f66467799d33 /ubifs-utils
parent922a6e998538a1ea57682d0d3373cb4d19e9dc02 (diff)
mkfs.ubifs: Compute encryption key descriptor automatically
...if none is given. To be compatible with fscryptctl. Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Diffstat (limited to 'ubifs-utils')
-rw-r--r--ubifs-utils/mkfs.ubifs/crypto.c27
-rw-r--r--ubifs-utils/mkfs.ubifs/crypto.h1
-rw-r--r--ubifs-utils/mkfs.ubifs/fscrypt.c11
-rw-r--r--ubifs-utils/mkfs.ubifs/mkfs.ubifs.c2
4 files changed, 33 insertions, 8 deletions
diff --git a/ubifs-utils/mkfs.ubifs/crypto.c b/ubifs-utils/mkfs.ubifs/crypto.c
index d0f24e1..50a09b5 100644
--- a/ubifs-utils/mkfs.ubifs/crypto.c
+++ b/ubifs-utils/mkfs.ubifs/crypto.c
@@ -26,7 +26,7 @@
#include "fscrypt.h"
#include "common.h"
-static int do_sha256(const unsigned char *in, size_t len, unsigned char *out)
+static int do_hash(const EVP_MD *md, const unsigned char *in, size_t len, unsigned char *out)
{
unsigned int out_len;
EVP_MD_CTX *mdctx = EVP_MD_CTX_create();
@@ -34,7 +34,7 @@ static int do_sha256(const unsigned char *in, size_t len, unsigned char *out)
if (!mdctx)
return -1;
- if (EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) != 1)
+ if (EVP_DigestInit_ex(mdctx, md, NULL) != 1)
return -1;
if(EVP_DigestUpdate(mdctx, in, len) != 1)
@@ -121,7 +121,7 @@ static size_t gen_essiv_salt(const void *iv, size_t iv_len, const void *key, siz
return -1;
}
- if (do_sha256(key, key_len, sha256) != 0) {
+ if (do_hash(EVP_sha256(), key, key_len, sha256) != 0) {
errmsg("sha256 failed");
return -1;
}
@@ -288,6 +288,27 @@ ssize_t derive_key_aes(const void *deriving_key, const void *source_key,
aes_key_len, NULL, 0, derived_key);
}
+int derive_key_descriptor(const void *source_key, void *descriptor)
+{
+ int ret = -1;
+ void *hash1 = xzalloc(EVP_MD_size(EVP_sha512()));
+ void *hash2 = xzalloc(EVP_MD_size(EVP_sha512()));
+
+ if (do_hash(EVP_sha512(), source_key, FS_MAX_KEY_SIZE, hash1) != 0)
+ goto out;
+
+ if (do_hash(EVP_sha512(), hash1, EVP_MD_size(EVP_sha512()), hash2) != 0)
+ goto out;
+
+ memcpy(descriptor, hash2, FS_KEY_DESCRIPTOR_SIZE);
+
+ ret = 0;
+out:
+ free(hash1);
+ free(hash2);
+ return ret;
+}
+
static struct cipher ciphers[] = {
{
.name = "AES-128-CBC",
diff --git a/ubifs-utils/mkfs.ubifs/crypto.h b/ubifs-utils/mkfs.ubifs/crypto.h
index c2631dd..f275839 100644
--- a/ubifs-utils/mkfs.ubifs/crypto.h
+++ b/ubifs-utils/mkfs.ubifs/crypto.h
@@ -49,6 +49,7 @@ void crypto_cleanup(void);
ssize_t derive_key_aes(const void *deriving_key, const void *source_key,
size_t source_key_len, void *derived_key);
+int derive_key_descriptor(const void *source_key, void *descriptor);
struct cipher *get_cipher(const char *name);
diff --git a/ubifs-utils/mkfs.ubifs/fscrypt.c b/ubifs-utils/mkfs.ubifs/fscrypt.c
index b9f9acc..ce6e2fc 100644
--- a/ubifs-utils/mkfs.ubifs/fscrypt.c
+++ b/ubifs-utils/mkfs.ubifs/fscrypt.c
@@ -242,12 +242,17 @@ struct fscrypt_context *init_fscrypt_context(const char *cipher_name,
return NULL;
}
- if (parse_key_descriptor(key_descriptor, master_key_descriptor))
- return NULL;
-
if (load_master_key(key_file, fscrypt_cipher))
return NULL;
+ if (!key_descriptor) {
+ if (derive_key_descriptor(fscrypt_masterkey, master_key_descriptor))
+ return NULL;
+ } else {
+ if (parse_key_descriptor(key_descriptor, master_key_descriptor))
+ return NULL;
+ }
+
RAND_bytes((void *)nonce, FS_KEY_DERIVATION_NONCE_SIZE);
new_fctx = xmalloc(sizeof(*new_fctx));
diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index 9bd15a2..f8d8e52 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -752,8 +752,6 @@ static int get_options(int argc, char**argv)
if (key_file || key_desc) {
if (!key_file)
return err_msg("no key file specified");
- if (!key_desc)
- return err_msg("no key descriptor specified");
c->double_hash = 1;
c->encrypted = 1;