From: Richard Weinberger <richard@nod.at>
To: linux-mtd@lists.infradead.org
Cc: david.oberhollenzer@sigma-star.at, Richard Weinberger <richard@nod.at>
Subject: [PATCH 40/42] mkfs.ubifs: Enable support for building without crypto
Date: Thu, 18 Oct 2018 16:37:16 +0200	[thread overview]
Message-ID: <20181018143718.26298-41-richard@nod.at> (raw)
In-Reply-To: <20181018143718.26298-1-richard@nod.at>

Signed-off-by: Richard Weinberger <richard@nod.at>
---
 Makefile.am                         |  4 ++
 configure.ac                        | 27 ++++++++++--
 ubifs-utils/Makemodule.am           | 10 +++--
 ubifs-utils/mkfs.ubifs/crypto.h     | 11 +++--
 ubifs-utils/mkfs.ubifs/fscrypt.h    | 65 +++++++++++++++++++++++++----
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 56 ++++++++++++++++++++++---
 6 files changed, 148 insertions(+), 25 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 391edef4ee31..1bc4684b191d 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -14,6 +14,10 @@ if WITH_SELINUX
 AM_CPPFLAGS += -DWITH_SELINUX
 endif
 
+if WITH_CRYPTO
+AM_CPPFLAGS += -DWITH_CRYPTO
+endif
+
 sbin_PROGRAMS =
 sbin_SCRIPTS =
 check_PROGRAMS =
diff --git a/configure.ac b/configure.ac
index 346fcbd26328..d5abb14263b5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -69,7 +69,7 @@ need_lzo="no"
 need_xattr="no"
 need_cmocka="no"
 need_selinux="no"
-
+need_openssl="no"
 
 AM_COND_IF([UNIT_TESTS], [
 	need_cmocka="yes"
@@ -115,8 +115,6 @@ AC_ARG_ENABLE([lsmtd],
 	esac],
 	[AM_CONDITIONAL([BUILD_LSMTD], [true])])
 
-AC_CHECK_HEADER(openssl/rand.h)
-
 AC_ARG_WITH([jffs],
 	[AS_HELP_STRING([--without-jffs], [Disable jffsX utilities])],
 	[case "${withval}" in
@@ -140,6 +138,7 @@ AM_COND_IF([BUILD_UBIFS], [
 	need_xattr="yes"
 	need_zlib="yes"
 	need_lzo="yes"
+	need_openssl="yes"
 ])
 
 AM_COND_IF([BUILD_JFFSX], [
@@ -174,6 +173,15 @@ AC_ARG_WITH([selinux],
 	*) AC_MSG_ERROR([bad value ${withval} for --with-selinux]) ;;
 	esac])
 
+AC_ARG_WITH([crypto],
+	[AS_HELP_STRING([--without-crypto],
+		[Disable support for UBIFS crypto features])],
+	[case "${withval}" in
+	yes) ;;
+	no) need_openssl="no";;
+	*) AC_MSG_ERROR([bad value ${withval} for --without-crypto]) ;;
+	esac])
+
 ##### search for dependencies #####
 
 clock_gettime_missing="no"
@@ -184,6 +192,7 @@ lzo_missing="no"
 xattr_missing="no"
 cmocka_missing="no"
 selinux_missing="no"
+openssl_missing="no"
 
 if test "x$need_zlib" = "xyes"; then
 	PKG_CHECK_MODULES(ZLIB, [zlib], [], [zlib_missing="yes"])
@@ -226,6 +235,11 @@ if test "x$need_selinux" = "xyes"; then
 	AC_CHECK_HEADERS([selinux/label.h], [], [selinux_missing="yes"])
 fi
 
+if test "x$need_openssl" = "xyes"; then
+	AC_CHECK_HEADER(openssl/rand.h)
+	PKG_CHECK_MODULES(OPENSSL, [openssl], [], [openssl_missing="yes"])
+fi
+
 if test "x$need_cmocka" = "xyes"; then
 	PKG_CHECK_MODULES(CMOCKA, [cmocka], [], [cmocka_missing="yes"])
 fi
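Review bot: The result of `AC_CHECK_HEADER(openssl/rand.h)` in the new `need_openssl` block is discarded, so only a pkg-config failure ever sets `openssl_missing`. If the header check is meant to gate the feature, give it a failure action, `AC_CHECK_HEADER([openssl/rand.h], [], [openssl_missing="yes"])`; otherwise drop it, since `PKG_CHECK_MODULES` already decides. The later warning "cannot find headers for OpenSSL library" would then describe what was actually tested.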
@@ -281,6 +295,12 @@ if test "x$selinux_missing" = "xyes"; then
 	need_selinux="no"
 fi
 
+if test "x$openssl_missing" = "xyes"; then
+	AC_MSG_WARN([cannot find headers for OpenSSL library])
+	AC_MSG_WARN([disabling OpenSSL support])
+	need_openssl="no"
+fi
+
 if test "x$cmocka_missing" = "xyes"; then
 	AC_MSG_WARN([cannot find CMocka library required for unit tests])
 	AC_MSG_NOTICE([unit tests can optionally be disabled])
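Review bot: When OpenSSL is not found, the new `openssl_missing` block downgrades to a build without encryption support even if the user passed `--with-crypto` explicitly, because the `yes) ;;` arm in the `AC_ARG_WITH([crypto], ...)` hunk records nothing. An explicit request for the crypto feature should fail configuration rather than be dropped with a warning. Set a flag in the `yes)` arm (for example `require_openssl="yes"`) and call `AC_MSG_ERROR` here when it is set. The default, unrequested case can keep the warning.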
@@ -296,6 +316,7 @@ fi
 AM_CONDITIONAL([WITHOUT_LZO], [test "x$need_lzo" != "xyes"])
 AM_CONDITIONAL([WITHOUT_XATTR], [test "x$need_xattr" != "xyes"])
 AM_CONDITIONAL([WITH_SELINUX], [test "x$need_selinux" == "xyes"])
+AM_CONDITIONAL([WITH_CRYPTO], [test "x$need_openssl" == "xyes"])
 
 AC_CHECK_SIZEOF([off_t])
 AC_CHECK_SIZEOF([loff_t])
diff --git a/ubifs-utils/Makemodule.am b/ubifs-utils/Makemodule.am
index 5905a2badbb6..b8e4075c9d2a 100644
--- a/ubifs-utils/Makemodule.am
+++ b/ubifs-utils/Makemodule.am
@@ -10,15 +10,19 @@ mkfs_ubifs_SOURCES = \
 	ubifs-utils/mkfs.ubifs/crc16.c \
 	ubifs-utils/mkfs.ubifs/lpt.c \
 	ubifs-utils/mkfs.ubifs/compr.c \
-	ubifs-utils/mkfs.ubifs/crypto.c \
-	ubifs-utils/mkfs.ubifs/fscrypt.c \
 	ubifs-utils/mkfs.ubifs/hashtable/hashtable.h \
 	ubifs-utils/mkfs.ubifs/hashtable/hashtable_itr.h \
 	ubifs-utils/mkfs.ubifs/hashtable/hashtable_private.h \
 	ubifs-utils/mkfs.ubifs/hashtable/hashtable.c \
 	ubifs-utils/mkfs.ubifs/hashtable/hashtable_itr.c \
 	ubifs-utils/mkfs.ubifs/devtable.c
-mkfs_ubifs_LDADD = libmtd.a libubi.a $(ZLIB_LIBS) $(LZO_LIBS) $(UUID_LIBS) $(LIBSELINUX_LIBS) -lm -lssl -lcrypto
+
+if WITH_CRYPTO
+mkfs_ubifs_SOURCES += ubifs-utils/mkfs.ubifs/crypto.c \
+		ubifs-utils/mkfs.ubifs/fscrypt.c
+endif
+
+mkfs_ubifs_LDADD = libmtd.a libubi.a $(ZLIB_LIBS) $(LZO_LIBS) $(UUID_LIBS) $(LIBSELINUX_LIBS) $(OPENSSL_LIBS) -lm
 mkfs_ubifs_CPPFLAGS = $(AM_CPPFLAGS) $(ZLIB_CFLAGS) $(LZO_CFLAGS) $(UUID_CFLAGS) $(LIBSELINUX_CFLAGS)\
 	-I$(top_srcdir)/ubi-utils/include -I$(top_srcdir)/ubifs-utils/mkfs.ubifs/
 
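Review bot: `$(OPENSSL_LIBS)` is added to `mkfs_ubifs_LDADD`, but the unchanged `mkfs_ubifs_CPPFLAGS` line still lists no `$(OPENSSL_CFLAGS)`. An OpenSSL that pkg-config locates outside the default include path would therefore link but might not compile. Add `$(OPENSSL_CFLAGS)` next to `$(LIBSELINUX_CFLAGS)` in `mkfs_ubifs_CPPFLAGS`.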
diff --git a/ubifs-utils/mkfs.ubifs/crypto.h b/ubifs-utils/mkfs.ubifs/crypto.h
index f275839aa77d..b6ffad19b72d 100644
--- a/ubifs-utils/mkfs.ubifs/crypto.h
+++ b/ubifs-utils/mkfs.ubifs/crypto.h
@@ -41,19 +41,18 @@ struct cipher {
 	unsigned int fscrypt_fname_mode;
 };
 
-
+#ifdef WITH_CRYPTO
 int crypto_init(void);
-
 void crypto_cleanup(void);
-
 ssize_t derive_key_aes(const void *deriving_key, const void *source_key,
 		       size_t source_key_len, void *derived_key);
-
 int derive_key_descriptor(const void *source_key, void *descriptor);
-
 struct cipher *get_cipher(const char *name);
-
 void list_ciphers(FILE *fp);
+#else
+static inline int crypto_init(void) { return 0;}
+static inline void crypto_cleanup(void) {}
+#endif /* WITH_CRYPTO */
 
 #endif /* UBIFS_CRYPTO_H */
 
diff --git a/ubifs-utils/mkfs.ubifs/fscrypt.h b/ubifs-utils/mkfs.ubifs/fscrypt.h
index e3cfee50290a..3b717b4359c6 100644
--- a/ubifs-utils/mkfs.ubifs/fscrypt.h
+++ b/ubifs-utils/mkfs.ubifs/fscrypt.h
@@ -97,27 +97,76 @@ struct fscrypt_symlink_data {
 #define FS_IV_SIZE 16
 #endif
 
+#ifdef WITH_CRYPTO
 unsigned char *calc_fscrypt_subkey(struct fscrypt_context *fctx);
-
 struct fscrypt_context *inherit_fscrypt_context(struct fscrypt_context *fctx);
-
 void free_fscrypt_context(struct fscrypt_context *fctx);
-
 void print_fscrypt_master_key_descriptor(struct fscrypt_context *fctx);
-
 unsigned int fscrypt_fname_encrypted_size(struct fscrypt_context *fctx,
 					  unsigned int ilen);
-
 int encrypt_path(void **outbuf, void *data, unsigned int data_len,
 		 unsigned int max_namelen, struct fscrypt_context *fctx);
-
 int encrypt_data_node(struct fscrypt_context *fctx, unsigned int block_no,
 		      struct ubifs_data_node *dn, size_t length);
-
 struct fscrypt_context *init_fscrypt_context(const char *cipher_name,
 					     unsigned int flags,
 					     const char *key_file,
 					     const char *key_descriptor);
-
+#else
+static inline struct fscrypt_context *init_fscrypt_context(
+					const char *cipher_name,
+					unsigned int flags,
+					const char *key_file,
+					const char *key_descriptor)
+{
+	(void)cipher_name;
+	(void)flags;
+	(void)key_file;
+	(void)key_descriptor;
+
+	assert(0);
+	return NULL;
+}
+
+static inline void free_fscrypt_context(struct fscrypt_context *fctx)
+{
+	(void)fctx;
+
+	assert(0);
+}
+
+static inline int encrypt_path(void **outbuf, void *data, unsigned int data_len,
+		 unsigned int max_namelen, struct fscrypt_context *fctx)
+{
+	(void)outbuf;
+	(void)data;
+	(void)data_len;
+	(void)max_namelen;
+	(void)fctx;
+
+	assert(0);
+	return -1;
+}
+
+static inline int encrypt_data_node(struct fscrypt_context *fctx, unsigned int block_no,
+		      struct ubifs_data_node *dn, size_t length)
+{
+	(void)fctx;
+	(void)block_no;
+	(void)dn;
+	(void)length;
+
+	assert(0);
+	return -1;
+}
+
+static inline struct fscrypt_context *inherit_fscrypt_context(struct fscrypt_context *fctx)
+{
+	(void)fctx;
+
+	assert(0);
+	return NULL;
+}
+#endif /* WITH_CRYPTO */
 #endif /* FSCRYPT_H */
 
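Review bot: The `#else` stubs rely on `assert(0)` to flag a call that should never happen, and `assert` compiles to nothing under `NDEBUG`, so in such a build `free_fscrypt_context()` and `inherit_fscrypt_context()` return silently. The encrypt stubs do return `-1`, which is worth stating in a comment above the block, e.g. `/* Built without crypto: get_options() rejects the key options, so these stubs are unreachable; the encrypt stubs return an error rather than succeed. */`. No `#include <assert.h>` is visible in this hunk, so the header presumably depends on its includer for it. The `set_fscrypt_context()` and `encrypt_symlink()` stubs added to mkfs.ubifs.c follow the same pattern.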
diff --git a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
index e4204dae07cb..7073bf052688 100644
--- a/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
+++ b/ubifs-utils/mkfs.ubifs/mkfs.ubifs.c
@@ -508,9 +508,12 @@ static int get_options(int argc, char**argv)
 {
 	int opt, i, fscrypt_flags = FS_POLICY_FLAGS_PAD_4;
 	const char *key_file = NULL, *key_desc = NULL;
-	const char *tbl_file = NULL, *cipher_name = "AES-128-CBC";
+	const char *tbl_file = NULL;
 	struct stat st;
 	char *endp;
+#ifdef WITH_CRYPTO
+	const char *cipher_name;
+#endif
 
 	c->fanout = 8;
 	c->orph_lebs = 1;
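Review bot: `cipher_name` is now declared without an initializer, yet the later hunk in this function tests `if (cipher_name == NULL)` to apply the "AES-128-CBC" default. When `-C` is not given, no assignment is visible in the shown hunks, so that test reads an indeterminate pointer (undefined behaviour). The default may then be skipped and a garbage pointer passed to `init_fscrypt_context()`. Declare it as `const char *cipher_name = NULL;`. get_options() continues outside the hunk.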
@@ -587,8 +590,10 @@ static int get_options(int argc, char**argv)
 			exit(EXIT_SUCCESS);
 		case '?':
 			printf("%s", helptext);
+#ifdef WITH_CRYPTO
 			printf("\n\nSupported ciphers:\n");
 			list_ciphers(stdout);
+#endif
 			exit(-1);
 		case 'v':
 			verbose = 1;
@@ -729,7 +734,11 @@ static int get_options(int argc, char**argv)
 			break;
 		}
 		case 'C':
+#ifdef WITH_CRYPTO
 			cipher_name = optarg;
+#else
+			return err_msg("mkfs.ubifs was built without crypto support.");
+#endif
 			break;
 		}
 	}
@@ -748,20 +757,26 @@ static int get_options(int argc, char**argv)
 		if (c->max_leb_cnt == -1)
 			c->max_leb_cnt = c->vi.rsvd_lebs;
 	}
-
 	if (key_file || key_desc) {
+#ifdef WITH_CRYPTO
 		if (!key_file)
 			return err_msg("no key file specified");
 
 		c->double_hash = 1;
 		c->encrypted = 1;
 
+		if (cipher_name == NULL)
+			cipher_name = "AES-128-CBC";
+
 		root_fctx = init_fscrypt_context(cipher_name, fscrypt_flags,
 						key_file, key_desc);
 		if (!root_fctx)
 			return -1;
 
 		print_fscrypt_master_key_descriptor(root_fctx);
+#else
+		return err_msg("mkfs.ubifs was built without crypto support.");
+#endif
 	}
 
 	if (c->min_io_size == -1)
@@ -1385,6 +1400,7 @@ static inline int inode_add_selinux_xattr(struct ubifs_ino_node *host_ino,
 }
 #endif
 
+#ifdef WITH_CRYPTO
 static int set_fscrypt_context(struct ubifs_ino_node *host_ino, ino_t inum,
 			       struct stat *host_st,
 			       struct fscrypt_context *fctx)
@@ -1421,6 +1437,31 @@ static int encrypt_symlink(void *dst, void *data, unsigned int data_len,
 	free(sd);
 	return link_disk_len;
 }
+#else
+static int set_fscrypt_context(struct ubifs_ino_node *host_ino, ino_t inum,
+			       struct stat *host_st,
+			       struct fscrypt_context *fctx)
+{
+	(void)host_ino;
+	(void)inum;
+	(void)host_st;
+	(void)fctx;
+
+	assert(0);
+	return -1;
+}
+static int encrypt_symlink(void *dst, void *data, unsigned int data_len,
+			   struct fscrypt_context *fctx)
+{
+	(void)dst;
+	(void)data;
+	(void)data_len;
+	(void)fctx;
+
+	assert(0);
+	return -1;
+}
+#endif
 
 /**
  * add_inode - write an inode.
@@ -1582,9 +1623,11 @@ static int add_symlink_inode(const char *path_name, struct stat *st, ino_t inum,
 
 static void set_dent_cookie(struct ubifs_dent_node *dent)
 {
+#ifdef WITH_CRYPTO
 	if (c->double_hash)
 		RAND_bytes((void *)&dent->cookie, sizeof(dent->cookie));
 	else
+#endif
 		dent->cookie = 0;
 }
 
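Review bot: In `set_dent_cookie()` the `#ifdef WITH_CRYPTO` straddles an unbraced `if`/`else`, so the `else` body is the only statement left in a non-crypto build, and a later edit between `else` and `#endif` would change behaviour in one configuration only. The return value of `RAND_bytes()` is also ignored, so a failed call leaves the cookie with whatever it held before. Both are addressed by assigning `dent->cookie = 0;` unconditionally first and keeping only `if (c->double_hash) RAND_bytes((void *)&dent->cookie, sizeof(dent->cookie));` inside the `#ifdef`.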
@@ -1981,7 +2024,8 @@ static int add_directory(const char *dir_name, ino_t dir_inum, struct stat *st,
 
 		inum = ++c->highest_inum;
 
-		new_fctx = inherit_fscrypt_context(fctx);
+		if (fctx)
+			new_fctx = inherit_fscrypt_context(fctx);
 
 		if (S_ISDIR(dent_st.st_mode)) {
 			err = add_directory(name, inum, &dent_st, 1, new_fctx);
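Review bot: With the new `if (fctx)` guard, `new_fctx` is left untouched when `fctx` is NULL, and it is then passed to `add_directory()` and tested by `if (new_fctx)` in the two later hunks of this function. Its declaration is outside the hunk, and the guards are only sound if it is initialised to NULL there; otherwise the unencrypted path reads an indeterminate pointer. If that initialiser is missing, `new_fctx = fctx ? inherit_fscrypt_context(fctx) : NULL;` makes this hunk self-contained.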
@@ -2006,7 +2050,8 @@ static int add_directory(const char *dir_name, ino_t dir_inum, struct stat *st,
 		size += ALIGN(UBIFS_DENT_NODE_SZ + strlen(entry->d_name) + 1,
 			      8);
 
-		free_fscrypt_context(new_fctx);
+		if (new_fctx)
+			free_fscrypt_context(new_fctx);
 	}
 
 	/*
@@ -2068,7 +2113,8 @@ static int add_directory(const char *dir_name, ino_t dir_inum, struct stat *st,
 		size += ALIGN(UBIFS_DENT_NODE_SZ + strlen(nh_elt->name) + 1, 8);
 
 		nh_elt = next_name_htbl_element(ph_elt, &itr);
-		free_fscrypt_context(new_fctx);
+		if (new_fctx)
+			free_fscrypt_context(new_fctx);
 	}
 
 	creat_sqnum = dir_creat_sqnum;
-- 
2.19.1
