uencrypt: add support for mbedtls

This commit includes some additional changes:
 - better handling of iv and keys in openssl/wolfssl variants
 - fix compiler warnings and whitespace
 - build all 3 variants as separate packages
 - adjust the new package name in targets' DEVICE_PACKAGES
 - remove PKG_FLAGS:=nonshared

[Beeline SmartBox Flash - OK]
Tested-by: Mikhail Zhilkin <csharper2005@gmail.com>
[after test: replaced a hardcoded IV size of 16 by cipher_info->iv_size]
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This commit is contained in:
Eneas U de Queiroz 2023-02-17 08:12:40 -03:00
parent 6ac6f2402d
commit 4662adef2a
No known key found for this signature in database
GPG Key ID: A1FE5A85EFAE657D
6 changed files with 314 additions and 57 deletions

View File

@ -4,55 +4,80 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=uencrypt
PKG_RELEASE:=3
PKG_RELEASE:=4
PKG_FLAGS:=nonshared
PKG_LICENSE:=GPL-2.0-or-later
PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
PKG_CONFIG_DEPENDS:=\
CONFIG_UENCRYPT_OPENSSL \
CONFIG_UENCRYPT_WOLFSSL
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
CMAKE_INSTALL:=1
CMAKE_OPTIONS+=$(if $(CONFIG_UENCRYPT_WOLFSSL),-DUSE_WOLFSSL=1)
ifeq ($(BUILD_VARIANT),mbedtls)
CMAKE_OPTIONS+=-DUSE_MBEDTLS=1
else ifeq ($(BUILD_VARIANT),wolfssl)
CMAKE_OPTIONS+=-DUSE_WOLFSSL=1
endif
define Package/uencrypt
define Package/uencrypt/default
SECTION:=utils
CATEGORY:=Base system
TITLE:=Decryption utility for Arcadyan WG4xx223 and TP-Link Deco S4
DEPENDS:=+UENCRYPT_WOLFSSL:libwolfssl +UENCRYPT_OPENSSL:libopenssl
TITLE:=Small Decryption utility
endef
define Package/uencrypt/description
define Package/uencrypt/default/description
This is a small encrypton/decryption program. It defaults
to AES-128-CBC, but supports any encryption provided by
the available openssl/wolfssl library. Even though it can
be used for regular encryption and decryption operations,
the crypto library. Even though it can be used for
non-critical* regular encryption and decryption operations,
it is included here to unencrypt the configuration from mtd
on Arcadyan WG430223/WG443223 and TP-Link Deco S4 routers
on some devices.
* Key and IV are exposed on cmdline
This variant uses $(1) as crypto provider
endef
define Package/uencrypt/config
if PACKAGE_uencrypt
choice
prompt "Crypto provider"
default UENCRYPT_WOLFSSL
config UENCRYPT_OPENSSL
bool "OpenSSL"
config UENCRYPT_WOLFSSL
bool "wolfSSL"
endchoice
endif
define Package/uencrypt-mbedtls
$(Package/uencrypt/default)
VARIANT:=mbedtls
TITLE+= using mbedTLS
DEPENDS:=+libmbedtls
CONFLICTS:=uencrypt-openssl uencrypt-wolfssl
endef
define Package/uencrypt/install
Package/uencrypt-mbedtls/description= \
$(call Package/uencrypt/default/description,mbedTLS)
define Package/uencrypt-openssl
$(Package/uencrypt/default)
VARIANT:=openssl
TITLE+= using OpenSSL
DEPENDS:=+libopenssl
CONFLICTS:=uencrypt-wolfssl
endef
Package/uencrypt-openssl/description= \
$(call Package/uencrypt/default/description,OpenSSL)
define Package/uencrypt-wolfssl
$(Package/uencrypt/default)
VARIANT:=wolfssl
TITLE+= using wolfSSL
DEPENDS:=+libwolfssl
endef
Package/uencrypt-wolfssl/description= \
$(call Package/uencrypt/default/description,wolfSSL)
define Package/uencrypt/default/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/uencrypt $(1)/usr/bin
endef
Package/uencrypt-openssl/install = $(Package/uencrypt/default/install)
Package/uencrypt-wolfssl/install = $(Package/uencrypt/default/install)
Package/uencrypt-mbedtls/install = $(Package/uencrypt/default/install)
$(eval $(call BuildPackage,uencrypt))
$(eval $(call BuildPackage,uencrypt-mbedtls))
$(eval $(call BuildPackage,uencrypt-openssl))
$(eval $(call BuildPackage,uencrypt-wolfssl))

View File

@ -5,16 +5,27 @@ cmake_minimum_required(VERSION 2.8.12 FATAL_ERROR)
project(uencrypt LANGUAGES C)
option(USE_WOLFSSL "Use WolfSSL as crypto provider" OFF)
if (USE_WOLFSSL)
add_definitions(-DUSE_WOLFSSL)
find_library(WOLFSSL_LIBRARY wolfssl REQUIRED)
set(CRYPTO_LIBRARIES ${WOLFSSL_LIBRARY})
option(USE_MBEDTLS "Use mbedTLS as crypto provider" OFF)
if (USE_MBEDTLS)
if (USE_WOLFSSL)
message(WARNING "USE_MBEDTLS and USE_WOLFSSL are both set. Building with USE_MBEDTLS.")
endif()
add_definitions(-DUSE_MBEDTLS)
find_library(MBEDCRYPTO_LIBRARY mbedcrypto REQUIRED)
set(CRYPTO_LIBRARIES ${MBEDCRYPTO_LIBRARY})
add_executable(${PROJECT_NAME} ${PROJECT_NAME}-mbedtls.c)
else()
find_package(OpenSSL REQUIRED)
set(CRYPTO_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
add_executable(${PROJECT_NAME} ${PROJECT_NAME}-openssl.c)
if (USE_WOLFSSL)
add_definitions(-DUSE_WOLFSSL)
find_library(WOLFSSL_LIBRARY wolfssl REQUIRED)
set(CRYPTO_LIBRARIES ${WOLFSSL_LIBRARY})
else()
find_package(OpenSSL REQUIRED)
set(CRYPTO_LIBRARIES ${OPENSSL_CRYPTO_LIBRARY})
endif()
endif()
add_executable(${PROJECT_NAME} ${PROJECT_NAME}.c)
target_link_libraries(${PROJECT_NAME} ${CRYPTO_LIBRARIES})
install(TARGETS ${PROJECT_NAME} RUNTIME DESTINATION bin)

View File

@ -0,0 +1,212 @@
/* SPDX-License-Identifier: GPL-2.0-or-later
* Copyright (C) 2023 Eneas Ulir de Queiroz
*/
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <mbedtls/cipher.h>
int do_crypt(FILE *infile, FILE *outfile, const mbedtls_cipher_info_t *cipher_info,
const unsigned char *key, const unsigned char *iv, int enc, int padding)
{
mbedtls_cipher_context_t ctx;
unsigned char inbuf[1024], outbuf[1024 + MBEDTLS_MAX_BLOCK_LENGTH];
size_t inlen, outlen;
int ret = 0;
int step;
mbedtls_cipher_init(&ctx);
if ((ret = mbedtls_cipher_setup(&ctx, cipher_info))) {
fprintf(stderr, "Error: mbedtls_cipher_setup: %d\n", ret);
goto out;
}
step = iv ? 1024 : mbedtls_cipher_get_block_size(&ctx);
if ((ret = mbedtls_cipher_setkey(&ctx, key, (int) mbedtls_cipher_get_key_bitlen(&ctx),
enc ? MBEDTLS_ENCRYPT : MBEDTLS_DECRYPT))) {
fprintf(stderr, "Error: mbedtls_cipher_setkey: %d\n", ret);
goto out;
}
if (iv && (ret = mbedtls_cipher_set_iv(&ctx, iv, cipher_info->iv_size))) {
fprintf(stderr, "Error: mbedtls_cipher_set_iv: %d\n", ret);
goto out;
}
if (cipher_info->block_size > 1) {
if (cipher_info->mode == MBEDTLS_MODE_CBC) {
if ((ret = mbedtls_cipher_set_padding_mode(&ctx,
padding ? MBEDTLS_PADDING_PKCS7
: MBEDTLS_PADDING_NONE))) {
fprintf(stderr, "Error: mbedtls_cipher_set_padding_mode: %d\n", ret);
goto out;
}
} else {
if (cipher_info->mode != MBEDTLS_MODE_CBC && padding) {
fprintf(stderr, "Error: mbedTLS only supports padding with CBC ciphers.\n");
goto out;
}
}
}
if ((ret = mbedtls_cipher_reset(&ctx))) {
fprintf(stderr, "Error: mbedtls_cipher_reset: %d\n", ret);
goto out;
}
for (;;) {
inlen = fread(inbuf, 1, step, infile);
if (inlen <= 0)
break;
if ((ret = mbedtls_cipher_update(&ctx, inbuf, inlen, outbuf, &outlen))) {
fprintf(stderr, "Error: mbedtls_cipher_update: %d\n", ret);
goto out;
}
fwrite(outbuf, 1, outlen, outfile);
}
if ((ret = mbedtls_cipher_finish(&ctx, outbuf, &outlen))) {
fprintf(stderr, "Error: mbedtls_cipher_finish: %d\n", ret);
goto out;
}
fwrite(outbuf, 1, outlen, outfile);
out:
mbedtls_cipher_free(&ctx);
return ret;
}
static void check_enc_dec(const int enc)
{
if (enc == -1)
return;
fprintf(stderr, "Error: both -d and -e were specified.\n");
exit(EXIT_FAILURE);
}
static void check_cipher(const mbedtls_cipher_info_t *cipher_info)
{
const int *list;
if (cipher_info == NULL) {
fprintf(stderr, "Error: invalid cipher: %s.\n", optarg);
fprintf(stderr, "Supported ciphers: \n");
for (list = mbedtls_cipher_list(); *list; list++) {
cipher_info = mbedtls_cipher_info_from_type(*list);
if (!cipher_info)
continue;
fprintf(stderr, "\t%s\n", cipher_info->name);
}
exit(EXIT_FAILURE);
}
}
static void show_usage(const char* name)
{
fprintf(stderr, "Usage: %s: [-d | -e] [-n] -k key [-i iv] [-c cipher]\n"
"-d = decrypt; -e = encrypt; -n = no padding\n", name);
}
char *hexstr2buf(const char *str, size_t *len)
{
char *buf;
size_t inlen = strlen(str);
*len = 0;
if (inlen % 2)
return NULL;
*len = inlen >> 1;
buf = malloc(*len);
for (size_t x = 0; x < *len; x++)
sscanf(str + x * 2, "%2hhx", buf + x);
return buf;
}
static char* upperstr(char *str) {
for (char *s = str; *s; s++)
*s = toupper((unsigned char) *s);
return str;
}
int main(int argc, char *argv[])
{
int enc = -1;
unsigned char *iv = NULL;
unsigned char *key = NULL;
size_t keylen = 0, ivlen = 0;
int opt;
int padding = 1;
const mbedtls_cipher_info_t *cipher_info =
mbedtls_cipher_info_from_type (MBEDTLS_CIPHER_AES_128_CBC);
int ret;
while ((opt = getopt(argc, argv, "c:dei:k:n")) != -1) {
switch (opt) {
case 'c':
cipher_info = mbedtls_cipher_info_from_string(upperstr(optarg));
check_cipher(cipher_info);
break;
case 'd':
check_enc_dec(enc);
enc = 0;
break;
case 'e':
check_enc_dec(enc);
enc = 1;
break;
case 'i':
iv = (unsigned char *) hexstr2buf((const char *)optarg, &ivlen);
if (iv == NULL) {
fprintf(stderr, "Error setting IV to %s. The IV should be encoded in hex.\n",
optarg);
exit(EINVAL);
}
break;
case 'k':
key = (unsigned char *) hexstr2buf((const char *)optarg, &keylen);
if (key == NULL) {
fprintf(stderr, "Error setting key to %s. The key should be encoded in hex.\n",
optarg);
exit(EINVAL);
}
break;
case 'n':
padding = 0;
break;
default:
show_usage(argv[0]);
exit(EINVAL);
}
}
if (cipher_info->iv_size) {
if (iv == NULL) {
fprintf(stderr, "Error: iv not set.\n");
show_usage(argv[0]);
exit(EXIT_FAILURE);
}
if (ivlen != cipher_info->iv_size) {
fprintf(stderr, "Error: IV must be %d bytes; given IV is %zd bytes.\n",
cipher_info->iv_size, ivlen);
exit(EXIT_FAILURE);
}
}
if (key == NULL) {
fprintf(stderr, "Error: key not set.\n");
show_usage(argv[0]);
exit(EXIT_FAILURE);
}
if (keylen != cipher_info->key_bitlen >> 3) {
fprintf(stderr, "Error: key must be %d bytes; given key is %zd bytes.\n",
cipher_info->key_bitlen >> 3, keylen);
exit(EXIT_FAILURE);
}
ret = do_crypt(stdin, stdout, cipher_info, key, iv, !!enc, padding);
if (iv)
memset(iv, 0, ivlen);
memset(key, 0, keylen);
free(iv);
free(key);
return ret;
}

View File

@ -1,5 +1,5 @@
/* SPDX-License-Identifier: GPL-2.0-or-later
* Copyright (C) 2022 Eneas Ulir de Queiroz
* Copyright (C) 2022-2023 Eneas Ulir de Queiroz
*/
#include <errno.h>
@ -15,8 +15,8 @@
# include <openssl/evp.h>
#endif
int do_crypt(FILE *infile, FILE *outfile, const EVP_CIPHER *cipher, const char *key, const char *iv,
int enc, int padding)
int do_crypt(FILE *infile, FILE *outfile, const EVP_CIPHER *cipher, const unsigned char *key,
const unsigned char *iv, int enc, int padding)
{
EVP_CIPHER_CTX *ctx;
unsigned char inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
@ -63,12 +63,12 @@ static void print_ciphers(const OBJ_NAME *name,void *arg) {
static void check_cipher(const EVP_CIPHER *cipher)
{
if (cipher == NULL) {
fprintf(stderr, "Error: invalid cipher: %s.\n", optarg);
fprintf(stderr, "Error: invalid cipher: %s.\n", optarg);
#ifndef USE_WOLFSSL
fprintf(stderr, "Supported ciphers: \n", optarg);
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, print_ciphers, stderr);
fprintf(stderr, "Supported ciphers: \n");
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, print_ciphers, stderr);
#endif
exit(EXIT_FAILURE);
exit(EXIT_FAILURE);
}
}
@ -83,10 +83,10 @@ int main(int argc, char *argv[])
int enc = -1;
unsigned char *iv = NULL;
unsigned char *key = NULL;
long len;
long ivlen = 0, keylen = 0;
int cipher_ivlen, cipher_keylen;
int opt;
int padding = 1;
int need_iv = 1;
const EVP_CIPHER *cipher = EVP_aes_128_cbc();
int ret;
@ -95,9 +95,6 @@ int main(int argc, char *argv[])
case 'c':
cipher = EVP_get_cipherbyname(optarg);
check_cipher(cipher);
int arglen = strlen(optarg);
if (arglen > 3 && strncmp(optarg+arglen-3, "ecb", 3) == 0) //if ends with "ecb"
need_iv = 0;
break;
case 'd':
check_enc_dec(enc);
@ -108,7 +105,7 @@ int main(int argc, char *argv[])
enc = 1;
break;
case 'i':
iv = OPENSSL_hexstr2buf((const char *)optarg, &len);
iv = OPENSSL_hexstr2buf((const char *)optarg, &ivlen);
if (iv == NULL) {
fprintf(stderr, "Error setting IV to %s. The IV should be encoded in hex.\n",
optarg);
@ -116,7 +113,7 @@ int main(int argc, char *argv[])
}
break;
case 'k':
key = OPENSSL_hexstr2buf((const char *)optarg, &len);
key = OPENSSL_hexstr2buf((const char *)optarg, &keylen);
if (key == NULL) {
fprintf(stderr, "Error setting key to %s. The key should be encoded in hex.\n",
optarg);
@ -131,16 +128,28 @@ int main(int argc, char *argv[])
exit(EINVAL);
}
}
if (need_iv && iv == NULL) {
fprintf(stderr, "Error: iv not set.\n");
show_usage(argv[0]);
exit(EXIT_FAILURE);
}
if (key == NULL) {
fprintf(stderr, "Error: key not set.\n");
show_usage(argv[0]);
exit(EXIT_FAILURE);
}
if ((cipher_keylen = EVP_CIPHER_key_length(cipher)) != keylen) {
fprintf(stderr, "Error: key must be %d bytes; given key is %ld bytes.\n",
cipher_keylen, keylen);
exit(EXIT_FAILURE);
}
if ((cipher_ivlen = EVP_CIPHER_iv_length(cipher))) {
if (iv == NULL) {
fprintf(stderr, "Error: IV not set.\n");
show_usage(argv[0]);
exit(EXIT_FAILURE);
}
if (cipher_ivlen != ivlen) {
fprintf(stderr, "Error: IV must be %d bytes; given IV is %ld bytes.\n",
cipher_ivlen, ivlen);
exit(EXIT_FAILURE);
}
}
ret = do_crypt(stdin, stdout, cipher, key, iv, !!enc, padding);
if (ret)
fprintf(stderr, "Error during crypt operation.\n");

View File

@ -509,7 +509,7 @@ define Device/tplink_deco-s4-v2
IMAGE_SIZE := 13824k
DEVICE_MODEL := Deco S4
DEVICE_VARIANT := v2
DEVICE_PACKAGES := kmod-ath10k-ct ath10k-firmware-qca9888-ct uencrypt
DEVICE_PACKAGES := kmod-ath10k-ct ath10k-firmware-qca9888-ct uencrypt-mbedtls
SUPPORTED_DEVICES += deco-s4-v2
TPLINK_BOARD_ID := DECO-S4-V2
endef

View File

@ -379,7 +379,7 @@ define Device/beeline_smartbox-flash
IMAGES += factory.trx
IMAGE/factory.trx := append-kernel | append-ubi | check-size
IMAGE/sysupgrade.bin := sysupgrade-tar | append-metadata
DEVICE_PACKAGES := kmod-usb3 kmod-mt7615-firmware uencrypt
DEVICE_PACKAGES := kmod-usb3 kmod-mt7615-firmware uencrypt-mbedtls
endef
TARGET_DEVICES += beeline_smartbox-flash
@ -1587,7 +1587,7 @@ define Device/mts_wg430223
IMAGES += factory.trx
IMAGE/factory.trx := append-kernel | append-ubi | check-size
IMAGE/sysupgrade.bin := sysupgrade-tar | append-metadata
DEVICE_PACKAGES := kmod-mt7615-firmware uencrypt
DEVICE_PACKAGES := kmod-mt7615-firmware uencrypt-mbedtls
endef
TARGET_DEVICES += mts_wg430223