From bbff98d04bb4c680dae224597cc34ff641824f2a Mon Sep 17 00:00:00 2001
From: df <fieldhouse@gmx.net>
Date: Fri, 1 Oct 2021 15:45:13 +0100
Subject: [PATCH] Improve processing and display of custom encryption key

---
 .../html/settings/modules/advanced/init.hook  | 20 ++++-----
 webif/include/modversion.jim                  |  5 ++-
 webif/lib/system.class                        | 45 ++++++++++++++++++-
 webif/lib/ts.class                            | 13 ++----
 4 files changed, 59 insertions(+), 24 deletions(-)

diff --git a/webif/html/settings/modules/advanced/init.hook b/webif/html/settings/modules/advanced/init.hook
index abecda1..128015b 100644
--- a/webif/html/settings/modules/advanced/init.hook
+++ b/webif/html/settings/modules/advanced/init.hook
@@ -13,16 +13,19 @@ if {[cgi_get act] eq "xtelnet"} {
 
 if {[cgi_get act] eq "cryptokey"} {
 	set val [cgi_get cryptokey ""]
-	if {[string length "$val"] == 0} {
+	if {$val eq ""} {
 		set val [system encryptionkey]
 		puts "Using native encryption key.<br>"
 	} elseif {[string length $val] != 32} {
 		puts "Encryption key is too short."
 		exit
 	}
-	file write "/mod/boot/cryptokey" [binary format H* $val]
-	system nugget cryptokey -init
-	puts "Installed new encryption key."
+	if {[system customencryptionkey $val] ne ""} {
+	    system nugget cryptokey -init
+	    puts "Installed new encryption key."
+	} else {
+	    puts "Failed to install encryption key $val" 
+	}    
 	exit
 }
 
@@ -34,13 +37,8 @@ set logkeep [$settings logkeep]
 set logage [$settings logage]
 
 set cryptokey [system encryptionkey]
-if {![catch {set ck_fd [open "/mod/boot/cryptokey"]}]} {
-	set ck_bytes [$ck_fd read 16]
-	$ck_fd close
-	binary scan $ck_bytes H* ck_key
-	if {[string length $ck_key] == 32} {
-		set cryptokey $ck_key
-	}
+if {[set customkey [system customencryptionkey]] ne ""} {
+    set cryptokey $customkey
 }
 
 handle_int_update pkgdev $pkgdev "Development Package Display"
diff --git a/webif/include/modversion.jim b/webif/include/modversion.jim
index 85c7493..43b5a36 100755
--- a/webif/include/modversion.jim
+++ b/webif/include/modversion.jim
@@ -20,7 +20,10 @@ puts "<br>Loader Version: [system loaderver]"
 puts "<br>System ID: [system systemid]"
 puts "<br>Serial Number: [system serialno]"
 if {$mws::pagetag eq "Diagnostics"} {
-	puts "<br>Encryption Key: [system encryptionkey]"
+	puts "<br>Native Encryption Key: [system encryptionkey]"
+        if {[set customkey [system customencryptionkey]] ne ""} {
+            puts "<br>Custom Encryption Key: $customkey"
+        }
 }
 puts "<br>Last Boot Reason: [system lastbootreason]"
 
diff --git a/webif/lib/system.class b/webif/lib/system.class
index e0ffb9a..1a08edc 100644
--- a/webif/lib/system.class
+++ b/webif/lib/system.class
@@ -143,6 +143,13 @@ proc {system serialno} {} {{serial ""}} {
 	    string range $bytes 9 end]"
 	return $serial
 }
+proc {system keybytestostring} {key_bytes} {
+	binary scan $key_bytes H* key_str                         
+	if {[string length $key_str] == 32} {                    
+		return $key_str
+	}
+	return {}
+}                                                     
 
 proc {system encryptionkey} {} {{key ""}} {
 	if {$key ne ""} { return $key }
@@ -152,8 +159,42 @@ proc {system encryptionkey} {} {{key ""}} {
 	$fd seek 0xcb800
 	append bytes [$fd read 10]
 	$fd close
-	binary scan $bytes H* key
-	return $key
+	return [system keybytestostring $bytes]
+}
+
+proc {system customencryptionkey} {{key ""}} {
+
+        proc open_keyfile {{access r}} {
+            return [open "/mod/boot/cryptokey" $access]
+        }
+
+        set ck_fd {}
+        try {
+            if {$key ne ""} {
+                set ck_bytes [binary format H* $key]
+                set test [system keybytestostring $ck_bytes]
+                if {![string equal -nocase $test $key]} {
+                    throw 1 "Invalid custom key"
+                }
+                # attempt not to truncate on update until written
+                set ck_fd [open_keyfile a]
+                $ck_fd seek 0
+                $ck_fd puts -nonewline $ck_bytes
+                $ck_fd close
+                set ck_fd {}
+                return $key
+            } else {
+                set ck_fd [open_keyfile]
+                set ck_bytes [$ck_fd read 16]
+                return [system keybytestostring $ck_bytes]
+            }
+        } on error {msg opts} {
+           return {}
+        } finally {
+            if {$ck_fd ne {}} {
+                $ck_fd close
+            }
+        }   
 }
 
 proc {system loaderver} {} {{ver ""}} {
diff --git a/webif/lib/ts.class b/webif/lib/ts.class
index bcfe270..526814a 100644
--- a/webif/lib/ts.class
+++ b/webif/lib/ts.class
@@ -863,16 +863,9 @@ ts method getkey {mode} {
 	}
 	if { $mode ne "dlna" } {
 		# also try other keys, such as this - same as active?
-		try {
-			set fd [open "/mod/boot/cryptokey"]
-			set bytes [$fd read 16]
-			binary scan $bytes H* key
-			if {[string length $key] == 32} {
-				ladd keys $key
-			}
-		} on error {} {
-		} finally {
-			catch {$fd close}
+		set key [system customencryptionkey]
+		if {$key ne ""} {
+			ladd keys $key
 		}
 
 		# the native key