Add config yadm.openssl-old
The newer versions (OpenSSL 1.1.1 or LibreSSL 2.9.1) support the pbkdf2 key derivation function, while older versions do not. In addition, the new versions have changed the default digest to SHA256 instead of MD5. Files encrypted with older versions would throw warnings about the deprecated key derivation being used, and files encrypted with newer versions + pbkdf2 would not be decryptable using older versions. These problems matter when many users maintain their dotfiles across different systems with different levels of OpenSSL support. A new boolean config option has been added, yadm.openssl-old: * If false, use options -pbkdf2 -iter 100000 -md sha512 * If true, use options -md md5 (and if decrypting with newer versions, warnings will be printed)
parent
47d4ea5f7e
commit
05ae6f0257
2 changed files with 14 additions and 2 deletions
|
@ -124,6 +124,7 @@ def supported_configs():
|
|||
'yadm.gpg-program',
|
||||
'yadm.gpg-recipient',
|
||||
'yadm.openssl-ciphername',
|
||||
'yadm.openssl-old',
|
||||
'yadm.openssl-program',
|
||||
'yadm.ssh-perms',
|
||||
]
|
||||
|
|
15
yadm
15
yadm
|
@ -55,6 +55,8 @@ OPERATING_SYSTEM="Unknown"
|
|||
|
||||
ENCRYPT_INCLUDE_FILES="unparsed"
|
||||
|
||||
OPENSSL_OPTS=()
|
||||
|
||||
LEGACY_WARNING_ISSUED=0
|
||||
INVALID_ALT=()
|
||||
|
||||
|
@ -922,6 +924,14 @@ function _get_openssl_ciphername() {
|
|||
echo "$OPENSSL_CIPHERNAME"
|
||||
}
|
||||
|
||||
function _set_openssl_options() {
|
||||
if [ "$(config --bool yadm.openssl-old)" == "true" ]; then
|
||||
OPENSSL_OPTS=(-md md5)
|
||||
else
|
||||
OPENSSL_OPTS=(-pbkdf2 -iter 100000 -md sha512)
|
||||
fi
|
||||
}
|
||||
|
||||
function _get_cipher() {
|
||||
output_archive="$1"
|
||||
yadm_cipher="$(config yadm.cipher)"
|
||||
|
@ -930,7 +940,6 @@ function _get_cipher() {
|
|||
fi
|
||||
}
|
||||
|
||||
|
||||
function _decrypt_from() {
|
||||
|
||||
local output_archive
|
||||
|
@ -948,7 +957,8 @@ function _decrypt_from() {
|
|||
require_openssl
|
||||
|
||||
OPENSSL_CIPHERNAME="$(_get_openssl_ciphername)"
|
||||
$OPENSSL_PROGRAM enc -d "-${OPENSSL_CIPHERNAME}" -salt -in "$output_archive"
|
||||
_set_openssl_options
|
||||
$OPENSSL_PROGRAM enc -d "${OPENSSL_OPTS[@]}" "-${OPENSSL_CIPHERNAME}" -salt -in "$output_archive"
|
||||
;;
|
||||
|
||||
*)
|
||||
|
@ -1239,6 +1249,7 @@ yadm.gpg-perms
|
|||
yadm.gpg-program
|
||||
yadm.gpg-recipient
|
||||
yadm.openssl-ciphername
|
||||
yadm.openssl-old
|
||||
yadm.openssl-program
|
||||
yadm.ssh-perms
|
||||
EOF
|
||||
|
|
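Review bot: In the `_decrypt_from` hunk, `_set_openssl_options` feeds `"${OPENSSL_OPTS[@]}"` to `enc -d` only, and no matching change to the encrypt path appears on this page. If the encrypt side does not pass the same array to `enc -e`, archives written with this version will fail to decrypt under the default `-pbkdf2 -iter 100000 -md sha512`. `openssl enc` stores only the salt in the output, not the digest or iteration count, so a mismatch shows up only as a bad-decrypt error or garbage output. A comment above `_set_openssl_options` would help, e.g. `# must match the options used at encryption time; the archive does not record digest or iteration count`. The `yadm.openssl-old` branch selects the legacy non-PBKDF2 derivation with MD5, which gives little resistance to offline passphrase guessing, so the option's documentation should describe it as compatibility-only; `_decrypt_from` starts and ends outside the hunk.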