From 05ae6f02571baeab7e5d4c94aae5e3f8036d34eb Mon Sep 17 00:00:00 2001
From: Tim Byrne <sultan@locehilios.com>
Date: Fri, 25 Sep 2020 09:25:38 -0500
Subject: [PATCH] Add config yadm.openssl-old

The newer versions (OpenSSL 1.1.1 or LibreSSL 2.9.1) support the pbkdf2
key derivation function, while older versions do not. In addition the
new versions have changed the default digest to SHA256 instead of MD5.

Files encrypted with older versions would throw warnings about
deprecated key derivation used files encrypted with newer versions +
pbkdf2 would not be decryptable using older versions These problems
matter, when many users maintain their dotfiles across different systems
with different levels of OpenSSL support.

A new boolean config option has been added, yadm.openssl-old

* If false, use options -pbkdf2 -iter 100000 -md sha512
* If true, use options -md md5 (and if decrypting with newer versions
  warnings will be printed)
---
 test/conftest.py |  1 +
 yadm             | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/test/conftest.py b/test/conftest.py
index 23621f5..7bbc5be 100644
--- a/test/conftest.py
+++ b/test/conftest.py
@@ -124,6 +124,7 @@ def supported_configs():
         'yadm.gpg-program',
         'yadm.gpg-recipient',
         'yadm.openssl-ciphername',
+        'yadm.openssl-old',
         'yadm.openssl-program',
         'yadm.ssh-perms',
         ]
diff --git a/yadm b/yadm
index 3c2b274..cfa84cb 100755
--- a/yadm
+++ b/yadm
@@ -55,6 +55,8 @@ OPERATING_SYSTEM="Unknown"
 
 ENCRYPT_INCLUDE_FILES="unparsed"
 
+OPENSSL_OPTS=()
+
 LEGACY_WARNING_ISSUED=0
 INVALID_ALT=()
 
@@ -922,6 +924,14 @@ function _get_openssl_ciphername() {
   echo "$OPENSSL_CIPHERNAME"
 }
 
+function _set_openssl_options() {
+  if [ "$(config --bool yadm.openssl-old)" == "true" ]; then
+    OPENSSL_OPTS=(-md md5)
+  else
+    OPENSSL_OPTS=(-pbkdf2 -iter 100000 -md sha512)
+  fi
+}
+
 function _get_cipher() {
   output_archive="$1"
   yadm_cipher="$(config yadm.cipher)"
@@ -930,7 +940,6 @@ function _get_cipher() {
   fi
 }
 
-
 function _decrypt_from() {
 
   local output_archive
@@ -948,7 +957,8 @@ function _decrypt_from() {
       require_openssl
 
       OPENSSL_CIPHERNAME="$(_get_openssl_ciphername)"
-      $OPENSSL_PROGRAM enc -d "-${OPENSSL_CIPHERNAME}" -salt -in "$output_archive"
+      _set_openssl_options
+      $OPENSSL_PROGRAM enc -d "${OPENSSL_OPTS[@]}" "-${OPENSSL_CIPHERNAME}" -salt -in "$output_archive"
       ;;
 
     *)
@@ -1239,6 +1249,7 @@ yadm.gpg-perms
 yadm.gpg-program
 yadm.gpg-recipient
 yadm.openssl-ciphername
+yadm.openssl-old
 yadm.openssl-program
 yadm.ssh-perms
 EOF