From 05ae6f02571baeab7e5d4c94aae5e3f8036d34eb Mon Sep 17 00:00:00 2001 From: Tim Byrne Date: Fri, 25 Sep 2020 09:25:38 -0500 Subject: [PATCH] Add config yadm.openssl-old The newer versions (OpenSSL 1.1.1 or LibreSSL 2.9.1) support the pbkdf2 key derivation function, while older versions do not. In addition the new versions have changed the default digest to SHA256 instead of MD5. Files encrypted with older versions would throw warnings about deprecated key derivation used files encrypted with newer versions + pbkdf2 would not be decryptable using older versions These problems matter, when many users maintain their dotfiles across different systems with different levels of OpenSSL support. A new boolean config option has been added, yadm.openssl-old * If false, use options -pbkdf2 -iter 100000 -md sha512 * If true, use options -md md5 (and if decrypting with newer versions warnings will be printed) --- test/conftest.py | 1 + yadm | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/test/conftest.py b/test/conftest.py index 23621f5..7bbc5be 100644 --- a/test/conftest.py +++ b/test/conftest.py @@ -124,6 +124,7 @@ def supported_configs(): 'yadm.gpg-program', 'yadm.gpg-recipient', 'yadm.openssl-ciphername', + 'yadm.openssl-old', 'yadm.openssl-program', 'yadm.ssh-perms', ] diff --git a/yadm b/yadm index 3c2b274..cfa84cb 100755 --- a/yadm +++ b/yadm @@ -55,6 +55,8 @@ OPERATING_SYSTEM="Unknown" ENCRYPT_INCLUDE_FILES="unparsed" +OPENSSL_OPTS=() + LEGACY_WARNING_ISSUED=0 INVALID_ALT=() @@ -922,6 +924,14 @@ function _get_openssl_ciphername() { echo "$OPENSSL_CIPHERNAME" } +function _set_openssl_options() { + if [ "$(config --bool yadm.openssl-old)" == "true" ]; then + OPENSSL_OPTS=(-md md5) + else + OPENSSL_OPTS=(-pbkdf2 -iter 100000 -md sha512) + fi +} + function _get_cipher() { output_archive="$1" yadm_cipher="$(config yadm.cipher)" @@ -930,7 +940,6 @@ function _get_cipher() { fi } - function _decrypt_from() { local output_archive 
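Review bot: The new default `OPENSSL_OPTS=(-pbkdf2 -iter 100000 -md sha512)` in `_set_openssl_options` will not decrypt archives written by the pre-patch `enc -e` call — the visible hunks account for all 13 insertions and 2 deletions the diffstat lists for `yadm`, and none of them touch the encrypt side — because that call derives its key with EVP_BytesToKey (MD5 on OpenSSL 1.0.x, SHA-256 on 1.1.0+), so existing archives fail with "bad decrypt", and the `yadm.openssl-old=true` branch (`-md md5`) only rescues the 1.0.x case while an archive produced by the old code on OpenSSL 1.1.x (sha256, no pbkdf2) matches neither branch. Unless the encrypt path was switched to the same `"${OPENSSL_OPTS[@]}"` in an earlier commit, that change belongs in this patch, together with a migration note (decrypt with the old setting, re-encrypt with the new one) or a legacy `-md sha256` branch. The `true` branch is also a genuine downgrade — one MD5 round of EVP_BytesToKey makes passphrase guessing orders of magnitude cheaper than PBKDF2 at 100000 iterations — and that should be stated where the option is chosen, e.g. `# legacy EVP_BytesToKey(MD5, 1 round) for OpenSSL < 1.1.1 / LibreSSL < 2.9.1 -- far weaker than PBKDF2; enable only for cross-system compatibility`. Whether an unset `yadm.openssl-old` makes `config --bool` print an empty string (and so selects the pbkdf2 branch) depends on the `config` helper, which is outside this hunk.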
@@ -948,7 +957,8 @@ function _decrypt_from() { require_openssl OPENSSL_CIPHERNAME="$(_get_openssl_ciphername)" - $OPENSSL_PROGRAM enc -d "-${OPENSSL_CIPHERNAME}" -salt -in "$output_archive" + _set_openssl_options + $OPENSSL_PROGRAM enc -d "${OPENSSL_OPTS[@]}" "-${OPENSSL_CIPHERNAME}" -salt -in "$output_archive" ;; *) @@ -1239,6 +1249,7 @@ yadm.gpg-perms yadm.gpg-program yadm.gpg-recipient yadm.openssl-ciphername +yadm.openssl-old yadm.openssl-program yadm.ssh-perms EOF
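Review bot: A key-derivation mismatch on the new `enc -d` line surfaces only as OpenSSL's generic "bad decrypt" on stderr, with nothing pointing the user at `yadm.openssl-old`, which is now the first thing to try when an archive came from another system or an older yadm. A silent retry with the other option set is not a safe alternative here, because `enc -d` with a wrong key streams decrypted garbage to stdout before the final padding check fails, which would corrupt whatever consumes this function's output; a hint that keeps the failure status is the safer fix, e.g. `$OPENSSL_PROGRAM enc -d "${OPENSSL_OPTS[@]}" "-${OPENSSL_CIPHERNAME}" -salt -in "$output_archive" ||` followed by `  { echo "yadm: decryption failed; if the archive was created without pbkdf2, toggle yadm.openssl-old" >&2; return 1; }`. `_decrypt_from` begins and ends outside this hunk, so how its exit status is consumed by callers is not visible here and the `return 1` may need to match that convention.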