1
0
Fork 0
mirror of synced 2024-12-22 06:31:07 -05:00

Add config yadm.openssl-old

The newer versions (OpenSSL 1.1.1 or LibreSSL 2.9.1) support the pbkdf2
key derivation function, while older versions do not. In addition the
new versions have changed the default digest to SHA256 instead of MD5.

Files encrypted with older versions would throw warnings about
deprecated key derivation used files encrypted with newer versions +
pbkdf2 would not be decryptable using older versions These problems
matter, when many users maintain their dotfiles across different systems
with different levels of OpenSSL support.

A new boolean config option has been added, yadm.openssl-old

* If false, use options -pbkdf2 -iter 100000 -md sha512
* If true, use options -md md5 (and if decrypting with newer versions
  warnings will be printed)
This commit is contained in:
Tim Byrne 2020-09-25 09:25:38 -05:00
parent 47d4ea5f7e
commit 05ae6f0257
No known key found for this signature in database
GPG key ID: 14DB4FC2465A4B12
2 changed files with 14 additions and 2 deletions

View file

@ -124,6 +124,7 @@ def supported_configs():
'yadm.gpg-program', 'yadm.gpg-program',
'yadm.gpg-recipient', 'yadm.gpg-recipient',
'yadm.openssl-ciphername', 'yadm.openssl-ciphername',
'yadm.openssl-old',
'yadm.openssl-program', 'yadm.openssl-program',
'yadm.ssh-perms', 'yadm.ssh-perms',
] ]

15
yadm
View file

@ -55,6 +55,8 @@ OPERATING_SYSTEM="Unknown"
ENCRYPT_INCLUDE_FILES="unparsed" ENCRYPT_INCLUDE_FILES="unparsed"
OPENSSL_OPTS=()
LEGACY_WARNING_ISSUED=0 LEGACY_WARNING_ISSUED=0
INVALID_ALT=() INVALID_ALT=()
@ -922,6 +924,14 @@ function _get_openssl_ciphername() {
echo "$OPENSSL_CIPHERNAME" echo "$OPENSSL_CIPHERNAME"
} }
function _set_openssl_options() {
if [ "$(config --bool yadm.openssl-old)" == "true" ]; then
OPENSSL_OPTS=(-md md5)
else
OPENSSL_OPTS=(-pbkdf2 -iter 100000 -md sha512)
fi
}
function _get_cipher() { function _get_cipher() {
output_archive="$1" output_archive="$1"
yadm_cipher="$(config yadm.cipher)" yadm_cipher="$(config yadm.cipher)"
@ -930,7 +940,6 @@ function _get_cipher() {
fi fi
} }
function _decrypt_from() { function _decrypt_from() {
local output_archive local output_archive
@ -948,7 +957,8 @@ function _decrypt_from() {
require_openssl require_openssl
OPENSSL_CIPHERNAME="$(_get_openssl_ciphername)" OPENSSL_CIPHERNAME="$(_get_openssl_ciphername)"
$OPENSSL_PROGRAM enc -d "-${OPENSSL_CIPHERNAME}" -salt -in "$output_archive" _set_openssl_options
$OPENSSL_PROGRAM enc -d "${OPENSSL_OPTS[@]}" "-${OPENSSL_CIPHERNAME}" -salt -in "$output_archive"
;; ;;
*) *)
@ -1239,6 +1249,7 @@ yadm.gpg-perms
yadm.gpg-program yadm.gpg-program
yadm.gpg-recipient yadm.gpg-recipient
yadm.openssl-ciphername yadm.openssl-ciphername
yadm.openssl-old
yadm.openssl-program yadm.openssl-program
yadm.ssh-perms yadm.ssh-perms
EOF EOF