From baaeb88628cd5a42786f7b3dae1ed86f25285e5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20L=C3=B3pez?= Date: Wed, 9 Jan 2019 12:05:06 +0100 Subject: [PATCH 1/7] Initial support for alternative cyphers. This patch implements an OpenSSL cypher (via openssl enc command). It has to be enabled using yadm.cypher configuration key. Some rough edges: - archive file refers to GPG (.gpg extension) - no test cases --- yadm | 113 +++++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 99 insertions(+), 14 deletions(-) diff --git a/yadm b/yadm index e55a287..e912bda 100755 --- a/yadm +++ b/yadm @@ -34,6 +34,7 @@ HOOK_COMMAND="" FULL_COMMAND="" GPG_PROGRAM="gpg" +OPENSSL_PROGRAM="openssl" GIT_PROGRAM="git" ENVTPL_PROGRAM="envtpl" LSB_RELEASE_PROGRAM="lsb_release" @@ -388,9 +389,88 @@ EOF } +function _decrypt_from() { + + local output_archive + output_archive="$1" + + local yadm_crypher + yadm_crypher="$(config yadm.cypher)" + if [ -z "$yadm_crypher" ]; then + yadm_crypher="gpg" + fi + + case "$yadm_crypher" in + gpg) + require_gpg + + $GPG_PROGRAM -d "$output_archive" + ;; + + openssl) + require_openssl + + $OPENSSL_PROGRAM enc -d -aes256 -in "$output_archive" + ;; + + *) + error_out "Unknown cypher '$yadm_crypher'" + ;; + + esac + +} + +function _encrypt_to() { + + local output_archive + output_archive="$1" + + local yadm_crypher + yadm_crypher="$(config yadm.cypher)" + if [ -z "$yadm_crypher" ]; then + yadm_crypher="gpg" + fi + + case "$yadm_crypher" in + gpg) + require_gpg + + #; Build gpg options for gpg + GPG_KEY="$(config yadm.gpg-recipient)" + if [ "$GPG_KEY" = "ASK" ]; then + GPG_OPTS=("--no-default-recipient" "-e") + elif [ "$GPG_KEY" != "" ]; then + GPG_OPTS=("-e" "-r $GPG_KEY") + else + GPG_OPTS=("-c") + fi + + $GPG_PROGRAM --yes "${GPG_OPTS[@]}" --output "$output_archive" + ;; + + openssl) + require_openssl + + #; Build openssl options for openssl + OPENSSL_CIPHERNAME="$(config yadm.openssl-ciphername)" + if [ -z "$OPENSSL_CIPHERNAME" ]; then + OPENSSL_CIPHERNAME="aes256" + fi + + $OPENSSL_PROGRAM enc -"$OPENSSL_CIPHERNAME" -e -out "$output_archive" + ;; + + *) + error_out "Unknown cypher '$yadm_crypher'" + ;; + + esac + +} + function decrypt() { - require_gpg require_archive YADM_WORK=$(unix_path "$("$GIT_PROGRAM" config core.worktree)") @@ -402,7 +482,7 @@ function decrypt() { fi #; decrypt the archive - if ($GPG_PROGRAM -d "$YADM_ARCHIVE" || echo 1) | tar v${tar_option}f - -C "$YADM_WORK"; then + if (_decrypt_from "$YADM_ARCHIVE" || echo 1) | tar v${tar_option}f - -C "$YADM_WORK"; then [ ! "$DO_LIST" = "YES" ] && echo "All files decrypted." else error_out "Unable to extract encrypted files." @@ -414,29 +494,18 @@ function decrypt() { function encrypt() { - require_gpg require_encrypt parse_encrypt cd_work "Encryption" || return - #; Build gpg options for gpg - GPG_KEY="$(config yadm.gpg-recipient)" - if [ "$GPG_KEY" = "ASK" ]; then - GPG_OPTS=("--no-default-recipient" "-e") - elif [ "$GPG_KEY" != "" ]; then - GPG_OPTS=("-e" "-r $GPG_KEY") - else - GPG_OPTS=("-c") - fi - #; report which files will be encrypted echo "Encrypting the following files:" printf '%s\n' "${ENCRYPT_INCLUDE_FILES[@]}" echo #; encrypt all files which match the globs - if tar -f - -c "${ENCRYPT_INCLUDE_FILES[@]}" | $GPG_PROGRAM --yes "${GPG_OPTS[@]}" --output "$YADM_ARCHIVE"; then + if tar -f - -c "${ENCRYPT_INCLUDE_FILES[@]}" | _encrypt_to "$YADM_ARCHIVE"; then echo "Wrote new file: $YADM_ARCHIVE" else error_out "Unable to write $YADM_ARCHIVE" @@ -600,10 +669,12 @@ yadm.auto-alt yadm.auto-perms yadm.auto-private-dirs yadm.cygwin-copy +yadm.cypher yadm.git-program yadm.gpg-perms yadm.gpg-program yadm.gpg-recipient +yadm.openssl-program yadm.ssh-perms EOF } @@ -1041,6 +1112,20 @@ function require_gpg() { command -v "$GPG_PROGRAM" >/dev/null 2>&1 || \ error_out "This functionality requires GPG to be installed, but the command '$GPG_PROGRAM' cannot be located.$more_info" } +function require_openssl() { + local alt_openssl + alt_openssl="$(config yadm.openssl-program)" + + local more_info + more_info="" + + if [ "$alt_openssl" != "" ] ; then + OPENSSL_PROGRAM="$alt_openssl" + more_info="\nThis command has been set via the yadm.openssl-program configuration." + fi + command -v "$OPENSSL_PROGRAM" >/dev/null 2>&1 || \ + error_out "This functionality requires OpenSSL to be installed, but the command '$OPENSSL_PROGRAM' cannot be located.$more_info" +} function require_repo() { [ -d "$YADM_REPO" ] || error_out "Git repo does not exist. did you forget to run 'init' or 'clone'?" } From bde5ecbc66b6bc7e71641adf0d3532c4d1db34b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20L=C3=B3pez?= Date: Wed, 9 Jan 2019 12:55:25 +0100 Subject: [PATCH 2/7] Deduplicate openssl cipher name code (and change default value) --- yadm | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/yadm b/yadm index e912bda..64bf0ea 100755 --- a/yadm +++ b/yadm @@ -389,6 +389,15 @@ EOF } +function _get_openssl_ciphername() { + OPENSSL_CIPHERNAME="$(config yadm.openssl-ciphername)" + if [ -z "$OPENSSL_CIPHERNAME" ]; then + OPENSSL_CIPHERNAME="aes-256-cbc" + fi + + echo "$OPENSSL_CIPHERNAME" +} + function _decrypt_from() { local output_archive @@ -410,7 +419,8 @@ function _decrypt_from() { openssl) require_openssl - $OPENSSL_PROGRAM enc -d -aes256 -in "$output_archive" + OPENSSL_CIPHERNAME="$(_get_openssl_ciphername)" + $OPENSSL_PROGRAM enc -d -$OPENSSL_CIPHERNAME -salt -in "$output_archive" ;; *) @@ -452,13 +462,8 @@ function _encrypt_to() { openssl) require_openssl - #; Build openssl options for openssl - OPENSSL_CIPHERNAME="$(config yadm.openssl-ciphername)" - if [ -z "$OPENSSL_CIPHERNAME" ]; then - OPENSSL_CIPHERNAME="aes256" - fi - - $OPENSSL_PROGRAM enc -"$OPENSSL_CIPHERNAME" -e -out "$output_archive" + OPENSSL_CIPHERNAME="$(_get_openssl_ciphername)" + $OPENSSL_PROGRAM enc -e -$OPENSSL_CIPHERNAME -salt -out "$output_archive" ;; *) From 67ce492b2ad27600378b3e4cacf39f559d97c35d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20L=C3=B3pez?= Date: Thu, 10 Jan 2019 14:50:51 +0100 Subject: [PATCH 3/7] Added undocumented config `yadm.openssl-ciphername` --- yadm | 1 + 1 file changed, 1 insertion(+) diff --git a/yadm b/yadm index 64bf0ea..d45b993 100755 --- a/yadm +++ b/yadm @@ -679,6 +679,7 @@ yadm.git-program yadm.gpg-perms yadm.gpg-program yadm.gpg-recipient +yadm.openssl-ciphername yadm.openssl-program yadm.ssh-perms EOF From 7698adfd772c65a18e6a75dc4ab5348ebf01c831 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20L=C3=B3pez?= Date: Mon, 17 Feb 2020 09:31:45 +0100 Subject: [PATCH 4/7] Rebase on top of upstream/develop --- yadm | 3 --- 1 file changed, 3 deletions(-) diff --git a/yadm b/yadm index 250ae77..5995a15 100755 --- a/yadm +++ b/yadm @@ -1170,11 +1170,8 @@ yadm.auto-alt yadm.auto-exclude yadm.auto-perms yadm.auto-private-dirs -<<<<<<< HEAD -======= yadm.cygwin-copy yadm.cypher ->>>>>>> local yadm.git-program yadm.gpg-perms yadm.gpg-program From 9fe53777496bb0600408cc6968af70e684d3dddc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20L=C3=B3pez?= Date: Mon, 17 Feb 2020 11:53:29 +0100 Subject: [PATCH 5/7] Fix some typos and code style --- yadm | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/yadm b/yadm index 5995a15..5032638 100755 --- a/yadm +++ b/yadm @@ -870,13 +870,13 @@ function _decrypt_from() { local output_archive output_archive="$1" - local yadm_crypher - yadm_crypher="$(config yadm.cypher)" - if [ -z "$yadm_crypher" ]; then - yadm_crypher="gpg" + local yadm_cipher + yadm_cipher="$(config yadm.cipher)" + if [ -z "$yadm_cipher" ]; then + yadm_cipher="gpg" fi - case "$yadm_crypher" in + case "$yadm_cipher" in gpg) require_gpg @@ -887,11 +887,11 @@ function _decrypt_from() { require_openssl OPENSSL_CIPHERNAME="$(_get_openssl_ciphername)" - $OPENSSL_PROGRAM enc -d -$OPENSSL_CIPHERNAME -salt -in "$output_archive" + $OPENSSL_PROGRAM enc -d "-${OPENSSL_CIPHERNAME}" -salt -in "$output_archive" ;; *) - error_out "Unknown cypher '$yadm_crypher'" + error_out "Unknown cipher '$yadm_cipher'" ;; esac @@ -903,13 +903,13 @@ function _encrypt_to() { local output_archive output_archive="$1" - local yadm_crypher - yadm_crypher="$(config yadm.cypher)" - if [ -z "$yadm_crypher" ]; then - yadm_crypher="gpg" + local yadm_cipher + yadm_cipher="$(config yadm.cipher)" + if [ -z "$yadm_cipher" ]; then + yadm_cipher="gpg" fi - case "$yadm_crypher" in + case "$yadm_cipher" in gpg) require_gpg @@ -930,11 +930,11 @@ function _encrypt_to() { require_openssl OPENSSL_CIPHERNAME="$(_get_openssl_ciphername)" - $OPENSSL_PROGRAM enc -e -$OPENSSL_CIPHERNAME -salt -out "$output_archive" + $OPENSSL_PROGRAM enc -e "-${OPENSSL_CIPHERNAME}" -salt -out "$output_archive" ;; *) - error_out "Unknown cypher '$yadm_crypher'" + error_out "Unknown cipher '$yadm_cipher'" ;; esac @@ -1171,7 +1171,7 @@ yadm.auto-exclude yadm.auto-perms yadm.auto-private-dirs yadm.cygwin-copy -yadm.cypher +yadm.cipher yadm.git-program yadm.gpg-perms yadm.gpg-program From 831c9ec09da23273fa33185d309a37bc189dcee3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20L=C3=B3pez?= Date: Mon, 17 Feb 2020 11:54:03 +0100 Subject: [PATCH 6/7] Testing: add new config items to tests --- test/conftest.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/conftest.py b/test/conftest.py index 31d872b..0c0cef8 100644 --- a/test/conftest.py +++ b/test/conftest.py @@ -117,10 +117,13 @@ def supported_configs(): 'yadm.auto-exclude', 'yadm.auto-perms', 'yadm.auto-private-dirs', + 'yadm.cipher', 'yadm.git-program', 'yadm.gpg-perms', 'yadm.gpg-program', 'yadm.gpg-recipient', + 'yadm.openssl-ciphername', + 'yadm.openssl-program', 'yadm.ssh-perms', ] From 778c33145cb586ee129551cd57a75543b266b88e Mon Sep 17 00:00:00 2001 From: Tim Byrne Date: Fri, 28 Feb 2020 07:38:49 -0600 Subject: [PATCH 7/7] Remove legacy code which was reintroduced --- yadm | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/yadm b/yadm index e5463dc..059eb2b 100755 --- a/yadm +++ b/yadm @@ -914,7 +914,7 @@ function _encrypt_to() { gpg) require_gpg - #; Build gpg options for gpg + # Build gpg options for gpg GPG_KEY="$(config yadm.gpg-recipient)" if [ "$GPG_KEY" = "ASK" ]; then GPG_OPTS=("--no-default-recipient" "-e") @@ -1178,7 +1178,6 @@ yadm.auto-alt yadm.auto-exclude yadm.auto-perms yadm.auto-private-dirs -yadm.cygwin-copy yadm.cipher yadm.git-program yadm.gpg-perms @@ -1992,7 +1991,7 @@ function require_openssl() { OPENSSL_PROGRAM="$alt_openssl" more_info="\nThis command has been set via the yadm.openssl-program configuration." fi - command -v "$OPENSSL_PROGRAM" >/dev/null 2>&1 || \ + command -v "$OPENSSL_PROGRAM" &> /dev/null || error_out "This functionality requires OpenSSL to be installed, but the command '$OPENSSL_PROGRAM' cannot be located.$more_info" } function require_repo() {