Simplified use_pbkdf2 arg to kdf

Erotemic · Erotemic · commit 8004de8dc460 · 2022-06-14T13:01:19.000-04:00
diff --git a/tests/test_transcrypt.py b/tests/test_transcrypt.py
@@ -24,7 +24,7 @@ class Transcrypt(ub.NiceRepr):
         >>> from test_transcrypt import *  # NOQA
         >>> sandbox = DemoSandbox(verbose=1, dpath='special:cache').setup()
         >>> config = {'digest': 'sha256',
-        >>>           'use_pbkdf2': '1',
+        >>>           'kdf': 'pbkdf2',
         >>>           'salt_method': '665896be121e1a0a4a7b18f01780061'}
         >>> self = Transcrypt(sandbox.repo_dpath,
         >>>                   config=config, env=sandbox.env, verbose=1)
@@ -55,7 +55,7 @@ class Transcrypt(ub.NiceRepr):
         'cipher': 'aes-256-cbc',
         'password': None,
         'digest': 'md5',
-        'use_pbkdf2': '0',
+        'kdf': 'none',
         'salt_method': 'password',
     }
 
@@ -87,7 +87,7 @@ def _config_args(self):
             "-c", self.config['cipher'],
             "-p", self.config['password'],
             "-md", self.config['digest'],
-            "--use-pbkdf2", self.config['use_pbkdf2'],
+            "--kdf", self.config['kdf'],
             "-sm", self.config['salt_method'],
         ]
         args = [template.format(**self.config) for template in arg_templates]
@@ -200,7 +200,7 @@ def _load_unversioned_config(self):
         local_config = {
             'cipher': self._cmd('git config --get --local transcrypt.cipher')['out'].strip(),
             'digest': self._cmd('git config --get --local transcrypt.digest')['out'].strip(),
-            'use_pbkdf2': self._cmd('git config --get --local transcrypt.use-pbkdf2')['out'].strip(),
+            'kdf': self._cmd('git config --get --local transcrypt.kdf')['out'].strip(),
             'salt_method': self._cmd('git config --get --local transcrypt.salt-method')['out'].strip(),
             'password': self._cmd('git config --get --local transcrypt.password')['out'].strip(),
             'openssl_path': self._cmd('git config --get --local transcrypt.openssl-path')['out'].strip(),
@@ -371,7 +371,7 @@ def test_export_gpg(self):
         # FIXME
         is_ok = got_config == config
         if not is_ok:
-            is_ok = all([got_config[k] == config[k] for k in {'digest', 'password', 'cipher', 'use_pbkdf2'}])
+            is_ok = all([got_config[k] == config[k] for k in {'digest', 'password', 'cipher', 'kdf'}])
 
         if not is_ok:
             print(f'got_config={got_config}')
@@ -391,7 +391,7 @@ def test_rekey(self):
             'cipher': 'aes-256-cbc',
             'password': '12345',
             'digest': 'sha256',
-            'use_pbkdf2': '1',
+            'kdf': 'pbkdf2',
             'salt_method': 'random',
         }
         raw_before = self.tc.show_raw(self.sandbox.secret_fpath)
@@ -406,7 +406,7 @@ def test_legacy_defaults():
         'cipher': 'aes-256-cbc',
         'password': 'correct horse battery staple',
         'digest': 'md5',
-        'use_pbkdf2': '0',
+        'kdf': 'none',
         'salt_method': 'password',
     }
     verbose = 1
@@ -421,7 +421,7 @@ def test_secure_defaults():
         'cipher': 'aes-256-cbc',
         'password': 'correct horse battery staple',
         'digest': 'sha512',
-        'use_pbkdf2': '1',
+        'kdf': 'pbkdf2',
         'salt_method': 'random',
     }
     verbose = 1
@@ -436,7 +436,7 @@ def test_configured_salt_changes_on_rekey():
         'cipher': 'aes-256-cbc',
         'password': 'correct horse battery staple',
         'digest': 'sha512',
-        'use_pbkdf2': '1',
+        'kdf': 'pbkdf2',
         'salt_method': 'random',
     }
     verbose = 1
@@ -448,7 +448,7 @@ def test_configured_salt_changes_on_rekey():
     after_config = self.tc._load_unversioned_config()
     assert before_config['password'] != after_config['password']
     assert before_config['cipher'] == after_config['cipher']
-    assert before_config['use_pbkdf2'] == after_config['use_pbkdf2']
+    assert before_config['kdf'] == after_config['kdf']
     assert before_config['salt_method'] == after_config['salt_method']
     assert before_config['openssl_path'] == after_config['openssl_path']
 
@@ -473,7 +473,7 @@ def test_configuration_grid():
         'cipher': ['aes-256-cbc', 'aes-128-ecb'],
         'password': ['correct horse battery staple'],
         'digest': ['md5', 'sha256'],
-        'use_pbkdf2': ['0', '1'],
+        'kdf': ['none', 'pbkdf2'],
         'salt_method': ['password', 'random', 'mylittlecustomsalt'],
     }
     test_grid = list(ub.named_product(basis))
diff --git a/transcrypt b/transcrypt
@@ -28,7 +28,7 @@ readonly VERSION='3.0.0-pre'
 # the default cipher to utilize
 readonly DEFAULT_CIPHER='aes-256-cbc'
 readonly DEFAULT_DIGEST='MD5'
-readonly DEFAULT_USE_PBKDF2='0'
+readonly DEFAULT_KDF='none'
 readonly DEFAULT_SALT_METHOD='password'
 
 # These are the implemented methods for computing deterministic salt
@@ -246,7 +246,7 @@ _load_transcrypt_config_vars() {
 	# Populate bash vars with our config
 	cipher=$(_load_config_var "transcrypt.cipher") || (echo "failed to load transcrypt.cipher" && false)
 	digest=$(_load_config_var "transcrypt.digest") || (echo "failed to load transcrypt.digest" && false)
-	use_pbkdf2=$(_load_config_var "transcrypt.use-pbkdf2") || (echo "failed to load transcrypt.use-pbkdf2" && false)
+	kdf=$(_load_config_var "transcrypt.kdf") || (echo "failed to load transcrypt.kdf" && false)
 	salt_method=$(_load_config_var "transcrypt.salt-method") || (echo "failed to load transcrypt.salt-method" && false)
 	openssl_path=$(_load_config_var "transcrypt.openssl-path") || (echo "failed to load transcrypt.openssl-path" && false)
 	password=$(_load_unversioned_config_var transcrypt.password) || (echo "failed to load transcrypt.password" && false)
@@ -257,7 +257,7 @@ _load_vars_for_encryption() {
 	# Helper to populate variables needed to call openssl encryption
 	_load_transcrypt_config_vars
 
-	if [[ "$use_pbkdf2" == "1" ]]; then
+	if [[ "$kdf" == "1" ]] || [[ "$kdf" == "pbkdf2" ]]; then
 		pbkdf2_args=('-pbkdf2')
 	else
 		pbkdf2_args=()
@@ -568,8 +568,8 @@ validate_digest() {
 	_validate_variable_str "digest" "$valid_digests"
 }
 
-validate_use_pbkdf2() {
-	_validate_variable_str "use_pbkdf2" "0 1"
+validate_kdf() {
+	_validate_variable_str "kdf" "0 1 none pbkdf2"
 }
 
 validate_salt_method() {
@@ -599,14 +599,14 @@ get_cipher() {
 	_get_user_input cipher "$DEFAULT_CIPHER" "validate_cipher" "$prompt"
 }
 
-get_use_pbkdf2() {
+get_kdf() {
 	local prompt
-	prompt=$(printf 'Use pbkdf2? [%s] ' "$DEFAULT_USE_PBKDF2")
-	if [[ "$use_pbkdf2" == "" ]]; then
-		use_pbkdf2=$(_load_versioned_config_var "transcrypt.use-pbkdf2")
-		# echo "Loaded use_pbkdf2 = $use_pbkdf2 from local config"
+	prompt=$(printf 'Which key derivation function? [%s] ' "$DEFAULT_KDF")
+	if [[ "$kdf" == "" ]]; then
+		kdf=$(_load_versioned_config_var "transcrypt.kdf")
+		# echo "Loaded kdf = $kdf from local config"
 	fi
-	_get_user_input use_pbkdf2 "$DEFAULT_USE_PBKDF2" "validate_use_pbkdf2" "$prompt"
+	_get_user_input kdf "$DEFAULT_KDF" "validate_kdf" "$prompt"
 }
 
 get_salt_method() {
@@ -650,7 +650,6 @@ ensure_salt_method() {
 	# Check if randomized salt needs to be written
 	if [[ "$salt_method" == "random" ]]; then
 		# Replace random with something random.
-		#salt_method=$(_load_versioned_config_var "transcrypt.salt-method")
 		# If we have not configured the salt_method (or we need to rekey),
 		# then generate new random salt
 		salt_method=$(openssl rand -hex 32)
@@ -770,7 +769,7 @@ save_configuration() {
 	_set_config_var "transcrypt.version" "$VERSION"
 	_set_config_var "transcrypt.cipher" "$cipher"
 	_set_config_var "transcrypt.digest" "$digest"
-	_set_config_var "transcrypt.use-pbkdf2" "$use_pbkdf2"
+	_set_config_var "transcrypt.kdf" "$kdf"
 	_set_config_var "transcrypt.salt-method" "$salt_method"
 	_set_unversioned_config_var "transcrypt.openssl-path" "$openssl_path"
 	_set_unversioned_config_var "transcrypt.password" "$password"
@@ -819,7 +818,7 @@ _display_git_configuration() {
 # Show the config of the current runtime
 _display_runtime_configuration() {
 	printf '  DIGEST:  %s\n' "$digest"
-	printf '  USE_PBKDF2: %s\n' "$use_pbkdf2"
+	printf '  USE_PBKDF2: %s\n' "$kdf"
 	printf '  SALT_METHOD: %s\n' "$salt_method"
 	if [[ "$salt_method" == "configured" ]]; then
 		printf '  CONFIG_SALT: %s\n' "$salt_method"
@@ -837,8 +836,8 @@ display_configuration() {
 	_display_git_configuration
 	_display_runtime_configuration
 	printf 'Copy and paste the following command to initialize a cloned repository:\n\n'
-	printf "  transcrypt -c '%s' -p '%s' -md '%s' --use-pbkdf2 '%s' -sm '%s'\n" \
-		"$cipher" "$escaped_password" "$digest" "$use_pbkdf2" "$salt_method"
+	printf "  transcrypt -c '%s' -p '%s' -md '%s' --kdf '%s' -sm '%s'\n" \
+		"$cipher" "$escaped_password" "$digest" "$kdf" "$salt_method"
 }
 
 # remove transcrypt-related settings from the repository's git config
@@ -1118,8 +1117,8 @@ export_gpg() {
 
 	local gpg_encrypt_cmd="gpg --batch --recipient $gpg_recipient --trust-model always --yes --armor --quiet --encrypt -"
 	#printf 'password=%s\ncipher=%s\n' "$current_password" "$current_cipher" | $gpg_encrypt_cmd >"${CRYPT_DIR}/${gpg_recipient}.asc"
-	printf 'password=%s\ncipher=%s\ndigest=%s\nuse_pbkdf2=%s\nsalt_method=%s\n\n' \
-		"$password" "$cipher" "$digest" "$use_pbkdf2" "$salt_method" |
+	printf 'password=%s\ncipher=%s\ndigest=%s\nkdf=%s\nsalt_method=%s\n\n' \
+		"$password" "$cipher" "$digest" "$kdf" "$salt_method" |
 		$gpg_encrypt_cmd >"${CRYPT_DIR}/${gpg_recipient}.asc"
 	printf "The transcrypt configuration has been encrypted and exported to:\n%s/crypt/%s.asc\n" "$GIT_DIR" "$gpg_recipient"
 }
@@ -1154,7 +1153,7 @@ import_gpg() {
 	cipher=$(printf '%s' "$configuration" | grep '^cipher' | cut -d'=' -f 2-)
 	password=$(printf '%s' "$configuration" | grep '^password' | cut -d'=' -f 2-)
 	digest=$(printf '%s' "$configuration" | grep '^digest' | cut -d'=' -f 2-)
-	use_pbkdf2=$(printf '%s' "$configuration" | grep '^use_pbkdf2' | cut -d'=' -f 2-)
+	kdf=$(printf '%s' "$configuration" | grep '^kdf' | cut -d'=' -f 2-)
 	salt_method=$(printf '%s' "$configuration" | grep '^salt_method' | cut -d'=' -f 2-)
 	salt_method=$(printf '%s' "$configuration" | grep '^salt_method' | cut -d'=' -f 2-)
 }
@@ -1199,9 +1198,12 @@ help() {
 		            the digest used to hash the salted password;
 		            defaults to md5
 
-		     -pbkdf2, --use_pbkdf2=USE_PBKDF2
-		            Use the pbkdf2 openssl encryption feature;
-		            defaults to 0
+		     --kdf=PBKDF2
+                    the key-derivation-function to use. Currently can be either
+                    'pbkdf2' or 'none'. Defaults to none.
+
+             -pbkdf2
+		            equivalent to passing --kdf2='pbkdf2'
 
 		     -sm, --salt_method=SALT_METHOD
 		            Method used to compute deterministic salt; can be password, random,
@@ -1313,7 +1315,7 @@ transcrypt_main() {
 	uninstall=''
 	upgrade=''
 	openssl_path='openssl'
-	use_pbkdf2=''
+	kdf=''
 	digest=''
 	salt_method=''
 	salt_method=''
@@ -1366,14 +1368,14 @@ transcrypt_main() {
 			digest=${1#*=}
 			;;
 		-pbkdf2)
-			use_pbkdf2=1
+			kdf=pbkdf2
 			;;
-		--use-pbkdf2)
-			use_pbkdf2=${2}
+		--kdf)
+			kdf=${2}
 			shift
 			;;
-		--use-pbkdf2=*)
-			use_pbkdf2=${1#*=}
+		--kdf=*)
+			kdf=${1#*=}
 			;;
 		-sm | --salt-method)
 			salt_method=$2
@@ -1520,7 +1522,7 @@ transcrypt_main() {
 	# perform function calls to configure transcrypt
 	get_cipher
 	get_digest
-	get_use_pbkdf2
+	get_kdf
 	get_salt_method
 	get_password
 
