1 files changed, 78 insertions, 0 deletions

diff --git a/auth2aes.sh b/auth2aes.sh
new file mode 100644
index 0000000..ea087b0
--- /dev/null
+++ b/auth2aes.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+# auth2aes wraps "openssl enc" protect a file with a password
+# with aes-256-cbc, with a pbkdf2-derived key.
+# This file could be a ~/.bash_aliases or source'd from another script.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+# Copyright © 2021 Ludovic Pouzenc <ludovic@pouzenc.fr>
+
+alias auth2aes="_auth2aes e"
+alias aes2auth="_auth2aes d"
+_auth2aes() {
+	local aespass
+	local aespass2
+	local res
+	local out
+	local status=0
+	local iterations=XXX #TODO Choose a number > 800000 here, should be ~1 sec of CPU workload
+	local action="$1"; shift
+	
+	# Minimal "usage" / help if called without any args
+	if [[ $# -eq 0 || ( "e" != "$action" && "d" != "$action" ) ]]; then
+		echo "Usage: auth2aes <filepath-to-encrypt>..." >&2
+		echo "       aes2auth <filepath-to-decrypt>..." >&2
+		return 1
+	fi
+	# Interactive password input (2 times if encrypt)
+	read -sp "Please enter the password to derive the key from (undisplayed): " aespass
+	res=$?; echo
+	if [[ $res -ne 0 || -z "$aespass" ]]; then
+		echo "Wrong input" >&2
+		return 2
+	fi
+	if [ "e" == "$action" ]; then
+		read -sp "Please confirm by typing it again: " aespass2
+		res=$?; echo
+		if [[ $res -ne 0 || "$aespass" != "$aespass2" ]]; then
+			echo "Wrong input" >&2
+			return 3
+		fi
+	fi
+	# for each command-line arg 
+	while [ -n "$1" ]; do
+		# skip file if unreadable
+		if [ ! -r "$1" ]; then
+			echo "Unreadable file: '$1'" >&2
+			status=$((status|4))
+			shift; continue
+		fi
+		# Append or remove .aes output file extension according to $action
+		[ "e" == "$action" ] && out="$1.aes" || out="${1%.aes}"
+
+		# Encode or decode verbosely
+		[ "d" == "$action" ] && echo "Decrypting '$1' => '$out'"
+		echo $aespass | openssl enc -$action -pass stdin -aes-256-cbc -pbkdf2 -iter $iterations -in "$1" -out "$out"
+
+		if [ $? -eq 0 ]; then
+		       [ "e" == "$action" ] && echo "File '$1' encrypted with aes-256-cbc pbkdf2 $iterations iterations => '$out'"
+		       [ "d" == "$action" ] && echo "Success"
+		else
+		    echo "failure with openssl enc -$action" >&2
+			status=$((status|8))
+		fi
+		shift
+	done
+	return $status
+}