From 9d4d0b90ebfe282f37011b197dfbc28b250e335c Mon Sep 17 00:00:00 2001
From: Andy
Date: Thu, 30 Apr 2020 15:16:42 +1000
Subject: [PATCH] Add option to specify openssl key digest
OpenSSL has deprecated MD5 key digests. The default digest was MD5. To avoid regenerating keys that use MD5 this option allows users to specify the digest type.
---
 unlockgeli | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/unlockgeli b/unlockgeli
index 96df5dc..1bc8088 100755
--- a/unlockgeli
+++ b/unlockgeli
@@ -23,6 +23,7 @@ unlockgeli_start()
 eval key=\${unlockgeli_${_g}_key}
 eval key_identityfile=\${unlockgeli_${_g}_key_identityfile}
 eval key_enc_pw=\${unlockgeli_${_g}_key_enc_pw}
+ eval key_digest=\${unlockgeli_${_g}_key_digest:+"-md "\${unlockgeli_${_g}_key_digest}}
 eval passphrase=\${unlockgeli_${_g}_passphrase}
 eval passphrase_identityfile=\${unlockgeli_${_g}_passphrase_identityfile}
 eval passphrase_enc_pw=\${unlockgeli_${_g}_passphrase_enc_pw}
@@ -37,7 +38,7 @@ unlockgeli_start()
 if [ -n "${key_enc_pw}" ]; then
 echo "Decrypting keyfile"
 mv $keytempfile ${keytempfile}.aes
- openssl enc -aes-256-cbc -a -salt -d -in ${keytempfile}.aes -out $keytempfile -k "${key_enc_pw}"
+ openssl enc -aes-256-cbc -a -salt -d -in ${keytempfile}.aes -out $keytempfile -k "${key_enc_pw}" ${key_digest}
 if [ "$?" -ne "0" ]; then
 warn "Unable to decrypt identity file ${key}"
 fi
@@ -52,7 +53,7 @@ unlockgeli_start()
 if [ -n "${passphrase_enc_pw}" ]; then
 echo "Decrypting passphrase file"
 mv $pwtempfile ${pwtempfile}.aes
- openssl enc -aes-256-cbc -a -salt -d -in ${pwtempfile}.aes -out $pwtempfile -k "${passphrase_enc_pw}"
+ openssl enc -aes-256-cbc -a -salt -d -in ${pwtempfile}.aes -out $pwtempfile -k "${passphrase_enc_pw}" ${key_digest}
 if [ "$?" -ne "0" ]; then
 warn "Unable to decrypt passphrase file ${passphrase}"
 fi
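Review bot: The `eval key_digest=...` line accepts whatever rc.conf holds in `unlockgeli_${_g}_key_digest`, and the result is later expanded unquoted as `${key_digest}` on both openssl calls (second and third hunks), so a value containing whitespace becomes additional openssl arguments rather than a digest name. A check directly after the assignment would keep it to a single token: `case "${key_digest#-md }" in *[!A-Za-z0-9-]*) warn "Ignoring invalid key digest for ${_g}"; key_digest= ;; esac`. The body of unlockgeli_start starts and ends outside this hunk, so whether the value is checked elsewhere cannot be seen from here.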
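Review bot: Nothing next to the `openssl enc ... ${key_digest}` call in the second hunk says that the new setting selects the digest openssl uses to turn `key_enc_pw` into the AES key, or that choosing md5 is only a way to keep reading files written by an older OpenSSL. I would add a comment above the call: `# key_digest: digest openssl enc uses to derive the key from key_enc_pw; md5 only for legacy files, re-encrypt with a stronger digest when possible`. The same comment fits the passphrase call in the third hunk.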
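Review bot: The passphrase file in the third hunk is decrypted with `${key_digest}`, which the first hunk fills only from `unlockgeli_${_g}_key_digest`, so a passphrase file encrypted with a different digest than the key file cannot be configured, and a user who sets only passphrase options has to know to set a key option. A separate setting read beside the other passphrase variables would avoid that: `eval passphrase_digest=\${unlockgeli_${_g}_passphrase_digest:+"-md "\${unlockgeli_${_g}_passphrase_digest}}`, with `${passphrase_digest}` on this openssl line. If sharing one digest for both files is intended, a neutral name such as `enc_digest` would say so.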