Change all key generation to use PBKDF2;

change all internal encryption back to cbc mode;
add hidden command to convert from gcm to cbc internally

credentials/commands/create.go

@@ -3,7 +3,6 @@ package commands
 import (
 	"context"
 	"encoding/base64"
-	"encoding/hex"
 	"fmt"
 	"os"
 	"time"
@@ -71,11 +70,8 @@ password.`,
 			check(survey.Ask(mdqs, &ci.MetadataInput))
 			check(survey.Ask(cqs, &ci))
 
-			key, err := hex.DecodeString(cfg.GetString(clitypes.KeyPrivateKey))
-			check(err)
-
-			keypass, err := crypto.CombinePasswordAndKey([]byte(masterpass), []byte(key))
-			check(err)
+			key := cfg.GetString(clitypes.KeyPrivateKey)
+			keypass := crypto.GeneratePBKDF2Key([]byte(masterpass), []byte(key))
 
 			prompt := &survey.Confirm{Message: "Do you want a random password?", Default: true}
 			check(survey.AskOne(prompt, &newpass, nil))
@@ -104,7 +100,7 @@ password.`,
 				}
 			}
 
-			cipherpass, err := crypto.GCMEncrypt(keypass, []byte(ci.Password))
+			cipherpass, err := crypto.CBCEncrypt(keypass, []byte(ci.Password))
 			check(err)
 
 			ci.Password = base64.StdEncoding.EncodeToString(cipherpass)
@@ -117,7 +113,7 @@ password.`,
 				prompt := &survey.Password{Message: "OTP secret:"}
 				check(survey.AskOne(prompt, &secret, nil))
 
-				ciphersecret, err := crypto.GCMEncrypt(keypass, []byte(secret))
+				ciphersecret, err := crypto.CBCEncrypt(keypass, []byte(secret))
 				check(err)
 
 				ci.OTPSecret = base64.StdEncoding.EncodeToString(ciphersecret)

credentials/commands/gcm-to-cbc.go

@@ -0,0 +1,108 @@
+package commands
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"time"
+
+	clitypes "github.com/mitchell/selfpass/cli/types"
+	"github.com/mitchell/selfpass/credentials/types"
+	"github.com/mitchell/selfpass/crypto"
+	"github.com/spf13/cobra"
+)
+
+func MakeGCMToCBC(repo clitypes.ConfigRepo, initClient CredentialClientInit) *cobra.Command {
+	gcmToCBC := &cobra.Command{
+		Use:    "gcm-to-cbc",
+		Hidden: true,
+
+		Run: func(cmd *cobra.Command, args []string) {
+			masterpass, cfg, err := repo.OpenConfig()
+			check(err)
+
+			privKey := cfg.GetString(clitypes.KeyPrivateKey)
+
+			fmt.Println(privKey)
+
+			oldHex, err := hex.DecodeString(privKey)
+			check(err)
+
+			oldKey, err := crypto.CombinePasswordAndKey([]byte(masterpass), oldHex)
+			check(err)
+
+			key := crypto.GeneratePBKDF2Key([]byte(masterpass), []byte(privKey))
+
+			ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
+			defer cancel()
+
+			client := initClient(ctx)
+
+			mdch, errch := client.GetAllMetadata(ctx, "")
+
+		receive:
+			for {
+				select {
+				case <-ctx.Done():
+					check(ctx.Err())
+
+				case err := <-errch:
+					check(err)
+
+				case md, ok := <-mdch:
+					if !ok {
+						break receive
+					}
+
+					cred, err := client.Get(ctx, md.ID)
+					check(err)
+
+					cipherpass, err := base64.StdEncoding.DecodeString(cred.Password)
+					check(err)
+
+					plainpass, err := crypto.GCMDecrypt(oldKey, cipherpass)
+					check(err)
+
+					cipherpass, err = crypto.CBCEncrypt(key, plainpass)
+					check(err)
+
+					password := base64.StdEncoding.EncodeToString(cipherpass)
+
+					var otpSecret string
+
+					if cred.OTPSecret != "" {
+						ciphersecret, err := base64.StdEncoding.DecodeString(cred.OTPSecret)
+						check(err)
+
+						plainsecret, err := crypto.GCMDecrypt(oldKey, ciphersecret)
+						check(err)
+
+						ciphersecret, err = crypto.CBCEncrypt(key, plainsecret)
+						check(err)
+
+						otpSecret = base64.StdEncoding.EncodeToString(ciphersecret)
+					}
+
+					credIn := types.CredentialInput{
+						MetadataInput: types.MetadataInput{
+							Primary:    cred.Primary,
+							SourceHost: cred.SourceHost,
+							LoginURL:   cred.LoginURL,
+							Tag:        cred.Tag,
+						},
+						Username:  cred.Username,
+						Email:     cred.Email,
+						Password:  password,
+						OTPSecret: otpSecret,
+					}
+
+					_, err = client.Update(ctx, cred.ID, credIn)
+					check(err)
+				}
+			}
+		},
+	}
+
+	return gcmToCBC
+}

credentials/commands/get.go

@@ -3,7 +3,6 @@ package commands
 import (
 	"context"
 	"encoding/base64"
-	"encoding/hex"
 	"fmt"
 	"time"
 
@@ -45,11 +44,8 @@ decrypting password.`,
 
 			fmt.Println("Wrote primary user key to clipboard.")
 
-			key, err := hex.DecodeString(cfg.GetString(clitypes.KeyPrivateKey))
-			check(err)
-
-			passkey, err := crypto.CombinePasswordAndKey([]byte(masterpass), key)
-			check(err)
+			key := cfg.GetString(clitypes.KeyPrivateKey)
+			passkey := crypto.GeneratePBKDF2Key([]byte(masterpass), []byte(key))
 
 			prompt = &survey.Confirm{Message: "Copy password to clipboard?", Default: true}
 			check(survey.AskOne(prompt, &copyPass, nil))
@@ -58,7 +54,7 @@ decrypting password.`,
 				passbytes, err := base64.StdEncoding.DecodeString(cred.Password)
 				check(err)
 
-				plainpass, err := crypto.GCMDecrypt(passkey, passbytes)
+				plainpass, err := crypto.CBCDecrypt(passkey, passbytes)
 
 				check(clipboard.WriteAll(string(plainpass)))
 
@@ -74,7 +70,7 @@ decrypting password.`,
 					secretbytes, err := base64.StdEncoding.DecodeString(cred.OTPSecret)
 					check(err)
 
-					plainsecret, err := crypto.GCMDecrypt(passkey, secretbytes)
+					plainsecret, err := crypto.CBCDecrypt(passkey, secretbytes)
 
 					otp, err := totp.GenerateCode(string(plainsecret), time.Now())
 					check(err)

credentials/commands/update.go

@@ -3,7 +3,6 @@ package commands
 import (
 	"context"
 	"encoding/base64"
-	"encoding/hex"
 	"fmt"
 	"os"
 	"time"
@@ -100,11 +99,8 @@ password.`,
 			ci.Password = cred.Password
 			ci.OTPSecret = cred.OTPSecret
 
-			key, err := hex.DecodeString(cfg.GetString(clitypes.KeyPrivateKey))
-			check(err)
-
-			keypass, err := crypto.CombinePasswordAndKey([]byte(masterpass), []byte(key))
-			check(err)
+			key := cfg.GetString(clitypes.KeyPrivateKey)
+			keypass := crypto.GeneratePBKDF2Key([]byte(masterpass), []byte(key))
 
 			prompt = &survey.Confirm{Message: "Do you want a new password?", Default: true}
 			check(survey.AskOne(prompt, &newpass, nil))
@@ -138,7 +134,7 @@ password.`,
 					}
 				}
 
-				cipherpass, err := crypto.GCMEncrypt(keypass, []byte(ci.Password))
+				cipherpass, err := crypto.CBCEncrypt(keypass, []byte(ci.Password))
 				check(err)
 
 				ci.Password = base64.StdEncoding.EncodeToString(cipherpass)
@@ -152,7 +148,7 @@ password.`,
 				prompt := &survey.Password{Message: "OTP secret:"}
 				check(survey.AskOne(prompt, &secret, nil))
 
-				ciphersecret, err := crypto.GCMEncrypt(keypass, []byte(secret))
+				ciphersecret, err := crypto.CBCEncrypt(keypass, []byte(secret))
 				check(err)
 
 				ci.OTPSecret = base64.StdEncoding.EncodeToString(ciphersecret)