Avoid null bytes decryption work-around for files with doubled "Salted" prefix due to #147

jmurty · jmurty · commit f709d4718ed9 · 2023-03-01T22:05:02.000+11:00
Improve the work-around for files incorrectly encrypted with doubled "Salted" prefixes due to #147 to avoid null byte warnings – and possibly errors – by checking prefix data as hex-encoded values instead of raw bytes which could contain null characters that are not well handled in bash scripts. This should avoid warnings like the following during decryption: warning: command substitution: ignored null byte in input Unfortunately the need for hex-encoding of bytes adds a new requirement for the `hexdump` command.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -32,6 +32,20 @@ system, you must also run the `--upgrade` command in each repository:
    $ transcrypt --upgrade
    ```
 
+## [Unreleased]
+
+### Changed
+
+- The `hexdump` command is now required by Transcrypt. It will be installed
+  already on many systems, or comes with the `bsdmainutils` package on
+  Ubuntu/Debian that was already required to get the `column` command.
+
+### Fixed
+
+- Avoid null byte warnings when decrypting certain files, caused by a work-
+  around in 2.2.1 to repair files that could have been incorrectly encrypted
+  with 2.2.0 due to issue #147
+
 ## [2.2.1] - 2023-02-11
 
 ### Fixed
diff --git a/README.md b/README.md
@@ -55,7 +55,7 @@ The requirements to run transcrypt are minimal:
 - Bash
 - Git
 - OpenSSL
-- `column` command (on Ubuntu/Debian install `bsdmainutils`)
+- `column` and `hexdump` commands (on Ubuntu/Debian install `bsdmainutils`)
 - `xxd` command if using OpenSSL version 3
   (on Ubuntu/Debian is included with `vim`)
 
diff --git a/transcrypt b/transcrypt
@@ -191,10 +191,11 @@ git_smudge() {
 		# that causes garbage characters at top of decrypted files.
 		#
 		# Check file header, which we already know starts with "Salted", to see if
-		# it has exactly the same "Salted__XYZ" prefix mistakenly repeated twice
-		local header_decoded=$(echo "$(head -c48 <"$tempfile")" | openssl base64 -d)
-		local first_salt_prefix=$(echo "$header_decoded" | cut -b 1-16)         # First 16 bytes
-		local maybe_second_salt_prefix=$(echo "$header_decoded" | cut -b 17-32) # Second 16 bytes
+		# it has exactly the same "Salted__XYZ" prefix mistakenly repeated twice.
+		# Base64 decode gives raw bytes, hexdump gives bytes as ASCII hex characters.
+		local header_as_hex=$(echo "$(head -c48 <"$tempfile")" | openssl base64 -d | hexdump -ve '1/1 "%02x"')
+		local first_salt_prefix=$(echo "$header_as_hex" | cut -b 1-32)         # First 32 chars
+		local maybe_second_salt_prefix=$(echo "$header_as_hex" | cut -b 33-64) # Second 32 chars
 
 		# If the salted prefix is repeated -- and not empty, to avoid mistaken match if
 		# base64 decoding fails -- remove the first occurrence before decrypting...
