crypt: Deprecate PEM keys.

Users have been advised since 2018 to create RFC4716 keys (see
commit 9e2b093bed5d), and this has been the default key format for
ssh-keygen(1) for a long time as well. Upgrade the severity of the
existing log message from info to warning to encourage users at
runtime to replace their old keys.

diff --git a/NEWS.md b/NEWS.md
index 598db71fae93734158509fa5f76853ceb09ccb7b..e122c43fdd1f76b96474db9f6a42297933650814 100644 (file)
--- a/NEWS.md
+++ b/NEWS.md
@@ -1,6 +1,17 @@
 NEWS
 ====
 
+----------------------------------------------
+0.7.3 (to be announced) "weighted correctness"
+----------------------------------------------
+
+- Old style PEM keys are now deprecated. They still work but their
+  use results in a run-time warning. The removal of PEM key support is
+  scheduled for paraslash-0.8.0.
+
+Downloads:
+[tarball](./releases/paraslash-git.tar.xz)
+
 -------------------------------------
 0.7.2 (2023-03-08) "optical friction"
 -------------------------------------

diff --git a/crypt_common.c b/crypt_common.c
index d7471235682855d3f376f0d5796b39567498937b..286ebe38f2215b879c3171183490b2199779f500 100644 (file)
--- a/crypt_common.c
+++ b/crypt_common.c
@@ -295,7 +295,7 @@ int decode_private_key(const char *key_file, unsigned char **result,
                key_type = PKT_PEM;
                begin = map + strlen(PRIVATE_PEM_KEY_HEADER);
                footer = strstr(map, PRIVATE_PEM_KEY_FOOTER);
-               PARA_INFO_LOG("detected legacy PEM key %s\n", key_file);
+               PARA_WARNING_LOG("detected legacy PEM key %s\n", key_file);
        } else if (strncmp(map, PRIVATE_OPENSSH_KEY_HEADER,
                        strlen(PRIVATE_OPENSSH_KEY_HEADER)) == 0) {
                key_type = PKT_OPENSSH;