I'm attempting to "integrate" support for the IDEA cipher into my current system that uses the GnuPG command-line interface for encrypting/decrypting data files sent between my company and our partners. I've read all of the instructions I can find online for various ways to get this set up, and I'm still unable to get the IDEA cipher to load properly.
First, my configuration: I'm using Windows 7 (64-bit) Professional and GnuPG 2.0.17. The --version lists as follows:
gpg (GnuPG) 2.0.17 (Gpg4win 2.1.0)
libgcrypt 1.4.6
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: C:/Users/<username>/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
The command-line executable is actually located on a network share (\\<SERVERNAME>\<ShareName>\GnuPG\gpg.exe), which generally works perfectly for everything I have to encrypt/decrypt EXCEPT when I run into files encrypted using the IDEA cipher. I get the following message when it tries:
gpg: cipher algorithm 1 (IDEA) is unknown or disabled
gpg: encrypted with 2048-bit ELG key, ID C4186BB7, created 2003-05-14
"<keyname#domain.com>"
gpg: public key decryption failed: Invalid cipher algorithm
gpg: decryption failed: No secret key
So, I started Googling everything I could find. I've downloaded the idea.dll library (after digging through all sorts of junk trying to find it) and placed it in the \\<SERVERNAME>\<ShareName>\GnuPG\lib directory, as instructed.
Most of the resources I can find talk about adding the line load-extension lib\idea to the gpg.conf file located in C:/Users/<username>/AppData/Roaming/gnupg. This doesn't work, as I still get the same results to the --version command (no IDEA cipher listed in the supported algorithms). I've also tried explicitly using the full path to the library instead of just the "shortcut" like this: load-extension "\\<SERVERNAME>\<ShareName>\GnuPG\lib\idea.dll", but no luck.
Another suggestion is to add the load-extension switch to the actual command-line like this:
\\<SERVERNAME>\<ShareName>\GnuPG\gpg.exe --load-extension idea
I've tried multiple variations of this option as well, including using the full file name, the full path and file name, etc., but I still can't get the IDEA cipher to load. I've tried putting the idea.dll in the GnuPG Home directory (C:/Users/<username>/AppData/Roaming/gnupg) and trying to get GnuPG to load it from that location with all of the same suggestions as listed above.
The idea.dll file I have doesn't have any version information listed in the Properties dialog, but it's modification date is listed as 20 September 2002. Any suggestions on something I may have overlooked here?
EDIT 1: I'd eventually like to move away from doing my encryption/decryption via command-line and migrate my application to use the BouncyCastle API, as I believe the IDEA cipher is "built-in" over there. Unfortunately, though, I'm having issues getting that working as well (see my SO question on the problems I'm facing with BouncyCastle).
EDIT 2: One other thing to note is that all of the testing I've done above has been from a basic (elevated) command prompt - completely outside of my actual application - so that I can eliminate that as a potential cause of the problem.
So, I kept digging around and even cross-posted my question on the Spiceworks community site. One of the things I found - but had basically ignored, as I didn't see the relevance at the time - was a thread in the GnuPG mailing list. However, one of the other users over on Spiceworks pointed it out to me again, so I gave it another read. I'm basically reposting what I posted over on that site as a reference for anyone else who might run into this issue.
Here's what Werner Koch said in his message on that mailing list:
Nope. GnuPG-2 does not support loading of extensions. the option is a dummy option. The reason for this is that crypto operations are done by Libgcrypt and not by gpg.exe.
The next version of Libgcrypt will support IDEA and thus GnuPG 2.1 will be able to decrypt old (i.e. PGP 2) files, directly. However, using IDEA is not a good idea, we have far better algorithms for ages.
...and the response from the person asking the question was:
When I have to make use of "idea.dll" so that I can decrypt messages
that were encrypted with it, I then use Gpg 1.4.x, and I have it in
an altogether separate folder from the real installation of Gpg
2.0.x. I could not agree with you more in regard to its comparatively inferior algorithms, but that does not preclude my needing it from
time to time.
Is there any reason I should not place it in the same folder as the
gpg.exe version 1.4.x and then make reference to it there? Thanks.
Based on these comments, I figured that, since I'm using GnuPG v2.0.17, maybe I need to try to find an older version of GnuPG (from the 1.4.x family) I can use. I found and downloaded the source code for 1.4.20, downloaded MnGW/MSYS and tried to compile it. Unfortunately, I had problems getting it to compile, and errors kept popping up in the process.
Then, I just happened to be looking at a Windows Explorer window to check a path for some of the files I was working with, and I noticed another directory that contained the gpg.exe file. I fired up a command prompt and just tried to run a --version check on it, and I got this:
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: C:/Users/<username>/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
**gpg: LoadLibrary failed: The system cannot find the file specified.
gpg: invalid module `c:\\lib\\gnupg\lib/idea': The specified module could not be
found.**
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
HOLY CRAP! It's version 1.4.9, and this time it actually appears that it's at least TRYING to load the IDEA library!
So, I tried again, but this time I used the --load-extension switch:
C:\gnu\gnupg\gpg --load-extension C:\GnuPG\lib\idea.dll --version
gpg (GnuPG) 1.4.9
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: C:/Users/<username>/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: **IDEA**, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
HOLY CRAP AGAIN! There's the IDEA cipher this time!
So, now comes the real test - I tried my command line to decrypt the file using this older executable:
C:\GNU\GnuPG\gpg.exe --load-extension C:\GnuPG\lib\idea.dll --batch --passphrase <password> --output "C:\Testing\decrypted.txt" --decrypt "C:\Testing\encrypted.pgp"
Executing this now gives me the following output:
gpg: WARNING: cipher algorithm IDEA not found in recipient preferences
gpg: encrypted with 2048-bit ELG-E key, ID C4186BB7, created 2003-05-14
"<keyname#domain.com>"
I looked, and sure enough, the decrypted file IS THERE! Even though I got the warning about the IDEA cipher algorithm, it still decrypted the file normally, and put it out exactly as expected!
I guess the answer here is that you can't use GnuPG v2.0.x to decrypt files encrypted using the IDEA cipher at all. It would seem that you have to drop back to a previous version of GnuPG in order to even load the library. Thanks for your help. I think I can finally put together a working command-line solution now. Maybe one day I'll actually finish working on the BouncyCastle API implementation, but for now I'm just happy to get the thing working. (doing my happy dance)
EDIT: So, for my "final" (but definitely not perfect) solution, I've got my application attempting to decrypt the file via the 2.0 version, then, if that fails (the decrypted file doesn't exist), try to decrypt using the 1.4 version with the IDEA cipher loaded. Through all of my testing so far, it seems that this works exactly as expected, and my IDEA-encrypted files are being decrypted normally. I should probably build something that actually reads the standard output from the command line to make the determination whether or not to try again with 1.4, but this looks like it's going to work for my purposes until I can figure out BouncyCastle.
Related
I need to determine whether a user's version of OpenJDK is susceptible to a particular security vulnerability. As an example, CVE-2016-0695 was discovered in OpenJDK 8u77, as revealed in the April 2016 Critical Patch Update. Ideally, detecting whether a user's OpenJDK version is vulnerable would be as simple as checking whether it's <= 8u77 or > 8u77 and accordingly marking it as vulnerable or not (assuming that all previous versions are also vulnerable and that the fix gets applied by the next version). The picture gets muddied by manual patches, though.
If I understand correctly, the April 2016 patch would be automatically bundled into the next version of OpenJDK8 (8u91, in this case), but would also be available for manual application. The latter would probably be an attractive option to risk-averse users who want to keep their Java version as-is while patching security holes. If a user manually applies the patch to their 8u77 install, is there any way for me to detect that? For instance, does the version number reported by java -version change? Or is there no indicator that a patch had been applied?
If the OpenJDK build comes from a vendor, the vendor may publish security information. For example, here is the CVE-2016-0695 security information from Debian. This information typically contains the first fixed package version, according to some vendor-specific versioning scheme.
However, in general, you need to obtain the sources for that OpenJDK build and review them if they have to fix.
To find the patch corresponding to a particular CVE ID (say CVE-2016-0695), in most cases, the easiest way is to go to the Red Hat Bugzilla tracker, here the flaw bug for CVE-2016-0695, and note the internal Oracle bug number listed there, 8138593 in this case. Then you need to check out the appropriate OpenJDK sub-tree, in this case for the jdk component:
hg clone http://hg.openjdk.java.net/jdk8u/jdk8u/jdk
And look in the history for the appropriate commit, based on the Oracle bug number (8138593):
changeset: 11581:594e8dca337c
user: igerasim
date: Thu Dec 24 08:42:10 2015 +0300
summary: 8138593: Make DSA more fair
The commit themselves do not contain CVE IDs (which are often not available when the fix is written, so this is understandable), so the detour via the Red Hat bug tracker is needed. (I have not seen a CVE-ID-to-bug-number mapping from Oracle.)
You can view the patch using another Mercurial command:
hg export 594e8dca337c
Once you have the patch, it is a matter of review the source code to check whether it has been applied. If you cannot obtain the source code for some reason, for changes to the jdk, it is often sufficient to disassemble the relevant classes using javap -c. For native code, you need a different disassembler (such as objdump -dr).
The OpenJDK JDK 8 Updates Project provides source code, rather than builds or binary patches. Per the Q&A at http://openjdk.java.net/projects/jdk8u/qanda.html
Security fixes for this Project's source code will be made available
in the JDK 8 Update Project around the same time as they're released
in products from Oracle
They are made available in order to be integrated into the Project's Mercurial forest. Such source code patches are not provided separately, to be applied manually by users for other releases.
In general, if you need to understand whether a particular change has been applied in a third party build, you will need to get and compare the source code from upstream and the third party builds and/or their commit history. Mechanisms to obtain the source code, commit history, patching policies, patch versioning and patch timing may differ from third party to third party.
we have a old AIX server and it has an executable file and we want to rewrite the same logic of the executable file on linux server, so we are trying to read it but could not find a way to do that.could you please let us know if there is a way to decipher this file
$ file execfile
execfile: executable (RISC System/6000) or object module
The IBM RS/6000 has a POWER architecture CPU, possibly a PowerPC 603 or PowerPC 604, or possibly one of the newer models like POWER1, POWER2, POWER3, etc. The most recent (current) systems use POWER7 or POWER8.
Anyway, if the system has the compiler and toolchain installed on it then there should be a decent symbolic debugger included, and you should be able to use that to disassemble any executable. Depending on exactly which version of the OS it was compiled on, and which compiler was used, you might even be able to use PowerPC tools on some other OS, such as MacOS, or even potentially a cross-compiler toolchain on any type of system, to disassemble the program. For example GDB built for PowerPC may be able to disassemble the program.
However if the executable has been stripped of symbols (as was typically the case on AIX systems, IIRC), and especially if it had been run through the most powerful optimizing stage of the compiler, then you'll be pretty much lost and what you are trying to do will be impractical and require many man hours to decipher -- indeed many thousands of man hours for any significantly sized program, even if you're able to hire someone to help who is familiar with the code generation patterns of the particular compiler which was used.
You might be better off trying to hire an archeologist to help you dig through the specific landfill where you might hope to find listings or backup tapes or CDs or disks containing the original source code, or specification documents, etc., for this program. Seriously.
Or try to find and (re-)hire the original author(s).
My company has many many thousands of old compressed files that are maintained by a small program written many years ago. The program successfully decrypts and decompresses individual files using internal addZip unzip calls (from Stephen Darlingotn's original addZip 0.69 library) but whenever I attempt to open the file manually with the password using 7Zip, WinRAR, or the modern PKZip, it tells me the password is not correct.
My initial theory was that the password I was given was incorrect, but I can clearly see it used in the DLL (The source is lost in time, but the decompilation lists and uses the password very clearly).
Is it possible that modern programs don't support older ZIP encrypted files? The file PK header corresponds to a PK ZIP 2.0 file (created by addZip library v0.69), with encryption and normal deflation (per the PKZip spec), the first 10 bytes being...
50 4B 03 04 14 00 0B 00 08 00
The call made to encrypt/decrypt it seems very straight forward...
<Module>.addUNZIP_Decrypt(<Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char> >.c_str(ptr3));
<Module>.addUNZIP_Overwrite(11);
<Module>.addUNZIP_InstallCallback(<Module>.__unep#?zip_callback#?A0xb8f18585##$$FYGHFFPAD#Z);
<Module>.addUNZIP_View(0);
...with that ptr3 parameter on that first call being the pointer to the password.
Is it possible the way this is being called is somehow adding additional unprintable chars to the password? I can't seem to find the source for the addZip library to validate it. ...and even if the password did have unprintable chars, I'm not sure how I'd feed that to a modern opening program. The password isn't that long and has low entropy so I even tried brute forcing it with a few extra chars, but that didn't seem to do the trick (although I'm not sure it was even working because I'm starting to wonder if modern programs can read these zips).
I'm at a loss and the thought of manually and individually opening and saving 100000 documents is driving me to update my resume (kidding).
I had a similar situation.
I ran some tests with a version of AddZip (v0.7 if I'm not mistaken) and I saw the same behaviour.
Investigating the issue I saw some references to the library stating that it is shareware, not freeware as I thought, and that one of the limitations of the shareware version is that the password, no matter what you input, is "Unregistered".
In the version I was using it worked.
HTH,
Paulo
When I use Subversion in Cygwin to update some repository, some directories update with success, while some other one gets a failure with the error message:
svn: E200030: sqlite: disk I/O error
When doing svn update again for the same repository, a different directory can get the same error. Sometimes, there is a SVN instruction after the above error message.
This happened due to a change someone wanted in Cygwin's SQLite package. I was the maintainer of that package when this question was asked, and I made the change that caused this symptom.
The change was released as Cygwin SQLite version 3.7.12.1-1, and it fixed that one person's problem, but it had this bad side effect of preventing Cygwin's Subversion package from cooperating with native Windows Subversion implementations.
What Happened?
The core issue here is that Subversion 1.7 changed the working copy on-disk format. Part of that change involves a new SQLite database file, .svn/wc.db. Now, in order to implement SQLite's concurrency guarantees, SQLite locks the database file while it is accessing it.
That's all fine and sensible, but you run into a problem when you try to mix Windows native and POSIX file locking semantics. On Windows, file locking almost always means mandatory locking, but on Linux systems — which Cygwin is trying to emulate — locking usually means advisory locking instead.
That helps understand where the "disk I/O error" comes from.
The Cygwin SQLite 3.7.12.1-1 change was to build the library in "Unix mode" instead of "Cygwin mode." In Cygwin mode, the library uses Windows native file locking, which goes against the philosophy of Cygwin: where possible, Cygwin packages call POSIX functions instead of direct to the Windows API, so that cygwin1.dll can provide the proper POSIX semantics.
POSIX advisory file locking is exactly what you want with SQLite when all the programs accessing the SQLite DBs in question are built with Cygwin, which is the default assumption within Cygwin. But, when you run a Windows native Subversion program like TortoiseSVN alongside a pure POSIX Cygwin svn, you get a conflict. When the TortoiseSVN Windows Explorer shell extension has the .svn/wc.db file locked with a mandatory lock and Cygwin svn comes along and tries an advisory lock on it, it fails immediately. Cygwin svn assumes a lock attempt will either succeed immediately or block until it can succeed, so it incorrectly interprets the lock failure as a disk I/O error.
How Did We Solve This Dilemma?
Within Cygwin, we always try to play nice with Windows native programs where possible. The trick was to find a way to do that, while still playing nice with Cygwin programs, too.
Not everyone agreed that we should attempt this. "Cygwin SQLite is part of Cygwin, so it only needs to work well with other Cygwin programs," one group would say. The counterpartisans would reply, "Cygwin runs on Windows, so it has to perform well with other Windows programs."
Fortunately, we came up with a way to make both groups happy.
As part of the Cygwin SQLite 3.7.17-x packaging effort, I tested a new feature that Corinna Vinschen added to cygwin1.dll version 1.7.19. It allowed a program to request mandatory file locking through the BSD file locking APIs. My part of the change was to make Cygwin SQLite turn this feature on and off at the user's direction, allowing the same package to meet the needs of both the Cygwin-centric and Windows-native camps.
This Cygwin DLL feature was further improved in 1.7.20, and I released Cygwin SQLite 3.7.13-3 using the finalized locking semantics. This version allowed a choice of three locking strategies: POSIX advisory locking, BSD advisory locking, and BSD/Cygwin mandatory locking. So far, the latter strategy has proven to be completely compatible with native Windows locking.
Later, when Jan Nijtmans took over maintenance of Cygwin SQLite, he further enhanced this mechanism by fully integrating it with the SQLite VFS layer. This allowed a fourth option: the native Windows locking that Cygwin SQLite used to use before we started on this journey. This is mostly a hedge against the possibility that the BSD/Windows locking strategy doesn't cooperate cleanly with a native Windows SQLite program. So far as I know, no one has ever needed to use this option, but it's nice to know it's there.
Alternate Remedy
If the conflict you're having is between Cygwin's command line svn and the TortoiseSVN Windows Explorer shell extension, there's another option to fix it. TortoiseSVN ships with native Windows Subversion command-line programs as well. If you put these in your PATH ahead of Cygwin's bin directory, you shouldn't run into this problem at all.
Having encountered the same problem, it appears (in my case at least) to be an interaction with TortoiseSVN. Disabling TortoiseSVN's status icon cache (Settings > Icon Overlays > Status cache "None" > Apply) has everything working just fine for me.
(That obviously doesn't resolve the underlying problem, which appears to be due to the SQL package that Cygwin's Subversion package relies on changing its mode of access. As I write, there's active [if slow] discussion on the Cygwin mailing list about how to resolve this.)
ldd /usr/bin/svn shows that SVN depends on /usr/bin/cygsqlite3-0.dll.
After I change libsqlite3 from 3.7.12 back to 3.7.3, the problem seems to go away. So this may be a SQLite library problem.
Using TortoiseSVN, ticking off Refresh shell overlays at clean up solved the problem for me.
For others reference, I just had this same error (svn: E200030: sqlite: disk I/O error) and found that one of my log files was taking up all my space (and could not write to the HDD because there was no free space).
Run (to make sure you have enough disk space)
df -h
(If you don't delete some large files (I just removed some backup and log files)
Then I just needed to run:
svn cleanup
This resolved the error for me.
This question has been asked many times before by others, but somehow the answers made me more confused.
In my Qt application (for symbian devices), I have a file with user details (Email ids n passwords) which I store in target device, so want to encrypt this data in the file to keep it secure. I don't need a super secure encryption techniques, just any moderate one would do. How can I do this using Qt?
I downloaded QCA and tried installing but it failed on Verifying Qt 4 build env.. Reason:Unable to find the qmake tool for Qt 4. (I've set the QTDIR to the installed qt path)
Can someone direct me to proper installation steps, examples or alternatives to QCA? (or may be even Symbian encryption APIs would do)
Thanks
You can also use the data caging provided by the operating system and store your files in the application's private directory. You can get its location with QApplication::applicationDirPath().
For encryption in Qt apps I usually use the plain old openssl C library. It's also available on Symbian devices.