https://bugzilla.novell.com/show_bug.cgi?id=329470
Summary: mcrypt lost enigma
Product: openSUSE 10.3
Version: Beta 2
Platform: x86
OS/Version: openSUSE 10.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: brian@aljex.com
QAContact: qa@suse.de
Found By: ---
I have a very heavily used script that needs the classic unix crypt command.
I had enigma sources a long time ago but for a few years now I have been using
the following script which uses mcrypt:
------
#!/bin/sh
# emulate crypt using mcrypt
# brian@aljex.com
case $1 in
-h|--help) echo "Usage: crypt [key] file_out" >&2 ;exit 1 ;;
esac
mcrypt -q -a enigma -o scrypt -m stream -b -F ${1:+-k $1} 2>/dev/null
------
The script that needs crypt is this, cgc/uncgc:
------
#!/bin/ksh
# Encrypts and Decrypts using crypt and urlenc
#
# Used to garble cgi query strings so that the user cannot see or guess
# any real paths, and cannot abuse the cgi to see info they shouldn't.
#
# Written specifically to be used both as a filePro "USER" command, and
# in cgi (or other) scripts. This means this script has to always output
# a linefeed at the end of the data, and should loop forever
# (until HUP/ABORT/TERM etc...)
#
# In filePro you use it like this:
# Then: user cgc = cgc
# Then: cgc = <plain text data>
# Then: system "winstart http://.../cgi-bin/script?"{cgc
#
# Then inside the cgi script you do:
# DECRYPTED=`echo $QUERY_STRING |uncgc`
# to decrypt the query string.
#
# Normally reads a secret random key from a file, but you may optionally
# specify a key on the command line which will be used instead of reading
# the key file
#
# TODO:
# * one-time-use keys?
# during cgc, generate a random key to a random temp file.
# during uncgc, if the file exists, use it then delete it.
# * keys with specific lifetimes?
#
# Brian K. White - brian@aljex.com - Aljex Software
# This reads a random value that is generated every midnight from cron.
# The key stays the same all day, but changes every day.
KEYFILE=/etc/CGCKEY
KEY="$1"
getcgckey () {
    [ -n "$KEY" ] && return
    [ -s $KEYFILE ] || cgckey
    read KEY < $KEYFILE
}
case ${0##*/} in
    cgc) # encrypt
        getcgckey
        while read PLAINTEXT ; do
            print "${PLAINTEXT}\c" |crypt $KEY |base64 |urlenc -n -
            echo
        done
        ;;
    uncgc) # decrypt
        getcgckey
        while read ENCRYPTED ; do
            echo "${ENCRYPTED}" |urldec -n - |base64 -d |crypt $KEY
            echo
        done
        ;;
    cgckey) # generate random key
        umask 0
        typeset -i36 K
        KEY=""
        until [ ${#KEY} -ge 8 ] ; do
            K=$((RANDOM/911))
            IFS='#' read b k <<<$K
            KEY+=$k
        done
        echo "$KEY" > $KEYFILE
        ;;
esac
------
This is a working example.
==== opensuse 10.2 ====
nj3:~ # mcrypt --version
Mcrypt v.0.9.4 (i686-suse-linux-gnu)
Linked against libmcrypt v.2.5.7
Copyright (C) 1998-2002 Nikos Mavroyanopoulos (nmav@gnutls.org)
nj3:~ # cgc
hello << typed in
11OSPA4%3D%0D%0A << script output
<< pressed break
nj3:~ # uncgc
11OSPA4%3D%0D%0A << pasted in
hello << script output
<< pressed break
nj3:~ #
This is the broken box, the same scripts on 10.3.
The word "Aljex" in the otherwise random binary junk is my terminal emulator's
response to a Ctrl-E that must have been in that binary junk.
==== opensuse factory 10.3 ====
rpm package versions:
mcrypt 2.6.6-12
libmcrypt 2.5.8-29
nj7:~ # mcrypt --version
Mcrypt v.0.9.9 (i586-suse-linux-gnu)
Linked against libmcrypt v.2.5.8
Copyright (C) 1998-2002 Nikos Mavroyanopoulos (nmav@gnutls.org)
nj7:~ # uncgc
ww0EAwMCl%2FSe%2BbrHfiJgyReoSw9LvcfnEjChZtgZPpTxkZwqZ5fdoA%3D%3D%0D%0A
PÉO-T`+:vp+ªT=ê=<¦d9Yëtîünèpûo1üëS+Y{V,råB)m!p¦\i&}xÜ+äl¬Æª
Aljex
Input file incomplete.
á++:3Eñ-`+CEdIJgäGÑ+-aƒx/Çß+-
nj7:~ #
This is the broken box, now working after downgrading mcrypt and libmcrypt
==== opensuse factory 10.3 with mcrypt from 10.2 ====
rpm package versions:
mcrypt 2.6.4-139
libmcrypt 2.5.7-154
nj7:~ # mcrypt --version
Mcrypt v.0.9.4 (i686-suse-linux-gnu)
Linked against libmcrypt v.2.5.7
Copyright (C) 1998-2002 Nikos Mavroyanopoulos (nmav@gnutls.org)
nj7:~ # cgc
hello
eTwCEC4%3D%0D%0A
nj7:~ # uncgc
eTwCEC4%3D%0D%0A
hello
nj7:~ #
The heart of the problem is:
nj7:~ # echo "hello" |mcrypt -q -a enigma -o scrypt -m stream -b -F -k 00000000
Algorithm enigma is not available in OpenPGP encryption.
cast-128 will be used instead.
5+ö\-H¥`+i¢¦ü
`+++-%"¦++ü+¬¦wönj7:~ # Aljex
-bash: Aljex: command not found
nj7:~ #
Ideally I want to continue to use enigma so that I can have other things
besides mcrypt encrypt and decrypt between each other successfully, but in
theory, this should still have worked as-is. One process used mcrypt to encrypt
something using a certain key, and a few seconds later another process failed
to decrypt the same string, using the same mcrypt binary on the same box using
the same key. The change in algorithm _should_ have been transparent in this
case, so this is two bugs.
1) the loss of enigma
2) failed encrypt/decrypt pair using all same options and key
Also, marking packages as taboo in yast doesn't seem to have any effect.
Since I need to force an old version of mcrypt, I tried to lock them in yast,
but the next time I enter yast, the packages are not flagged as taboo and
selecting all updateable packages includes mcrypt/libmcrypt and updates them
(and so, breaks them).
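
A round-trip self-test for the failure reported above, as an added example that is not part of the original report. `roundtrip_check` is a hypothetical helper name; it assumes a filter that, like crypt(1), decrypts with the same invocation that encrypts, and it is pointed at mcrypt directly because the wrapper's `2>/dev/null` hides the fallback notice.

```shell
#!/bin/sh
# Added example, not the reporter's code.
# Usage: roundtrip_check <filter command and arguments>
# With the flags and sample key shown in the report:
#   roundtrip_check mcrypt -q -a enigma -o scrypt -m stream -b -F -k 00000000
# Returns 0 only if the filter is silent on stderr, exits 0 both times,
# actually transforms its input, and decrypt(encrypt(x)) == x.

roundtrip_check() {
    probe='roundtrip probe 0123456789'   # constructed sample plaintext
    tmp=$(mktemp -d) || return 2

    # Encrypt, then feed the ciphertext back through the same command.
    # Files are used instead of variables so binary output survives intact.
    printf '%s' "$probe" | "$@" >"$tmp/ct" 2>"$tmp/err1"
    rc1=$?
    "$@" <"$tmp/ct" >"$tmp/pt" 2>"$tmp/err2"
    rc2=$?

    status=0
    if [ "$rc1" -ne 0 ] || [ "$rc2" -ne 0 ]; then
        echo "roundtrip_check: filter exited non-zero ($rc1/$rc2)" >&2
        status=1
    elif [ -s "$tmp/err1" ] || [ -s "$tmp/err2" ]; then
        # Catches notices such as "Algorithm enigma is not available ..."
        echo "roundtrip_check: filter printed diagnostics:" >&2
        cat "$tmp/err1" "$tmp/err2" >&2
        status=1
    elif [ "$(cat "$tmp/pt")" != "$probe" ]; then
        echo "roundtrip_check: decrypt(encrypt(x)) != x" >&2
        status=1
    elif cmp -s "$tmp/ct" "$tmp/pt"; then
        echo "roundtrip_check: output equals input, nothing was encrypted" >&2
        status=1
    fi

    rm -rf "$tmp"
    return "$status"
}
```

Run after any mcrypt/libmcrypt package change and before cgc/uncgc are put back into service; a non-zero return means the pair can no longer be trusted to decrypt its own output.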