lenc 1.1.3 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b4b56f1960462bf9fd9382ff2059182a881e51dd
-  data.tar.gz: 0cb704fcc7bda5e7a326202be609027d1cb7edfa
+  metadata.gz: 81e06c0955051deca4de3a4687debbed0d38ab2e
+  data.tar.gz: 38b7cf28b8c71b99711d440a27dc7535fc82ed02
 SHA512:
-  metadata.gz: 41948757b4d963f3b7cc23f6c8292e8ce51b918b2f1860087cb34c3d95765f6b82900fee46c47adb399b01cb6050a09761c6d56caf3c921badbb542263f45a1a
-  data.tar.gz: da5a5af9488d3901d29b71c29556df4c343f0dfa82c882556dad404ef24148e593e046d022604abef1cb2b4859c832fa49b41695d1d20fbb4e49bcf7fb3ad038
+  metadata.gz: be50fb30cf452036677c901f05c5eaa81db9fcc6b071a2029ec87f11b4c89d9f9ff39606e97ec428720e304a2a02188253abadeea8db67cc9363ddfa22377011
+  data.tar.gz: c5e73819b059507bffa9aac25dbb7c22f21a256d278898e1139285627609a80c98b8a7bda407663e8d54c4a8ba2e63a1c0433c0ee8bcb777a966bc17b1ac6024

data/README.md

@@ -5,6 +5,9 @@ Lenc
 LEnc is a Ruby gem that maintains encrypted repositories of files, enabling secure, encrypted
 backups to free cloud services such as Dropbox, Google Drive, and Microsoft SkyDrive.
 
+It can also encrypt or decrypt directory trees 'in place', so that the original files are
+overwritten by their encrypted versions.
+
 Written by Jeff Sember, March 2013.
 
 [Source code documentation can be found here.](http://rubydoc.info/gems/lenc/frames)
@@ -23,8 +26,8 @@ is named "__lenc_repo__.txt").
 versions of all the files found in the <source> directory.  This directory
 is usually mapped to a cloud service (e.g., Dropbox), or perhaps to a thumb drive.
 		
-		NOTE:  THE <encrypted> DIRECTORY IS MANAGED BY THE PROGRAM!  
-		ANY FILES WRITTEN TO THIS DIRECTORY BY THE USER MAY BE DELETED.
+	NOTE:  THE <encrypted> DIRECTORY IS MANAGED BY THE PROGRAM!  
+	ANY FILES WRITTEN TO THIS DIRECTORY BY THE USER MAY BE DELETED.
 
 * A \<recover\> directory.  The program can recover a set of encrypted files here.
 For safety, the this directory must not lie within an existing repository.
@@ -38,16 +41,16 @@ The program can be asked to perform one of the following tasks:
 __Setting up a repository.__  Select a directory you wish to be the \<source\> 
 directory, and make it the current directory.  Type:
     
-		lencrypt -i KEY ENCDIR
+	lencrypt -i ENCDIR
     
-with KEY a set of characters (8 to 56 letters) to be used as the encryption key,
+with KEY a set of characters (up to 56 letters) to be used as the encryption key,
 and ENCDIR the name of the \<encrypted\> directory (it must not already exist, and
 it cannot lie within the current directory's tree).
  
 
 __Updating a repository.__ From within a \<source\> directory tree, type:
 
-		lencrypt
+	lencrypt
     
 You will be prompted for the encryption key, and then the program will examine 
 which files within the \<source\> directory have been changed (since the repository 
@@ -56,17 +59,44 @@ was created or last updated), and re-encrypt these into the \<encrypted\> direct
 
 __Recovering encrypted files.__  Type:
 
-		lencrypt -r KEY ENCDIR RECDIR
+	lencrypt -r ENCDIR RECDIR
     
-with KEY the key associated with a repository whose encrypted files are stored in ENCDIR.
+where ENCDIR contains an encrypted repository's files.
 The recovered files will be stored in RECDIR.
 
-
 Additional options can be found by typing:
 
-		lencrypt -h
-    
+	lencrypt -h
     
+Encrypting files 'in place'
+----------------
+In addition to maintaining encrypted repositories, the gem can also encrypt (and decrypt)
+files 'in place', in effect replacing the files with their encrypted counterparts.  To encrypt
+a particular directory's contents (and all of its subdirectories), from that directory, type:
+
+	encr -i
+
+This marks the directory as the root of an 'in place' repository (by writing a small configuration file).
+You will be prompted for an encryption password.
+
+Once such a repository has been defined, the files can be encrypted. From the repository directory (or
+any of its subdirectories), type:
+
+	encr 
+
+After you enter a password, the program will encrypt all the files (or at least those not marked for
+skipping within a .lencignore file).  If you create any new unencrypted files, you can
+repeat this command to encrypt them.
+
+To decrypt the repository's contents, type:
+
+	encr -d
+
+It is very important to remember the encryption password, since it is NOT stored anywhere by the
+program.  By design, you must enter the correct password twice before any files are encrypted: once when the
+repository is initialized, and again when the actual encryption is to take place.
+
+   
 Ignore files
 ----------------
 If desired, you can avoid storing selected files in the encryption repository.  

data/bin/encr

@@ -0,0 +1,5 @@
+#!/usr/local/bin/ruby
+
+require 'lenc'
+
+EncrApp.new().run(ARGV)

data/lib/lenc.rb

@@ -1 +1,2 @@
 require 'lenc/lencrypt'
+require 'lenc/encr'

data/lib/lenc/aes.rb

@@ -142,7 +142,8 @@ module RepoInternal
       
 =end
   class MyAES 
-    
+    attr_accessor :prefix_mode
+
     private
     
     # decryptState values
@@ -153,6 +154,7 @@ module RepoInternal
     # to help generate unique nonces (in conjunction with system clock)
     @@nonceHelper = 0
       
+    
     # Construct a MyAES object to encrypt/decrypt a sequence of bytes.
     # @param encrypting true for encryption, false for decryption
     # @param key   a bytearray of 4..56 bytes
@@ -179,7 +181,7 @@ module RepoInternal
       key = bytes_to_str(key)
         
       if key.size < 4 || key.size > 56
-          raise ArgumentError, 'Key length not 4..56 bytes' 
+          raise ArgumentError, "Key length ##{key.size} not 4..56 bytes" 
       end
         
       # expand the key to be at least 32 bytes
@@ -304,28 +306,37 @@ module RepoInternal
           raise LEnc::DecryptionError, "header doesn't verify"
         end
           
-        nPadBytes = newData[CHUNK_VERIFY_SIZE].ord  
-        actualEnd = csize - nPadBytes
-        if nPadBytes > 16 or actualEnd < CHUNK_HEADER_SIZE 
-          raise LEnc::DecryptionError, "nPadBytes/actualEnd mismatch"
-        end  
-        
+        # If we're in prefix mode, we're only interested in whether
+        # the chunk start matches the verification string above; we 
+        # don't actually produce any decoded data (partly because we
+        # do not really know how many padding bytes there are in the
+        # decryption stream)
         
+        if !prefix_mode
+
+          nPadBytes = newData[CHUNK_VERIFY_SIZE].ord
+          actualEnd = csize - nPadBytes
+          if nPadBytes > 16 or actualEnd < CHUNK_HEADER_SIZE
+            raise LEnc::DecryptionError, "nPadBytes/actualEnd mismatch"
+          end
 
-        # Verify that the padding bytes have correct values
-        (actualEnd...csize).each do |i|
-          if newData[i] != PAD_CHAR
-            raise LEnc::DecryptionError,"padding char bad value"
+          # Verify that the padding bytes have correct values
+          (actualEnd...csize).each do |i|
+            if newData[i] != PAD_CHAR
+              raise LEnc::DecryptionError,"padding char bad value"
+            end
           end
+
+          newData = newData[CHUNK_HEADER_SIZE ... actualEnd]
+
+          @inputBuffer.slice!(0,csize)
+          @outputBuffer  << newData
+
         end
-          
-        newData = newData[CHUNK_HEADER_SIZE ... actualEnd]
-          
-        @decryptState = DS_WAITCHUNK
-          
-        @inputBuffer.slice!(0,csize)
-        @outputBuffer  << newData
         
+        @decryptState = DS_WAITCHUNK
+  
+
       end
       
       incrNonce()
@@ -427,26 +438,43 @@ module RepoInternal
     # Returns true iff the start of the string seems to decrypt correctly
     # for the given password
     def self.is_string_encrypted(key, test_str) 
-      db = warndb 0
+      db = warndb  0
       
-      !db || hex_dump(test_str, "areBytesEncrypted?")
+      !db || hex_dump(test_str, "is_string_encrypted?")
       
       simple_str(test_str)
       
       lnth = test_str.size
       lnth -= NONCE_SIZE_SMALL
-      if lnth < AES_BLOCK_SIZE 
-        !db || pr("  insufficient # bytes\n")
+      if lnth < AES_BLOCK_SIZE || lnth % AES_BLOCK_SIZE != 0
+        !db || pr("  bad # bytes\n")
         return false
       end
       
+      hdr_size = AES_BLOCK_SIZE
+      
+      # This method is failing, I suspect because with the mode of AES we're using (CRC?) we can't
+      # decrypt only a single block, and must instead decrypt a complete chunk.
+      
+      # No, now I think it's interpreting a bad 'padding' value (due to only decrypting partially)
+      # as indication of bad decryption
+      
+      if false
+        warn("using full chunk size")
+        hdr_size = [lnth,CHUNK_SIZE_ENCR].min
+      end
+      
       begin
-          de = MyAES.new(false, key)    
-          de.finish(test_str[0...AES_BLOCK_SIZE + NONCE_SIZE_SMALL])
-          decr = de.flush()
-          !db || hex_dump(decr,"decrypted successfully")
-      rescue LEnc::DecryptionError
-        !db || pr(" (caught DecryptionError)\n")
+          de = MyAES.new(false, key)  
+          
+          # Put this decryptor into prefix mode, so that we are only interested
+          # in whether the header verifies correctly
+          de.prefix_mode = true
+               
+          de.finish(test_str[0...hdr_size + NONCE_SIZE_SMALL])
+          de.flush()
+      rescue LEnc::DecryptionError => e
+        !db || pr(" (caught DecryptionError #{e})\n")
         return false
       end
         
@@ -460,20 +488,34 @@ module RepoInternal
     # for the given password, and the file is of the expected length.
     def self.is_file_encrypted(key, path) 
       
+      db = warndb 0
+      
+      !db || pr("is_file_encrypted '#{path}'?\n")
     #    key = str_to_bytes(key)
       
       if not File.file?(path) 
+        !db || pr(" not a file\n")
         return false
       end
       
       lnth = File.size(path)
       minSize = NONCE_SIZE_SMALL + AES_BLOCK_SIZE
-      if lnth < minSize or ((lnth - minSize) % _AES_BLOCK_SIZE) != 0
+      !db || pr(" file size=#{lnth}, minSize=#{minSize}\n")
+      if lnth < minSize or ((lnth - minSize) % AES_BLOCK_SIZE) != 0
+        !db || pr(" length not appropriate\n")
         return false
       end
       
+      if false
+        warn("using full size of file")
+        minSize = lnth
+      end
+      
       f = File.open(path,"rb")
-      return is_string_encrypted(key, f.read(minSize))
+      s = f.read(minSize)
+      ret = is_string_encrypted(key, s)
+      !db || pr(" is_string_encrypted returning #{ret}\n")
+      ret
     end
   
   
@@ -485,35 +527,68 @@ end # module RepoInternal
 if main? __FILE__
   
   s = ''
-  16.times {|x| s << (65+x).chr}
-    
+  17.times {|x| s << (65+x).chr}
+  s *= 8 
 
   nonce  = "abc" * 20
   nonce  = nonce[0...16]
   key = "onefishtwofishredfishbluefish" * 3
   key = key[0...32]
   
-  hex_dump(key,"key")
-  hex_dump(nonce,"nonce")
   
-  aes = OpenSSL::Cipher.new("AES-256-CBC")
-      
-  aes.padding = 0
-  aes.encrypt
-  aes.key = key
-        
-  aes.iv = nonce
-        
-  enc = aes.update(s)
-  enc << aes.final
-        
-  hex_dump(s,"calling aes.encrypt with")
-  hex_dump(enc,"aes.encrypt returned")
+  if false # this seems to work, disable for now
+    hex_dump(key,"key")
+    hex_dump(nonce,"nonce")
+
+    aes = OpenSSL::Cipher.new("AES-256-CBC")
+
+    aes.padding = 0
+    aes.encrypt
+    aes.key = key
+
+    aes.iv = nonce
 
-  s = enc
+    enc = aes.update(s)
+    enc << aes.final
+
+    hex_dump(s,"calling aes.encrypt with")
+    hex_dump(enc,"aes.encrypt returned")
+
+    s = enc
+
+    require 'base64'
+    s = Base64.urlsafe_encode64(s)
+    hex_dump(s,"base64")
+
+    # Verify that we don't need every block to verify encryption
+    aes = OpenSSL::Cipher.new("AES-256-CBC")
+    aes.padding = 0
+    aes.decrypt
+    aes.key = key
+    aes.iv = nonce
+
+    dec = aes.update(enc[0...16])
+    dec << aes.final
+
+    hex_dump(dec,"decrypted")
+  end
+
+  include RepoInternal
+  
+  aes = MyAES.new(true, key, nonce)
+  
+  aes.finish(s)
+  enc = aes.flush()
+  
+  hex_dump(enc,"encrypted")
+  
+  aes = MyAES.new(false, key)
+  aes.finish(enc)
+  dec = aes.flush()
+  hex_dump(dec,"decrypted")
+  
+  isenc = MyAES.is_string_encrypted(key, enc)
+  pr("is encrypted= #{isenc}\n")
   
-  require 'base64'
-  s = Base64.urlsafe_encode64(s)
-  hex_dump(s,"base64")
 
 end

data/lib/lenc/encr.rb

@@ -0,0 +1,64 @@
+require_relative 'repo'
+
+class EncrApp
+  include LEnc
+  
+  def run(argv = ARGV) 
+     
+    req 'trollop'
+    p = Trollop::Parser.new do
+        opt :init, "create new singular repository"  
+        opt :orignames, "(with --init) leave filenames unencrypted"
+        opt :encrypt, "encrypt files (default operation)"
+        opt :decrypt, "decrypt files"
+        opt :key, "encryption key", :type => :string  
+        opt :verbose,"verbose operation"
+        opt :where, "specify source directory (default = current directory)", :type => :strings
+        opt :quiet, "quiet operation"
+    end
+    
+    options = Trollop::with_standard_exception_handling p do
+      p.parse argv
+    end
+    
+    v = 0
+    v = -1 if options[:quiet]
+    v = 1  if options[:verbose]
+    
+    nOpt = 0
+    nOpt += 1 if options[:init]
+    nOpt += 1 if options[:encrypt]
+    nOpt += 1 if options[:decrypt]
+            
+    p.die("Only one operation can be performed at a time.",nil) if nOpt > 1
+  
+    r = Repo.new(:dryrun => options[:dryrun], :verbosity => v)
+    
+    key = options[:key]
+      
+    begin
+      
+      if options[:init]
+        r.create(options[:where], key, nil, options[:orignames])
+      elsif options[:decrypt]
+        r.open(options[:where],key)
+        r.perform_decrypt
+      else
+        r.open(options[:where],key)
+        r.perform_encrypt
+      end
+
+      r.close()
+    rescue Exception =>e
+      puts("\nProblem encountered: #{e.message}")
+    end
+
+  end
+end
+
+if __FILE__ == $0
+  args = ARGV
+  
+  EncrApp.new().run(args)
+end
+  

data/lib/lenc/lencrypt.rb

@@ -1,21 +1,17 @@
 require_relative 'repo'
 
-# The application script (i.e., the 'main program')
-#
 class LEncApp
   include LEnc
   
   def run(argv = ARGV) 
-     
+      
     req 'trollop'
     p = Trollop::Parser.new do
-        opt :init, "create new encryption repository: KEY ENCDIR ", :type => :strings
+        opt :init, "create new encryption repository: ENCDIR ", :type => :string
+        opt :key, "encryption key", :type => :string  
         opt :orignames, "(with --init) leave filenames unencrypted"
-        opt :storekey, "(with --init) store the key within the repository configuration file so it" \
-              " need not be entered with every update"
-        opt :update, "update encrypted repository (default operation): KEY", :default => ""
-        #opt :updatepwd, "specify key for update: KEY", :type => :string
-        opt :recover, "recover files from an encrypted repository: KEY ENCDIR RECDIR", :type => :strings
+        opt :update, "update encrypted repository (default operation)"  
+        opt :recover, "recover files from an encrypted repository: ENCDIR RECDIR", :type => :strings
         opt :where, "specify source directory (default = current directory)", :type => :string
         opt :verbose,"verbose operation"
         opt :quiet, "quiet operation"
@@ -34,12 +30,9 @@ class LEncApp
     v = -1 if options[:quiet]
     v = 1  if options[:verbose]
     
-    update_pwd = options[:update]
-    update_pwd = nil if update_pwd.size == 0
-    
     nOpt = 0
     nOpt += 1 if options[:init]
-    nOpt += 1 if update_pwd  
+    nOpt += 1 if options[:update]
     nOpt += 1 if options[:recover]
             
     #pr("trollop opts = %s\n",d2(options))
@@ -52,20 +45,20 @@ class LEncApp
     begin
 
       if (a = options[:init])
-        p.die("Expecting: KEY ENCDIR",nil) if a.size != 2
-        pwd,encDir = a
-        r.create(options[:where], pwd, encDir, options[:orignames], options[:storekey])
+        encDir = a  
+        r.create(options[:where], options[:key], encDir, options[:orignames])
       elsif (a = options[:recover])
-        p.Trollop::die("Expecting: KEY ENCDIR RECDIR",nil) if a.size != 3
-        r.perform_recovery(a[0],a[1],a[2])
+        p.die("Expecting: ENCDIR RECDIR",nil) if a.size != 2
+        r.perform_recovery(options[:key],a[0],a[1])
       else
-        r.open(options[:where],update_pwd)
-        r.perform_update(options[:verifyenc])
+        r.open(options[:where],options[:key])
+        r.perform_encrypt()
       end
 
       r.close()
     rescue Exception =>e
       puts("\nProblem encountered: #{e.message}")
+      puts e.backtrace
     end
 
   end
@@ -74,7 +67,6 @@ end
 if __FILE__ == $0
   args = ARGV
   
-  
   LEncApp.new().run(args)
 end