This source code is free to use, redistribute, and modify for any
purpose, with the only restriction that if you modify anything that
would cripple or weaken it, you either have to say specifically what
the modifications are and what they do, or not associate your work
with this code.  This is only to prevent a version with worse or
intentional problems from being confused with this one.  It uses
libraries which are under different restrictions, so check those terms
as well as your local laws and restrictions.

You will also need the minipgp package which supports PGP 2.6.3 since
lots of things PGP 5.0 does are the same.

These programs aren't designed to replace PGP, but to allow PGP to be
integrated into other programs which use cryptography (e.g. anything
using DH/DSA could use the PGP key rings and servers).  It is also a
very quick hack, so don't expect high quality or robustness.

This code is also a patchwork since I have to use several libraries,
each of which has its own calling conventions - it is mostly glue.

I hope these routines will be integrated into the other libraries as
appropriate, and that each library would eventually support all
functions.  I used SSLeay because I have worked a little more with it
and have some applications that use some things only it has, and it
can be built with RSAref, but Cryptlib probably would have worked and
is where I get RIPEMD.



CAST ENCRYPTION and RIPE-MD160 (which aren't in SSLeay)

These programs also will need a version of CAST to build properly
since that is integrated into PGP5.0 in several places.

SSLeay 0.8.1 has an addition to libeay to support cast in

ftp://ftp.psy.uq.oz.au/pub/Crypto/libeay/

The latest version was libcast-0.8.2b.tar.gz

To use the libraries without that, remove the -DUSECAST section in the
Makefile.

PGP 5.0 also has support for RIPE-MD160.  The routine I use is from
Peter Gutmann's cryptlib 2.00; you only have to make hash/ripemd.o
after doing the configuration for your architecture.

Cryptlib's homepage: http://www.cs.auckland.ac.nz/~pgut001/cryptlib.html

NOTE FOR DEC ALPHA: libcast-0.8.2b isn't set up properly, some
unsigned longs should be unsigned int and ROTL needs a mask.
Also add -D_BIG_WORDS in pgplib.



USAGE NOTES

These also take -i infile and -o outfile options, like minipgp.

./pgp5sign <textfile >sigfile [-k keyid] [-r secring] [-p pp] [-t type]
./pgp5sign >ophdr -1 -t 1 ...

Produce a DSA/SHA signature of textfile, saving the detached signature
into sigfile, using the secret keyring secring (usually secring.skr),
the key with the 8 byte id keyid, and an optional pp (passphrase) to
unlock it.  Use -t 1 for onepass, and 24 for DH subkey.  The -1 writes
the onepass header to stdout.

./pgp5cryp -d cipher.pgp [keyring [pp]]

PGP5 decryption.

./pgp5sign -v <newcomp >oldcomp
./pgp5sign -v -s sigfile <testfile
./pgp5sign -v [pubring] <opsfile >delitfile

The first form converts new (chunk-length) to old style (length of
length) for decompression.  The third does the one pass sig check used
just after decompression and also strips the literal packet wrapper.
The second, with -s sigfile, checks a detached signature.
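
The first form above, as an added C example (not code from this
package): a bounds-checked rewrite of one packet from the new
chunk-length header to an old-style header.  It assumes the two styles
are the new and old packet formats of RFC 4880 section 4.2; the name
new_to_old and the sample packet are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Added example (not from this package): rewrite one new-format OpenPGP packet
 * (RFC 4880 sec. 4.2), body possibly split into partial-length chunks, as an
 * old-format packet with a 4-octet length.  Returns octets written or -1. */
long new_to_old(const unsigned char *in, size_t n, unsigned char *out, size_t cap)
{
    size_t i = 1, o = 5, len, body;
    unsigned tag, b, k, partial;

    if (n < 1 || cap < 5 || (in[0] & 0xC0) != 0xC0) return -1; /* not new format */
    tag = in[0] & 0x3F;
    if (tag > 15) return -1;              /* old format has only a 4-bit tag */
    do {
        if (i >= n) return -1;
        b = in[i++];
        partial = (b >= 224 && b < 255);  /* 224..254: a chunk, more follow */
        if (b < 192) {
            len = b;                                        /* one-octet length */
        } else if (b < 224) {
            if (i >= n) return -1;
            len = ((size_t)(b - 192) << 8) + in[i++] + 192; /* two-octet length */
        } else if (b == 255) {
            if (n - i < 4) return -1;
            len = ((size_t)in[i] << 24) | ((size_t)in[i + 1] << 16)
                | ((size_t)in[i + 2] << 8) | in[i + 3];     /* five-octet length */
            i += 4;
        } else {
            len = (size_t)1 << (b & 0x1F);                  /* power-of-two chunk */
        }
        if (len > n - i || len > cap - o) return -1; /* stay inside both buffers */
        memcpy(out + o, in + i, len);
        i += len; o += len;
    } while (partial);
    body = o - 5;
    if (body > 0xFFFFFFFFUL) return -1;   /* total must fit the 4-octet length */
    out[0] = (unsigned char)(0x80 | (tag << 2) | 2);  /* length type 2 */
    for (k = 0; k < 4; k++) out[1 + k] = (unsigned char)(body >> (24 - 8 * k));
    return (long)o;
}

int main(void)
{
    /* Constructed sample: tag 8, one 2-octet chunk, then 3 final octets. */
    const unsigned char pkt[] = { 0xC8, 0xE1, 'a', 'b', 0x03, 'c', 'd', 'e' };
    unsigned char old[16];
    long r = new_to_old(pkt, sizeof pkt, old, sizeof old);
    printf("%ld octets, header 0x%02X\n", r, r > 0 ? old[0] : 0);
    return r == 10 ? 0 : 1;
}
```

Every length taken from the input is checked against what is left in
both buffers before the copy, so a truncated or lying header returns -1
instead of reading or writing out of bounds.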

./pgp5cryp -d cipher.pgp [-r secring [-p pp]] | \
  ./pgp5sign -v | ../minipgp | ./pgp5sign -v >plain.txt

Decrypt cipher.pgp to plain.txt, using the optional secring and
passphrase.

In all cases, secring and pubring default as per environment or in the
.pgp directory, and use .pkr and .skr extensions.

See the test.sh file for an example of usage and testnp.sh for a test
on systems that don't have PGP.

new5key generates a new public key to pubnew.pkr and a new secret key
to secnew.skr using an existing set of key parameters.  Adding a "-g
numbits" parameter will generate any parameter not found in the
keyring.  Note: you must use at least -g 768 for PGP to work with it,
and the DH size will be the number you specify, and the DSA size
will be 512 (minimum) or half of the DH size up to 1024. With "-G
DSAnumbits", it will force the DSA size, but PGP will not accept DSA
signatures if this is greater than 1024 (See the top of pgpDSAkey.c).
If no -g numbits is specified, the DH key will be twice the size of
the -G value.  The DH generator has been adjusted to avoid an attack
on El Gamal signatures, so it will use a generator of 5.

[DSA and DH only need one integer to be private; the rest are special
primes or other numbers and can be used among a group of people].

The keyids can be dumped with lookup5, which works on both secret and
public keyrings, and can also be used to look up keys, e.g.  ./lookup5
-m prz will find any key with the string "prz".  For batch files,
... -k `./lookup5 -e -m prz` ... will return the hex encryption key to
be entered as a parameter, and -s would return the signing key
instead.  ./lookup5 -r secring.skr -u "user id" -x is used to extract
key material for signing.

Going the other way, use:

./pgp5cryp -l plain.txt <plain.txt | minipgp -z | ./pgp5cryp | \
  ./pgp5cryp -k DHkeyid [-r keyring]

The first pgp5cryp encapsulates the file in a literal packet with the
new format.  minipgp -z does the compression, and the second
./pgp5cryp changes the packet and length bytes to the new style.
pgp5enc -k keyid does the actual encryption.



OTHER NOTES

Both pgp5cryp and pgp5sign have a [-a algorithm] parameter, which is
the numeric representation of the algorithm.  Warning: I don't bounds
check so you will get SIGSEGV if you specify an invalid value.  For
pgp5enc, 1=IDEA, 2=DES, 3=CAST.  For pgp5sign, 1=MD5, 2=SHA, 3=RIPEMD.
The defaults are IDEA and SHA.  pgp5sign also has "-A alg", 1 is for
RSA, 16 is for El Gamal (-A 17 is DSA, the default). pgp5cryp has -A
with 1 doing RSA if it is compiled to do so.

Note: With a weakness reported in El Gamal signatures, I have altered
the generators and the signature checking code to try to avoid this,
but it will create different values or may reject signatures from
PGP-based DH parameters.

pgpv will report a bad signature with anything except SHA, since that
is part of the Digital Signature Standard.  (pgp has a test in
dsaVerify rejecting everything except SHA for the hash algorithm,
otherwise DSA/MD5 or DSA/RIPEMD would work).

I haven't been as careful about wiping memory and preventing memory
leaks and other things to make the code robust.  Nor have I tried to
make any of my code thread safe, since I currently don't have such
applications and would leave that to the experts.

The keyring structure has been complicated further, so I don't do
anything with that internally (but can extract and sign key material
for compatibility).  I assume you can use pgpk, manually examine
the signatures, or be careful what you put on the keyring.

You can undefine -DUSEIDEA to avoid using a patented algorithm, and
RSA support is optional.

