Discussion:
How encrypt data/text stream instead of a file?
don rhummy
2008-12-18 06:14:19 UTC
All the examples of using GnuPG are of giving it a local filename to encrypt or decrypt. How do I pass it data, either as a stream or byte by byte?
Robert J. Hansen
2008-12-18 12:36:28 UTC
Post by don rhummy
How do I pass it data, either as a stream or byte by byte?
Painfully. While technically possible, it is almost certainly a better
idea to use some other technology.
David Shaw
2008-12-18 15:52:44 UTC
Post by don rhummy
All the examples of using GnuPG are of giving it a local filename to
encrypt or decrypt. How do I pass it data, either as a stream or
byte by byte?
GnuPG is designed to be able to accept a stream or a file. To do a
stream instead of a file, just don't give a filename. GnuPG will then
read data from standard input.

So, for example:

my-pipeline-that-streams-data | gpg --encrypt | my-pipeline-that-accepts-encrypted-data

You can freely mix streams and files as well:

my-pipeline-that-streams-data | gpg -o output-file.gpg --encrypt

Or

gpg -o - --encrypt myfile | my-pipeline-that-accepts-encrypted-data

Anyway, that's how you do it on the command line. If you want to do
it inside a program, it depends on what language you're using and how
that language deals with calling out to a command line. In general,
though, you want to write data to the head of the GPG pipe, and read
data from the tail of the GPG pipe. I do this frequently in C via the
usual pipe/fork/exec/dup2 method.

David
Robert J. Hansen
2008-12-18 17:40:41 UTC
Post by David Shaw
GnuPG is designed to be able to accept a stream or a file.
My bad. I was reading that as the OP needed GnuPG to function as a
stream cipher.
don rhummy
2008-12-18 17:49:41 UTC
OK, so I need to put the data into the out stream. Can you give some sample code from C doing this? I'm not 100% clear on the order, etc of calling gpg and sending the data to "out." Thanks!
David Shaw
2008-12-18 18:01:48 UTC
Post by don rhummy
OK, so I need to put the data into the out stream. Can you give some sample code from C doing this? I'm not 100% clear on the order, etc of calling gpg and sending the data to "out." Thanks!
I don't want to do a full pipe/fork/exec/dup2 tutorial here (it's the
GnuPG list after all), but read this:

http://www.cs.uleth.ca/~holzmann/C/system/pipeforkexec.html

Or try "popen" (and add some error checking):

FILE *my_gpg_stream;

my_gpg_stream=popen("gpg -o - -r whoever -e the-file-to-encrypt ..etc...","r");

(now read from "my_gpg_stream" until you see EOF).

pclose(my_gpg_stream);

David
Werner Koch
2008-12-19 11:03:48 UTC
Post by David Shaw
my_gpg_stream=popen("gpg -o - -r whoever -e the-file-to-encrypt ..etc...","r");
We all know that but anyway:

Please make 100% sure that you don't insert any data (filenames, user
IDs, etc) you received from a user into the command line passed to
popen.

popen uses the shell to execute gpg and thus all kinds of shell quoting
tricks can be used to take over the system. If you really need to
insert data received from the user, screen the data against a list of
innocent characters (i.e. "[a-zA-Z0-9_.-]") and reject it if you notice
any other character.


Salam-Shalom,

Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
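
The pipe/fork/exec/dup2 method David mentions, combined with Werner's character screen, as an added example that is not code from this thread. The names run_filter, is_innocent and gpg_encrypt are hypothetical, and the separate writer process is an addition that lets the parent read the tail of the pipe while the head is still being fed.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Werner's screen: accept only [a-zA-Z0-9_.-], reject anything else. */
int is_innocent(const char *s) {
    return *s != '\0' && s[strspn(s, "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-")] == '\0';
}

/* Write `in` to the head of the pipe and read the tail into `out`, with no shell.
 * Returns the byte count, or -1 (fork/exec error, non-zero exit, `out` filled). */
ssize_t run_filter(char *const argv[], const char *in, size_t in_len,
                   char *out, size_t out_cap) {
    int head[2], tail[2], status = 0;
    size_t total = 0; ssize_t n;
    if (pipe(head) < 0) return -1;
    if (pipe(tail) < 0) { close(head[0]); close(head[1]); return -1; }
    pid_t filter = fork();
    if (filter == 0) {                  /* child 1 becomes the filter (gpg) */
        dup2(head[0], STDIN_FILENO);
        dup2(tail[1], STDOUT_FILENO);
        close(head[0]); close(head[1]); close(tail[0]); close(tail[1]);
        execvp(argv[0], argv);          /* argv is passed as-is, never parsed by sh */
        _exit(127);                     /* exec failed */
    }
    pid_t writer = filter > 0 ? fork() : -1;
    if (writer == 0) {  /* child 2 feeds the head while the parent drains the tail */
        close(head[0]); close(tail[0]); close(tail[1]);
        while (in_len > 0 && (n = write(head[1], in, in_len)) > 0)
            in += n, in_len -= (size_t)n;
        _exit(in_len != 0);
    }
    close(head[0]); close(head[1]); close(tail[1]);
    while (total < out_cap && (n = read(tail[0], out + total, out_cap - total)) > 0)
        total += (size_t)n;
    close(tail[0]);
    if (writer > 0) waitpid(writer, NULL, 0);
    if (filter > 0) waitpid(filter, &status, 0);
    return (filter > 0 && writer > 0 && total < out_cap && WIFEXITED(status)
            && WEXITSTATUS(status) == 0) ? (ssize_t)total : -1;
}

/* The thread's command (gpg -o - -r whoever -e) as an argv vector. */
ssize_t gpg_encrypt(const char *rcpt, const char *in, size_t in_len,
                    char *out, size_t out_cap) {
    char *argv[] = { "gpg", "-o", "-", "-r", (char *)rcpt, "-e", NULL };
    return is_innocent(rcpt) ? run_filter(argv, in, in_len, out, out_cap) : -1;
}
```

Werner's character list contains no '@', so gpg_encrypt as written accepts key IDs or fingerprints but rejects e-mail addresses as recipients.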