legally circumvent the Sept 1,94 Legal Kludge, Program Part 000
-----BEGIN PGP SIGNED MESSAGE-----

released to the public domain.

The legal kludge makes output from PGP 2.6 from an Eastern University incompatible with earlier versions after Sept 1 1994.

A Usenet article has documented a discovery by Paul Elliott that the pgp 2.6 legal kludge can be disabled by invoking it with the following parameters:

pgp +CERT_DEPTH=0 +LEGAL_KLUDGE=OFF +CERT_DEPTH=real_desired_value others

This program invokes pgp with the above parameters. "real_desired_value" is taken from the CONFIG.TXT file. This will cause the legal kludge that makes PGP from an Eastern University incompatible with earlier versions of PGP to be turned off. This program does not address the incompatible signature format problem.

This does not modify the code or the executable of PGP in any way. It simply invokes it with unusual parameters. Therefore it should be legal.

The program searches your config.txt file for the default value of CERT_DEPTH. It will run slightly faster if this variable is at the top of that file.

The program to be invoked may be controlled by the environment variable "PGPEU". EU stands for Eastern university. This variable may specify the file name or a complete path. If this variable is undefined, the program indicated by the hard coded string "PGPEXE" will be invoked. This string may be defined with a -DPGPEXE= flag at compile time.

By default (that is if PGPEU is undefined) PGPNOKLG.EXE will search your path for a program called "PGP.EXE". Thus the command:

PGPNOKLG -e file

will call PGP 2.6 in a way so that the result will be compatible with earlier versions of PGP.

The program PGPNOKLX.EXE invokes (by default) a program called "PGP26.EXE". So you could take the original program "PGP.EXE" from an Eastern University and rename it to "PGP26.EXE" somewhere in your path. You could then rename "PGPNOKLX.EXE" to "PGP.EXE". Then when PGP is invoked normally it will really be PGPNOKLX which will invoke the original pgp (AS PGP26) in a way that output will be compatible with earlier versions. Thus scripts, shells and mail programs that are designed to invoke pgp could continue to work, but in a way that the output is compatible with earlier versions of PGP.

This program has been ported to MSDOS and OS/2. Somebody please port to all other platforms.

I have posted a zip file which contains source, makefiles and binaries as a pgp signed binary, in 3 posts.

The following is the source for the programs pgpnoklg and pgpnoklx.

- ----------------------------------------------------------------------
/*
Released to public domain!
works dos os/2, please port to all other platforms

It has been recently discovered by paul elliott that the PGP26
(eastern University) legal kludge can be disabled by invoking
pgp with the following parameters:

pgp +CERT_DEPTH=0 +LEGAL_KLUDGE=OFF +CERT_DEPTH=real_desired_value others

This program invokes pgp with the above parameters.
"real_desired_value" is taken from the CONFIG.TXT file.
This will cause the legal kludge that makes PGP from an Eastern
University incompatible with earlier versions of PGP be turned off.
This program does not address the incompatible signature format problem.

The program to be invoked may be controlled by the environment
variable "PGPEU". EU stands for Eastern university. this variable
may specify the file name or a complete path. If this variable
is undefined, the program indicated by the hard coded string
"PGPEXE" will be invoked. this string may be defined with a
-DPGPEXE= flag at compile time.

The program searches your config.txt file for the default value
of CERT_DEPTH. It will run slightly faster if this variable is at
the top of the file.

developed for borland c++ compilers for msdos and os2
to compile
bcc pgpknolg.cpp
*/

// necessary include files.
#include <stdlib.h>
#include <string.h>
#include <dir.h>
#include <iostream.h>
#include <fstream.h>
#include <strstrea.h>
#include <iomanip.h>
#include <process.h>

// define executable path to invoke pgp.
#ifndef PGPEXE
#define PGPEXE "pgp"
#endif

#if defined(__OS2__) || defined(__MSDOS__)
#define SEP '\\'
#define SEPSTR "\\"
#else
#define SEP '/'
#define SEPSTR "/"
#endif

int main(int argc,char *argv[])
{
    // path to invoke pgp.
    char pgpexe[MAXPATH];

    // if environment variable PGPEU is defined use it
    // as the program to invoke as pgp!
    // the copy is bounded so an over-long PGPEU cannot overflow pgpexe.
    char * pgpeust=getenv("PGPEU");
    *pgpexe=0;
    if (pgpeust) strncat(pgpexe,pgpeust,sizeof(pgpexe)-1);

    // If no such environment variable use hard coded PGPEXE macro!
    if (*pgpexe == 0 ) strncat(pgpexe,PGPEXE,sizeof(pgpexe)-1);

    char path[MAXPATH];
    // get the path where the config.txt file is supposed to be.
    // PGPPATH may be undefined (getenv returns NULL); the current
    // directory is used then. the copy leaves room for the separator
    // and "CONFIG.TXT".
    char * pgppath=getenv("PGPPATH");
    *path=0;
    if (pgppath) strncat(path,pgppath,sizeof(path)-12);
    // and get its length
    int len=strlen(path);

#if defined(__OS2__) || defined(__MSDOS__)
    // convert all '/' to backslashes for dos os/2
    char *w;
    for(w=path;*w;w++) if(*w=='/') *w=SEP;
#endif

    // if there are some chars and last one is not \ then add one.
    if (len)
    {
        if ( path[len-1] != SEP ) strcat(path,SEPSTR);
    };
    // add the filespec.
    strcat(path,"CONFIG.TXT");

    // default value if can not get from config.txt file
    // this is the value in the pgp26 executable
    int cert_depth=4;

    // parse the config file for the value of CERT_DEPTH
    {
        // open the file
        ifstream config(path);
        if ( config.good() )
        {
            char buf[512];
            // read a line at a time till eof; testing the result of
            // getline also stops on a read error or an over-long line
            // instead of looping forever.
            while( config.getline(buf,sizeof(buf)) )
            {
                // if not commented.
                if ( *buf != '#' )
                {
                    istrstream line(buf);
                    char field[80],equ[80];
                    int depth;
                    // parse line to first field equal char and value
                    // setw keeps each token inside its buffer.
                    line >> setw(sizeof(field)) >> field
                         >> setw(sizeof(equ)) >> equ >> depth;
                    if ( line)
                    {
                        // upcase the field
                        strupr(field);
                        // if we have a "CERT_DEPTH=val" LINE
                        if ( (strcmp(field,"CERT_DEPTH") == 0) &&
                             (strcmp(equ ,"=") == 0 ) )
                        {
                            // save stored depth
                            cert_depth =depth;
                            // abort search of rest of file
                            // this program will go faster if CERT_DEPTH is
                            // at top of file!
                            break;
                        }
                    }
                }
            }
        }
    }

    // create a parameter string of the form "CERT_DEPTH=val"
    // where val was found in the config.txt file!
    // 32 bytes hold the prefix, any int and the terminator.
    char reset_par[32];
    {
        ostrstream reset_file(reset_par,sizeof(reset_par));
        reset_file << "+CERT_DEPTH=" << cert_depth << ends;
    }

    typedef char * string;
    // list of arguments!
    string list[200];

    // leading arguments
    int out_idx = 0;

    // name of program
    list[out_idx++] = "PGP.EXE";

    // we do this to set the variable "value" in pgp 2.6 to =0
    // the value of CERT_DEPTH is not really needed to be 0
    list[out_idx++] = "+CERT_DEPTH=0";

    // this will set pgp variable "legal_kludge" =value=0
    // works because value is zero because of above.
    list[out_idx++] = "+LEGAL_KLUDGE=OFF";

    // set value of CERT_DEPTH back to its proper value.
    list[out_idx++] = reset_par;

    // add all the rest of the parameters from the command line!
    // stop before the end of list[] so the terminator always fits.
    for( argc--, argv++; argc && out_idx < 199; argc--,argv++,out_idx++)
        list[out_idx] = *argv;

    // terminate the line!
    list[out_idx]=NULL;

    // replace the current program with an execvp call
    // never returns from execvp
    return execvp(pgpexe,list);
}

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAgUBLi2sYw2Gnhl89QSNAQFAGwQAsYh2fCaK9y9ssONU6k9VMDKQLmc5Qz9L
7FdNOl3Qj5Kd7mudMLU/e0tsSPL9Sr4i629bKVFOlFXUXloYn5xRBsz+Ura4pgZD
X2H5bzMAldrwdSN0zfjYX6G8NnvkcpXAZ0BFqw7tBWsflSx3wOjOXLxRDrfKvVvC
DNx7M3uD3vg=
=xdD6
-----END PGP SIGNATURE-----
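The comments in the posted source explain the trick as a leftover: +CERT_DEPTH=0 leaves PGP's internal "value" at zero and +LEGAL_KLUDGE=OFF then stores it. The C model below is an added example, not part of the original post and not PGP's code; parse_weak, parse_strict, the nonzero starting value and the 0..8 depth range are assumptions, used to show that kind of stale parser state beside a parser that avoids it.

```c
/* Added example: toy model of a parser with shared scratch state.
 * Not PGP source; names, defaults and parse rules are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct settings { int cert_depth; int legal_kludge; };

/* Weak model: one scratch variable is shared by every option on the line. */
void parse_weak(struct settings *s, int argc, const char **argv)
{
    int value = 1;                      /* assumed nonzero leftover */
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "+CERT_DEPTH=", 12) == 0) {
            value = atoi(argv[i] + 12); /* numeric option refreshes value */
            s->cert_depth = value;
        } else if (strncmp(argv[i], "+LEGAL_KLUDGE=", 14) == 0) {
            /* Assumed flaw: own argument never parsed, stale value stored. */
            s->legal_kludge = value;
        }
    }
}

/* Hardened model: every option parses its own argument into a local,
 * and the locked option is refused. Returns -1 without touching *s. */
int parse_strict(struct settings *s, int argc, const char **argv)
{
    struct settings tmp = *s;
    for (int i = 0; i < argc; i++) {
        char *end;
        if (strncmp(argv[i], "+CERT_DEPTH=", 12) != 0)
            return -1;                  /* includes +LEGAL_KLUDGE=... */
        long depth = strtol(argv[i] + 12, &end, 10);
        if (end == argv[i] + 12 || *end != '\0' || depth < 0 || depth > 8)
            return -1;                  /* 0..8 is an assumed valid range */
        tmp.cert_depth = (int)depth;
    }
    *s = tmp;
    return 0;
}

int main(void)
{
    const char *trick[] = { "+CERT_DEPTH=0", "+LEGAL_KLUDGE=OFF", "+CERT_DEPTH=4" };
    struct settings weak = { 4, 1 }, strict = { 4, 1 };
    parse_weak(&weak, 3, trick);
    int rc = parse_strict(&strict, 3, trick);
    printf("weak kludge=%d, strict rc=%d kludge=%d\n", weak.legal_kludge, rc, strict.legal_kludge);
    return 0;
}
```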
One thing I haven't understood with this "LEGAL_KLUDGE" business, where the command line is kind of cumbersome. Can't you get the same effect by setting the parameters in the config.txt file? If so you just add two lines and forget it. I haven't looked at PGP 2.6 so I don't know why this wouldn't work. It would certainly seem to simplify things.

Hal
[Much deleted...]

I was fortunate to talk with Phil about the legal kludge bug at DefCon II in Las Vegas this past weekend. Basically the point he gave to me about not bothering to bypass it is that it only gives more ammunition to the patent holders. It took quite a bit of time and money to agree upon the RSAREF licensing for PGP 2.6, bypassing the feature because of the bug only recreates more tension for Phil.

In his presentation Saturday morning at the DefCon convention, he said that like all free software, it's pretty much beyond anyone's control to prevent it from getting exported anyways, just like pirated software, and it had unfortunately arrived in Europe already. IMHO, I figure they already got it, what's to stop them from using version 2.6 outside of the U.S.

My main point is to just use 2.6 and let 2.3a use die off since everyone basically already HAS 2.6 inside AND outside of the U.S. and not give the patent holders any more reasons to come down harder on him and cause tighter restraints put on cryptography in general since this has been an obvious example that cryptography software cannot be kept within the U.S. no matter how many precautions they took to not let it get out. He told me that there's nothing wrong with 2.6 and just encouraged me to use 2.6 as it was intended to be used.

After talking with him face to face, seeing the kind of person he is, it sorta opened my eyes. I mean while talking to him about this, I could tell how much he has been through over this, and how he really wishes that every joe blow doesn't come up with "NEW" versions of it. This is just a situation where too many cooks can spoil the soup.

Now I see this message about PGPEU. I know this is probably an open invitation to get flamed but let's give it a break. Yes, PGP is freeware and able to be modified and distributed, but bypassing features requested by the patent holder is only going to cause trouble for such a nice guy like Phil. He did us all a great service by creating a program like PGP, and it cost him a lot. Distribution of modified versions of PGP only puts us back to where we were with 2.3a.

Everything we do affects each other's futures, and I think during the battlecry of "Down with clipper" and modified copies of PGP, some of us tend to forget how this will all affect the person who opened up our eyes and showed us that we did need strong encryption for the average user.

[Please direct all flames to /dev/null]

Thumper (yeah, just Thumper)

=-=-=-=-=-=-=-=-=- GREP THIS NSA! =-=-=-=-=-=-=- thumper@kaiwan.com - PGP NSA ViaCrypt 2600 Phrack EFF #hack LOD/H = Finger for PGP 2.6 Pub Key = 950 FBI MindVox ESN KC NUA QSD Hacker DEFCON - Big Brother *IS* watching! - SprintNet MCI AT&T HoHoCon DNIC TRW CBI 5ESS =
    Date: Sun, 24 Jul 1994 22:34:43 -0700 (PDT)
    From: thumper <thumper@kaiwan.com>

    My main point is to just use 2.6 and let 2.3a use die off since everyone basically already HAS 2.6 inside AND outside of the U.S. . . . .

Is anyone running a remailer that uses a version of PGP that will *NOT* deal with post-July-PGP2.6?

Rick
    From: Rick Busdiecker <rfb@lehman.com>
    Date: Tue, 26 Jul 1994 00:24:56 -0400

    Is anyone running a remailer that uses a version of PGP that will *NOT* deal with post-July-PGP2.6?

Ummm... I guess I meant post-August. Whenever the legal_kludge thingy kicks in.

Rick
participants (4): 0x7CF5048D@nowhere, Hal, Rick Busdiecker, thumper