safe-webdrop
diff --git a/‎claes‎
Lines changed: 411 additions & 298 deletions b/‎claes‎
Lines changed: 411 additions & 298 deletions
diff --git a/‎claes.sig‎
0 Bytes b/‎claes.sig‎
0 Bytes
diff --git a/‎clsmime‎
Lines changed: 171 additions & 100 deletions b/‎clsmime‎
Lines changed: 171 additions & 100 deletions
diff --git a/‎clsmime.sig‎
0 Bytes b/‎clsmime.sig‎
0 Bytes
diff --git a/‎man/claes.1‎
Lines changed: 24 additions & 10 deletions b/‎man/claes.1‎
Lines changed: 24 additions & 10 deletions
diff --git a/‎man/clsmime.1‎
Lines changed: 24 additions & 6 deletions b/‎man/clsmime.1‎
Lines changed: 24 additions & 6 deletions
diff --git a/‎pdf/claes-manual.pdf‎
938 Bytes b/‎pdf/claes-manual.pdf‎
938 Bytes
diff --git a/‎pdf/clsmime-manual.pdf‎
397 Bytes b/‎pdf/clsmime-manual.pdf‎
397 Bytes
@@ -1,4 +1,4 @@
-.TH CLAES "1"          "June 2025" "Cryptlib Tools"  "Cryptlib Tools"             CLAES "1"
+.TH CLAES "1"          "August 2025" "Cryptlib Tools"  "Cryptlib Tools"             CLAES "1"
 .SH NAME
 \fBclaes\fR \- conventional encryption tool interoperating with gpg and openssl
 .SH SYNOPSIS
@@ -7,10 +7,10 @@
 .SH DESCRIPTION
 \fBclaes\fR encrypts or decrypts data in OpenPGP format, CMS format and OPENSSL format using files or standard input with a passphrase-based AES cipher.
 If no FILE or "-" is given, data is read from standard input. 
-The size of any input data is limited to 150 MByte.  The default mode of operation is \fBencryption\fR with the ciphertext stored base64-encoded in the OpenPGP format.  To decrypt base64-encoded or binary input data the option "-decrypt" must be used.
+The size of any internal input data is limited to 256 MByte.  The default mode of operation is \fBencryption\fR with the ciphertext stored base64-encoded in the OpenPGP format.  To decrypt base64-encoded or binary input data the option \fB-decrypt\fR must be used.
 
-All input data is processed AS IS and is treated internally as binary data with no changes. For every encryption or decryption a user-provided passphrase is read from the terminal in which claes is run. So claes always works interactively.
-There is deliberately no public-key-cryptography build into claes. If you need those, please use clsmime and clkeys.
+All input data is processed AS IS and is treated internally as binary data with no changes. For every encryption or decryption a user-provided passphrase is read from the terminal in which claes is run. So \fBclaes\fR always works interactively.
+There is deliberately no public-key-cryptography build into claes. If you need those, please use \fBclsmime\fR and \fBclkeys\fR.
 
 .SH OPTIONS
 .PP
@@ -28,14 +28,23 @@ print debugging information to stderr
 produce CMS enveloped and encrypted data instead of OpenPGP (default)
 .TP
 \fB\-openssl\fR    
-produce encrypted data using pbkdf2 in openssl format
+produce encrypted data in openssl format using pbkdf2 for passphrase mangling
 .TP
 \fB\-128\fR        
-forces the use of 128 bit AES keys in conjunction with -openssl\br
-(256 bits is the default)
+forces the use of 128 bit AES keys in conjunction with -openssl
+.br
+(AES 256 bits is the default)
 .TP
 \fB\-decrypt\fR    
 decrypts an encrypted message (default is encrypt)
+.br
+If data is compressed it will be de-compressed automatically
+.TP
+\fB\-binary\fR    
+uses binary data both for input and output
+.TP
+\fB\-compress\fR    
+forces compression before data is encrypted
 .PP
 
 .SH NOTES
@@ -62,20 +71,25 @@ data from stdin. This program is part of the systemd package.
 
 Without any options claes produces OpenPGP (base64-encoded) encrypted messages using AES-128.
 It can decrypt any messages (ascii or binary) produced by GnuPG with the following ciphers:
-AES, AES192, AES256, 3DES and CAST-128.
+AES, AES192, AES256, 3DES and CAST-128. The option "-binary" causes the output written to a
+file with the .gpg extension. As binary output does not compute the CRC24 checksum, it is much
+faster than the default mode and is recommended for the encryption of larger files.
 
-To mangle the password correctly the option --s2k-digest-algo SHA256 must be used with gpg.
+To mangle the password correctly the option \fB--s2k-digest-algo SHA256\fR must be used with gpg.
 
+From version 1.1 an MDC packet is added to every encryption in OpenPGP mode. Integrity protection
+is also used with the CMS format.
 .TP
 \fBopenssl\fR
 
-In OpenSSL mode claes writes (base64-encoded) encrypted messages in the proprietary OpenSSL format using AES256 as the default.
+In OpenSSL mode claes writes encrypted messages in the proprietary OpenSSL format using AES256 as the default.
 
 These messages can be decrypted with openssl :\br
 \fB      openssl aes-256-cbc -pbkdf2 -d -a -in FILE.asc \fR
 
 The use of AES-128 can be forced by the additional option -128 both for encryption or decryption of OpenSSL messages.
 
+There is no compression available in OpenSSL mode.
 .TP
 \fBCMS\fR
 
 
@@ -10,6 +10,8 @@
 
 .B clsmime [OPTIONS] verify signed_message [CArootCertificate]
 
+.B clsmime [OPTIONS] list [<NumLines>] MessageFile
+
 .br
 .SH DESCRIPTION
 \fBclsmime\fR encrypts text or binary data with a RSA \fBpublic key\fR stored in a recipients's certificate file.
@@ -41,6 +43,13 @@ generate a detached signature in S/MIME format as multipart/signed
 .br
 (default is a signature including the enclosed text message)
 .TP
+\fB-integritycheck\fR
+forces integrity protection while encrypting data. 
+.br
+The cryptogram is enveloped in a authEnvelopedData object that cannot be decrypted with OpenSSL.
+.br
+Use this option when the output data is processed with \fBclsmime\fR.
+.TP
 \fB\-binary\fR
 do not change the input bytes (default is \fBtext mode\fR)
 
@@ -63,25 +72,31 @@ write the certificate chain to the file system during verification of a S/MIME s
 
 
 \fBMicrosoft Outlook:\fR Use the contacts tab to enter the Common Name and the email address and finally 
-click on the \\'certificate button\\' to import the contact's certificate stored in a *.cer file.
+click on the 'certificate button' to import the contact's certificate stored in a *.cer file.
 
 .TP
 \fBOpenSSL\fR
 
 The following OpenSSL commands can be used to exchange message files with \fBclsmime\fR :\br
 
-\fB Encryption   :\fR openssl smime -encrypt -aes-256-cbc -in message -binary -out message.smime certfile
+.in +4n
+\fB Encryption   :\fR 
+ openssl smime -encrypt -aes-256-cbc -in message -binary -out message.smime certfile
 
-\fB Decryption   :\fR openssl smime -decrypt -in message  -out message.clear -recip cert -inkey RSAkey
+\fB Decryption   :\fR 
+ openssl smime -decrypt -in message  -out message.clear -recip cert -inkey RSAkey
 
-\fB Signing      :\fR openssl smime -sign -in message -text -signer cert -inkey RSAkey -out message.sig
+\fB Signing      :\fR 
+ openssl smime -sign -in message -text -signer cert -inkey RSAkey -out message.sig
 
-\fB Verification :\fR openssl smime -verify -in message -out message.verified -inkey certfile -CAfile CAcert
+\fB Verification :\fR 
+ openssl smime -verify -in message -out message.verified -inkey certfile -CAfile CAcert
+
+.PP
 
 \fBCertChains\fR can be examined with: 
 .br
 sed -i \'s/CERTIFICATE CHAIN/PKCS7/\' certchain ; openssl pkcs7 -in certchain -text -print_certs
-.PP
 
 .SH NOTES
 Full documentation <https://senderek.ie/cryptlib/tools>     
@@ -104,6 +119,9 @@ data from stdin. This program is part of the systemd package.
 /usr/bin/systemd-ask-password
 This program is used to provide the passphrase based on a user's input.
 .TP
+/usr/bin/dumpasn1
+This program is used to list the ASN1 structure of output files.
+.TP
 /lib64/libcl.so.3.4.8
 The cryptlib library.
 .TP