evpo / encryptpad Goto Github PK

Select multiple lines and press tab. The lines are replaced with tab as in windows notepad. Advanced editors tab the lines instead.

It will be great if user can optionally click a menuitem to launch a frame within editor window. This frame will show the live rendering of the text interpreted as if it is markdown or orgmode .

EncryptPad GUI File Encryption dialogue encrypts binary files and sets t (text) flag. When gpg decrypts such a file on Windows or EncryptPad decrypts it, the file is good. However, on Linux or Mac gpg decrypts and strips CR (carriage return) bytes because it thinks that the content is text and converts to Linux line endings that don't have CR.

All gpg actions right now seem to break when they encounter "armored" GPG files.

I run flawfinder tool to check if there is flaws or a code that may cause issues.

Note: Most of hits can be false alarms, but they are not wanted in any code that seek the quality and safety.

$ flawfinder -m0 *

back_end_src/encryption_pipeline.cpp:26: 2 char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.

back_end_src/file_helper.cpp:32: 2 fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
back_end_src/file_helper.cpp:54: 2 fopen:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).

back_end_src/packet_composer.cpp:1075: 2 memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.

back_end_src/win_file_reader.cpp:34: 2 MultiByteToWideChar:
Requires maximum length in CHARACTERS, not bytes (CWE-120).
back_end_src/win_file_reader.cpp:40: 2 MultiByteToWideChar:
Requires maximum length in CHARACTERS, not bytes (CWE-120).
back_end_src/win_file_reader.cpp:68: 2 wchar_t:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.

qt_ui/application.cpp:57: 2 open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).

qt_ui/main.cpp:49: 2 open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).

qt_ui/mainwindow.cpp:111: 2 open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
qt_ui/mainwindow.cpp:145: 2 open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
qt_ui/mainwindow.cpp:406: 2 open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
qt_ui/mainwindow.cpp:439: 2 open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
qt_ui/mainwindow.cpp:441: 2 open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
qt_ui/mainwindow.cpp:626: 2 open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).

qt_ui/mainwindow.h:70: 2 open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).
qt_ui/mainwindow.h:74: 2 open:
Check when opening files - can an attacker redirect it (via symlinks),
force the opening of special file type (e.g., device files), move things
around to create a race condition, control its ancestors, or change its
contents? (CWE-362).

tests/key_generation_tests.cpp:30: 2 char:
Statically-sized arrays can be improperly restricted, leading to potential
overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
functions that limit length, or ensure that the size is larger than the
maximum possible length.
back_end_src/encryption_pipeline.cpp:29: 1 read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
back_end_src/encryption_pipeline.cpp:62: 1 read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).

back_end_src/encryptor.cpp:63: 1 read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
back_end_src/encryptor.cpp:234: 1 strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
back_end_src/encryptor.cpp:355: 1 read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
back_end_src/encryptor.cpp:487: 1 read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).

back_end_src/packet_composer.cpp:428: 1 read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
back_end_src/packet_composer.cpp:813: 1 read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
back_end_src/packet_composer.cpp:824: 1 read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
back_end_src/packet_composer.cpp:923: 1 read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).

back_end_src/packet_stream.h:304: 1 fgetc:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).

cli/get_password.cpp:83: 1 getchar:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).

tests/packet_stream_tests.cpp:42: 1 strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tests/packet_stream_tests.cpp:85: 1 strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tests/packet_stream_tests.cpp:123: 1 strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tests/packet_stream_tests.cpp:185: 1 strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
tests/packet_stream_tests.cpp:205: 1 strlen:
Does not handle strings that are not \0-terminated; if given one it may
perform an over-read (it could cause a crash if unprotected) (CWE-126).
back_end_src/packet_stream.h:309: 0 fread:
Function accepts input from outside program (CWE-20). Make sure input data
is filtered, especially if an attacker could manipulate it.

Not every hit is necessarily a security vulnerability.

When overwriting a file, copy it to a bak file with the same name.

This will let the user to output the content of an encrypted file to console without writing it to the disk. It is also a good way to pipe tools.

It should be a hard-coded value used when the program runs for the first time.

run encryptcli -d file. It will stop for user input without requesting a passphrase.

Add parameters providing descriptor ids (example: 0 for stdin) used for reading passphrases. Two parameters for the password and key file passphrase.

I would like to use this fine editor to open/save files encrypted with GPG, using my own gpg key. In other words, the equivalent of the following workflow (though naturally bypassing creating unencrypted files on disk...). Is it possible? How?

# saving a new file
vi new-file.txt
# gpg2 asks for passphrase, or uses in-memory passphrase from gpg-agent
gpg2 --encrypt -r [email protected] < new-file.txt > new-file.txt.gpg
rm new-file.txt

# opening existing file
# gpg2 asks for passphrase, or uses in-memory passphrase from gpg-agent
gpg2 < new-file.txt.gpg > new-file.txt
vi new-file.txt

Linux packages prefer dynamic linking.

The up and down buttons already have large steps to increment the S2K iterations. However, the max button would be even better.

This will be useful for testing and if some users prefer a language other than their system

[--lang en|ru|fr] [file to open] 

This will let the user not to save a temporary file and download it from somewhere and pipe directly to EncryptPad

In ini file for the beginning and in GUI ideally

Attempting to build on Fedora 23, from current master, with some hints from https://www.reddit.com/r/crypto/comments/488huo/encryptpad_is_an_open_source_openpgp_symmetric/

• On top of the Development Tools group, installed clang and q5-atbase-devel.
• Modified build/Makefile.qt_ui to use qmake-qt5 (exporting QMAKE did not work)
• in cli/Makefile removed LDFLAGS += -static

However the build still errors out with (using make --debug=b):

    Must remake target 'release/EncryptPad'.
make[2]: Entering directory '/home/martin/src/EncryptPad/build/qt_build'
g++ -Wl,-O1 -Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -o release/EncryptPad release/obj/application.o release/obj/file_name_helper.o release/obj/main.o release/obj/mainwindow.o release/obj/set_key_dialog.o release/obj/set_password_dialog.o release/obj/async_load.o release/obj/plain_text_switch.o release/obj/file_properties_dialog.o release/obj/new_key_dialog.o release/obj/preferences_dialog.o release/obj/recent_files_service.o release/obj/find_and_replace.o release/obj/get_password_dialog.o release/obj/confirm_password_dialog.o release/obj/get_password_or_key_dialog.o release/obj/set_encryption_key.o release/obj/file_encryption_dialog.o release/obj/m_window_load_adapter.o release/obj/file_encryption_dlg_adapter.o release/obj/file_dlg_async.o release/obj/password_generation_dialog.o release/obj/load_save_handler.o release/obj/file_request_service.o release/obj/plain_text_edit.o release/obj/find_dialog.o release/obj/qrc_EncryptPad.o release/obj/moc_application.o release/obj/moc_mainwindow.o release/obj/moc_set_key_dialog.o release/obj/moc_set_password_dialog.o release/obj/moc_async_load.o release/obj/moc_plain_text_switch.o release/obj/moc_file_properties_dialog.o release/obj/moc_new_key_dialog.o release/obj/moc_preferences_dialog.o release/obj/moc_recent_files_service.o release/obj/moc_find_and_replace.o release/obj/moc_get_password_dialog.o release/obj/moc_confirm_password_dialog.o release/obj/moc_get_password_or_key_dialog.o release/obj/moc_file_encryption_dialog.o release/obj/moc_file_dlg_async.o release/obj/moc_password_generation_dialog.o release/obj/moc_plain_text_edit.o release/obj/moc_find_dialog.o   -L/home/martin/src/EncryptPad/qt_ui/../deps/stlplus/portability/GNULINUX-x86_64-release -L/home/martin/src/EncryptPad/qt_ui/../deps/botan -L/home/martin/src/EncryptPad/qt_ui/../back_end_src/GNULINUX-x86_64-release -lback_end_src -lportability -lbotan-1.10 /home/martin/src/EncryptPad/qt_ui/../deps/zlib/libz.a -lQt5Widgets -lQt5Gui -lQt5Core -lGL -lpthread
/usr/bin/ld: /home/martin/src/EncryptPad/qt_ui/../back_end_src/GNULINUX-x86_64-release/libback_end_src.a(password_generator.o): relocation R_X86_64_32 against `.bss' can not be used when making a shared object; recompile with -fPIC
/home/martin/src/EncryptPad/qt_ui/../back_end_src/GNULINUX-x86_64-release/libback_end_src.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:258: recipe for target 'release/EncryptPad' failed
make[2]: *** [release/EncryptPad] Error 1
make[2]: Leaving directory '/home/martin/src/EncryptPad/build/qt_build'
Makefile.qt_ui:28: recipe for target 'x_make' failed
make[1]: *** [x_make] Error 2
make[1]: Leaving directory '/home/martin/src/EncryptPad/build'
Makefile:3: recipe for target 'all' failed
make: *** [all] Error 2

Add a text box to the properties dialogue so iterations can be edited

...instead of providing multiple binaries

Currently it is 65,536. I think it is a minimum. Maximum number should be 65,011,712

Currently there are five keys. This number is too small for some users (see #40).

Open mutt and send an email with msmtp. It will evaluate the password from encryptcli and encryptcli crashes because it cannot open /dev/tty.

Check the Makefile.qt_ui and the parent makefile

At least we need to mention it in the documentation. However, it's even better not to overwrite it if it already exists.

At the moment if more than one instance needed, the user has to open the second from command line with:

open -a EncryptPad.app

This bug is only on Mac OS. It can be solved another way. By showing a tool tip for example.

Encryptpad is great so thanks to all developers but is it possible to add the ability to select text and background colour?
Thanks

Qt falls back to its own file manager that does not integrate with the system and does not show usb drives. See the description here

1. Use standard Qt localization tools to translate the GUI to different languages.
2. Update the build to compile multiple languages.

I attempted to install it, and received this error:

fatal error: QtWidgets: No such file or directory

I don't know why I got this, I have QT5 installed. Here's the full error:

make -f Makefile.qt_ui RELEASE=on USE_SYSTEM_LIBS=
make[1]: Entering directory `/home/peterspc/PackageDownloads/EncryptPad-master/build'
mkdir -p ./qt_build
cd ./qt_build && qmake -r -spec linux-g++ "CONFIG+=release" ../../qt_ui/EncryptPad.pro
make -C ./qt_build
make[2]: Entering directory `/home/dave/Packages/EncryptPad-master/build/qt_build'
g++ -c -pipe -O2 -Wall -W -D_REENTRANT -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED -I../../../../anaconda3/mkspecs/linux-g++ -I../../qt_ui -I../../../../anaconda3/include/QtCore -I../../../../anaconda3/include/QtGui -I../../../../anaconda3/include -I../../deps/botan/build/include -I../../deps/stlplus/portability -I../../back_end_src -I. -I. -I../../qt_ui -I. -o release/obj/application.o ../../qt_ui/application.cpp
In file included from ../../back_end_src/packet_stream.h:29:0,
             from ../../back_end_src/packet_composer.h:29,
             from ../../back_end_src/encryptor.h:25,
             from ../../qt_ui/async_load.h:26,
             from ../../qt_ui/mainwindow.h:27,
             from ../../qt_ui/application.h:24,
             from ../../qt_ui/application.cpp:23:
../../back_end_src/epad_utilities.h:114:13: warning: identifier ‘nullptr’ is a keyword in C++11 [-Wc++0x-compat]
         return nullptr;
         ^
In file included from ../../qt_ui/mainwindow.h:32:0,
             from ../../qt_ui/application.h:24,
             from ../../qt_ui/application.cpp:23:
../../qt_ui/load_save_handler.h:21:21: fatal error: QtWidgets: No such file or directory
 #include <QtWidgets>
                 ^
compilation terminated.
make[2]: *** [release/obj/application.o] Error 1
make[2]: Leaving directory `/home/peterspc/PackageDownloads/EncryptPad-master/build/qt_build'
make[1]: *** [x_make] Error 2
make[1]: Leaving directory `/home/peterspc/PackageDownloads/EncryptPad-master/build'
make: *** [all] Error 2

it switches to the text edit pointer after moving it up and down.

When compiled with clang, there is a compilation error in stlplus on implicit conversion from string to bool. The issue has been fixed in the latest version of stlplus.

We will also need to propose an update to stlplus to support double dash -- in command line parameters. It only supports single dash at the moment.

Now key files are always 65536 iterations

• is more traditional way to separate words in cli commands. EncryptPad uses underscores, which is counter intuitive

I guess this isn't an "Issue", it's just annoying- every once in a while it will prompt me for password again when I save. (And I mean when I just leave the file open, I don't mean opening it again). Can I change the frequency of how often it does that? For example--- zero. In other words, only when I freshly open the file after closing it? I can't find that in the settings...

Not a an issue, just wanted to say thanks for EncryptPad

Been using it more and more in the last couple of weeks on Xubuntu 16.04 from webupd8 PPA.
Found it very handy to protect information that does not fit well in password mangers.

Environment: Windows 10 with Anniversary Update
EncryptPad Version: 0.3.2.3 Beta

Well I don't know whether it is true that it doesn't support all the non-ascii characters, but at least it doesn't support CJK characters. This also effects those who set encryptpad as the file types' default program.
For example:
encryptpad C:\example.gpg worked fine, but encryptpad C:\中文\example.gpg will give a message box saying "Cannot open the file because it does not exist".
The open command in GUI menu worked fine.

Why I ask is that I was encrypting/decrypting the same file with both gpg, on the commandline and encryptpad and somehow the file became permanently unreadable (even without encryption, passphrase or key). Its ok, as I do have another copy, but i'm just puzzled as to how it happened. Gpg and encryptpad would be 100% compatible wouldn't they? I compiled EncryptPad from source.

1. Open FileEncryption dialogue
2. Set passphrase and key
3. Encrypt a fie
4. Clear the passphrase and leave the key as is.
5. Encrypt again.
6. It is a key only file now, which is correct.
7. Set the passphrase again
8. Encrypt
9. It is a key only file, which is wrong because the passphrase is set and ignored.

AppImage is a format for portable applications on Linux that bundles an application and everything it needs to run that cannot be expected to be part of the base system (e.g., Qt). The resulting AppImage runs on most not-too-outdated Linux desktop distributions - without installation, without root, without touching any of the system libraries.

It also runs easily from a Live USB or Live ISO without the need for installation - just download, set the executable bit (via the GUI or with chmod a+x, and run.

It would be useful to have an official AppImage from the EncryptPad project.
I have made an example AppImage here:
https://bintray.com/probono/AppImages/EncryptPad/_latestVersion#files

The recipe that generated this AppImage is here:
https://github.com/probonopd/AppImages/blob/master/recipes/meta/EncryptPad.yml

Hide it