Merge pull request #587 from libtom/add-pem-support

Add PEM support

.ci/Valgrind-Ubuntu_focal.supp

@@ -0,0 +1,6 @@
+{
+   <s_decode_header>
+   Memcheck:Cond
+   ...
+   fun:s_decode_header
+}

.ci/meta_builds.sh

@@ -22,6 +22,14 @@ fi
 function run_gcc() {
    bash .ci/check_source.sh "CHECK_SOURCES" "$2" "$3" "$4" "$5"
 
+   make -j$(nproc) pem-info V=0
+
+   echo "verify docs..."
+   while read -r line; do
+     grep -q -e "$line" doc/crypt.tex || { echo "Failed to find \"$line\" in doc/crypt.tex"; exit 1; }
+   done < <(./pem-info | grep '^\\' | sed 's@\\@\\\\@g')
+   echo "docs OK"
+
    make clean &>/dev/null
 
    echo

.ci/valgrind.sh

@@ -31,7 +31,14 @@ echo "Run tests with valgrind..."
 for i in `seq 1 10` ; do sleep 300 && echo "Valgrind tests in Progress..."; done &
 alive_pid=$!
 
-valgrind --error-exitcode=666 --leak-check=full --show-leak-kinds=all --errors-for-leak-kinds=all ./test >test_std.txt 2> >(tee -a test_err.txt >&2) || { kill $alive_pid; echo "Valgrind failed"; exit 1; }
+readonly VALGRIND_OPTS="--error-exitcode=666 --leak-check=full --show-leak-kinds=all --errors-for-leak-kinds=all"
+
+readonly distro="$(lsb_release -si)_$(lsb_release -sc)"
+readonly suppfile=".ci/Valgrind-${distro}.supp"
+function get_suppfile() { [ -f "$suppfile" ] && echo "--suppressions=$suppfile" || echo ""; }
+readonly VALGRIND_EXTRA_OPTS=$(get_suppfile)
+
+valgrind $VALGRIND_OPTS $VALGRIND_EXTRA_OPTS ./test >test_std.txt 2> >(tee -a test_err.txt >&2) || { kill $alive_pid; echo "Valgrind failed"; exit 1; }
 
 kill $alive_pid
 

.gitignore

@@ -34,6 +34,10 @@ multi
 multi.exe
 openssl-enc
 openssl-enc.exe
+openssh-privkey
+openssh-privkey.exe
+pem-info
+pem-info.exe
 sizes
 sizes.exe
 small

demos/openssh-privkey.c

@@ -0,0 +1,131 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis */
+/* SPDX-License-Identifier: Unlicense */
+
+/**
+  @file openssh-privkey.c
+  OpenSSH Private Key decryption demo, Steffen Jaeckel
+*/
+
+#include <tomcrypt.h>
+#include <stdarg.h>
+#include <termios.h>
+
+#if defined(LTC_PEM_SSH)
+static void print_err(const char *fmt, ...)
+{
+   va_list args;
+
+   va_start(args, fmt);
+   vfprintf(stderr, fmt, args);
+   va_end(args);
+}
+
+static void die_(int err, int line)
+{
+   print_err("%3d: LTC sez %s\n", line, error_to_string(err));
+   exit(EXIT_FAILURE);
+}
+
+#define die(i) do { die_(i, __LINE__); } while(0)
+#define DIE(s, ...) do { print_err("%3d: " s "\n", __LINE__, ##__VA_ARGS__); exit(EXIT_FAILURE); } while(0)
+
+static char* getpassword(const char *prompt, size_t maxlen)
+{
+   char *wr, *end, *pass = XCALLOC(1, maxlen + 1);
+   struct termios tio;
+   tcflag_t c_lflag;
+   if (pass == NULL)
+      return NULL;
+   wr = pass;
+   end = pass + maxlen;
+
+   tcgetattr(0, &tio);
+   c_lflag = tio.c_lflag;
+   tio.c_lflag &= ~ECHO;
+   tcsetattr(0, TCSANOW, &tio);
+
+   printf("%s", prompt);
+   fflush(stdout);
+   while (pass < end) {
+      int c = getchar();
+      if (c == '\r' || c == '\n' || c == -1)
+         break;
+      *wr++ = c;
+   }
+   tio.c_lflag = c_lflag;
+   tcsetattr(0, TCSAFLUSH, &tio);
+   printf("\n");
+   return pass;
+}
+
+static int password_get(void **p, unsigned long *l, void *u)
+{
+   (void)u;
+   *p = getpassword("Enter passphrase: ", 256);
+   *l = strlen(*p);
+   return 0;
+}
+
+static void print(ltc_pka_key *k)
+{
+   int err = CRYPT_OK;
+   unsigned char buf[256];
+   unsigned long lbuf = sizeof(buf);
+   char pubkey[256*4/3];
+   unsigned long lpubkey = sizeof(pubkey);
+   void *mpint = NULL;
+   switch (k->id) {
+      case LTC_PKA_ED25519:
+         ltc_mp.init(&mpint);
+         ltc_mp.unsigned_read(mpint, k->u.ed25519.pub, sizeof(k->u.ed25519.pub));
+         if ((err = ssh_encode_sequence_multi(buf, &lbuf,
+                                              LTC_SSHDATA_STRING, "ssh-ed25519", strlen("ssh-ed25519"),
+                                              LTC_SSHDATA_MPINT, mpint,
+                                              0, NULL)) != CRYPT_OK)
+            goto errout;
+         if ((err = base64_encode(buf, lbuf, pubkey, &lpubkey)) != CRYPT_OK)
+            goto errout;
+         printf("\rssh-ed25519 %s\n", pubkey);
+         break;
+      default:
+         print_err("Unsupported key type: %d\n", k->id);
+         break;
+   }
+errout:
+   if (mpint != NULL)
+      ltc_mp.deinit(mpint);
+   if (err != CRYPT_OK)
+      die(err);
+}
+
+int main(int argc, char **argv)
+{
+   int err;
+
+   FILE *f = NULL;
+   ltc_pka_key k;
+   password_ctx pw_ctx = { .callback = password_get };
+
+   if ((err = register_all_ciphers()) != CRYPT_OK) {
+      die(err);
+   }
+   if ((err = register_all_hashes()) != CRYPT_OK) {
+      die(err);
+   }
+   if ((err = crypt_mp_init("ltm")) != CRYPT_OK) {
+      die(err);
+   }
+
+   if (argc > 1) f = fopen(argv[1], "r");
+   else f = stdin;
+   if (f == NULL) DIE("fopen sez no");
+
+   if ((err = pem_decode_openssh_filehandle(f, &k, &pw_ctx))) {
+      die(err);
+   }
+   print(&k);
+   return EXIT_SUCCESS;
+}
+#else
+int main(void) { return EXIT_FAILURE; }
+#endif

demos/pem-info.c

@@ -0,0 +1,101 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis */
+/* SPDX-License-Identifier: Unlicense */
+/* print all PEM related infos */
+#include "tomcrypt_private.h"
+
+#if defined(LTC_PEM_SSH)
+extern const struct blockcipher_info pem_dek_infos[];
+extern const unsigned long pem_dek_infos_num;
+
+extern const struct blockcipher_info ssh_ciphers[];
+extern const unsigned long ssh_ciphers_num;
+
+static const struct {
+   const char *is, *should;
+} cipher_name_map[] = {
+   { "", "none" },
+   { "aes", "AES" },
+   { "blowfish", "Blowfish" },
+   { "c20p1305", "ChaCha20Poly1305" },
+   { "camellia", "Camellia" },
+   { "cast5", "CAST5" },
+   { "chacha20", "ChaCha20" },
+   { "3des", "3DES (EDE)" },
+   { "des", "DES" },
+   { "desx", "DES-X" },
+   { "idea", "IDEA" },
+   { "rc5", "RC5" },
+   { "rc2", "RC2" },
+   { "seed", "SEED" },
+   { "serpent", "Serpent" },
+   { "twofish", "Twofish" },
+};
+
+static const char *s_map_cipher(const char *name)
+{
+   unsigned long n;
+   for (n = 0; n < sizeof(cipher_name_map)/sizeof(cipher_name_map[0]); ++n) {
+      if (strcmp(name, cipher_name_map[n].is) == 0)
+         return cipher_name_map[n].should;
+   }
+   fprintf(stderr, "Error: Can't map %s\n", name);
+   exit(1);
+}
+
+static const struct {
+   enum cipher_mode mode;
+   const char *name;
+} cipher_mode_map[] = {
+   { cm_none,   "none",   },
+   { cm_cbc,    "CBC",    },
+   { cm_cfb,    "CFB",    },
+   { cm_ctr,    "CTR",    },
+   { cm_ofb,    "OFB",    },
+   { cm_stream, "STREAM", },
+   { cm_gcm,    "GCM",    },
+};
+
+static const char *s_map_mode(enum cipher_mode mode)
+{
+   size_t n;
+   mode &= cm_modes;
+   for (n = 0; n < sizeof(cipher_mode_map)/sizeof(cipher_mode_map[0]); ++n) {
+      if (cipher_mode_map[n].mode == mode)
+         return cipher_mode_map[n].name;
+   }
+   fprintf(stderr, "Error: Can't map cipher_mode %d\n", mode);
+   exit(1);
+}
+
+int main(void)
+{
+   unsigned long n;
+   printf("PEM ciphers:\n\n");
+   for (n = 0; n < pem_dek_infos_num; ++n) {
+      char nbuf[32] = {0};
+      size_t nlen = strlen(pem_dek_infos[n].name);
+      memcpy(nbuf, pem_dek_infos[n].name, nlen);
+      nbuf[nlen-1] = '}';
+      printf("\\hline \\texttt{%-18s & %-15s & %-25ld & %-6s \\\\\n",
+                               nbuf, s_map_cipher(pem_dek_infos[n].algo),
+                                              pem_dek_infos[n].keylen * 8,
+                                                       s_map_mode(pem_dek_infos[n].mode));
+   }
+
+   printf("\nSSH ciphers:\n\n");
+   for (n = 0; n < ssh_ciphers_num; ++n) {
+      char nbuf[32] = {0};
+      size_t nlen = strlen(ssh_ciphers[n].name);
+      memcpy(nbuf, ssh_ciphers[n].name, nlen);
+      nbuf[nlen] = '}';
+      printf("\\hline \\texttt{%-30s & %-16s & %-24ld & %-6s \\\\\n",
+                               nbuf, s_map_cipher(ssh_ciphers[n].algo),
+                               ssh_ciphers[n].keylen * 8,
+                                                       s_map_mode(ssh_ciphers[n].mode));
+   }
+
+   return 0;
+}
+#else
+int main(void) { return EXIT_FAILURE; }
+#endif