/usr/src/usr.bin/ssh/ssh/../sshkey.c

Bug Summary

File:	src/usr.bin/ssh/ssh/../sshkey.c
Warning:	line 1749, column 7 Although the value stored to 'ret' is used in the enclosing expression, the value is never actually read from 'ret'

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name sshkey.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/ssh/ssh/obj -resource-dir /usr/local/llvm16/lib/clang/16 -I /usr/src/usr.bin/ssh/ssh/.. -D WITH_OPENSSL -D WITH_ZLIB -D WITH_DSA -D ENABLE_PKCS11 -D HAVE_DLOPEN -internal-isystem /usr/local/llvm16/lib/clang/16/include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -fdebug-compilation-dir=/usr/src/usr.bin/ssh/ssh/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fno-jump-tables -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/scan/2024-01-11-140451-98009-1 -x c /usr/src/usr.bin/ssh/ssh/../sshkey.c

1	/* $OpenBSD: sshkey.c,v 1.142 2024/01/11 01:45:36 djm Exp $ */
2	/*
3	* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4	* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
5	* Copyright (c) 2010,2011 Damien Miller. All rights reserved.
6	*
7	* Redistribution and use in source and binary forms, with or without
8	* modification, are permitted provided that the following conditions
9	* are met:
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	* 2. Redistributions in binary form must reproduce the above copyright
13	* notice, this list of conditions and the following disclaimer in the
14	* documentation and/or other materials provided with the distribution.
15	*
16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26	*/
27
28	#include <sys/types.h>
29	#include <netinet/in.h>
30
31	#ifdef WITH_OPENSSL1
32	#include <openssl/evp.h>
33	#include <openssl/err.h>
34	#include <openssl/pem.h>
35	#endif
36
37	#include "crypto_api.h"
38
39	#include <errno(*__errno()).h>
40	#include <stdio.h>
41	#include <stdlib.h>
42	#include <string.h>
43	#include <util.h>
44	#include <limits.h>
45	#include <resolv.h>
46
47	#include "ssh2.h"
48	#include "ssherr.h"
49	#include "misc.h"
50	#include "sshbuf.h"
51	#include "cipher.h"
52	#include "digest.h"
53	#define SSHKEY_INTERNAL
54	#include "sshkey.h"
55	#include "match.h"
56	#include "ssh-sk.h"
57
58	#ifdef WITH_XMSS
59	#include "sshkey-xmss.h"
60	#include "xmss_fast.h"
61	#endif
62
63	/* openssh private key file format */
64	#define MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n" "-----BEGIN OPENSSH PRIVATE KEY-----\n"
65	#define MARK_END"-----END OPENSSH PRIVATE KEY-----\n" "-----END OPENSSH PRIVATE KEY-----\n"
66	#define MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1) (sizeof(MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1)
67	#define MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1) (sizeof(MARK_END"-----END OPENSSH PRIVATE KEY-----\n") - 1)
68	#define KDFNAME"bcrypt" "bcrypt"
69	#define AUTH_MAGIC"openssh-key-v1" "openssh-key-v1"
70	#define SALT_LEN16 16
71	#define DEFAULT_CIPHERNAME"aes256-ctr" "aes256-ctr"
72	#define DEFAULT_ROUNDS24 24
73
74	/* Version identification string for SSH v1 identity files. */
75	#define LEGACY_BEGIN"SSH PRIVATE KEY FILE FORMAT 1.1\n" "SSH PRIVATE KEY FILE FORMAT 1.1\n"
76
77	/*
78	* Constants relating to "shielding" support; protection of keys expected
79	* to remain in memory for long durations
80	*/
81	#define SSHKEY_SHIELD_PREKEY_LEN(16 * 1024) (16 * 1024)
82	#define SSHKEY_SHIELD_CIPHER"aes256-ctr" "aes256-ctr" /* XXX want AES-EME* */
83	#define SSHKEY_SHIELD_PREKEY_HASH4 SSH_DIGEST_SHA5124
84
85	int sshkey_private_serialize_opt(struct sshkey *key,
86	struct sshbuf *buf, enum sshkey_serialize_rep);
87	static int sshkey_from_blob_internal(struct sshbuf *buf,
88	struct sshkey **keyp, int allow_cert);
89
90	/* Supported key types */
91	extern const struct sshkey_impl sshkey_ed25519_impl;
92	extern const struct sshkey_impl sshkey_ed25519_cert_impl;
93	extern const struct sshkey_impl sshkey_ed25519_sk_impl;
94	extern const struct sshkey_impl sshkey_ed25519_sk_cert_impl;
95	#ifdef WITH_OPENSSL1
96	extern const struct sshkey_impl sshkey_ecdsa_sk_impl;
97	extern const struct sshkey_impl sshkey_ecdsa_sk_cert_impl;
98	extern const struct sshkey_impl sshkey_ecdsa_sk_webauthn_impl;
99	extern const struct sshkey_impl sshkey_ecdsa_nistp256_impl;
100	extern const struct sshkey_impl sshkey_ecdsa_nistp256_cert_impl;
101	extern const struct sshkey_impl sshkey_ecdsa_nistp384_impl;
102	extern const struct sshkey_impl sshkey_ecdsa_nistp384_cert_impl;
103	extern const struct sshkey_impl sshkey_ecdsa_nistp521_impl;
104	extern const struct sshkey_impl sshkey_ecdsa_nistp521_cert_impl;
105	extern const struct sshkey_impl sshkey_rsa_impl;
106	extern const struct sshkey_impl sshkey_rsa_cert_impl;
107	extern const struct sshkey_impl sshkey_rsa_sha256_impl;
108	extern const struct sshkey_impl sshkey_rsa_sha256_cert_impl;
109	extern const struct sshkey_impl sshkey_rsa_sha512_impl;
110	extern const struct sshkey_impl sshkey_rsa_sha512_cert_impl;
111	# ifdef WITH_DSA1
112	extern const struct sshkey_impl sshkey_dss_impl;
113	extern const struct sshkey_impl sshkey_dsa_cert_impl;
114	# endif
115	#endif /* WITH_OPENSSL */
116	#ifdef WITH_XMSS
117	extern const struct sshkey_impl sshkey_xmss_impl;
118	extern const struct sshkey_impl sshkey_xmss_cert_impl;
119	#endif
120
121	const struct sshkey_impl * const keyimpls[] = {
122	&sshkey_ed25519_impl,
123	&sshkey_ed25519_cert_impl,
124	&sshkey_ed25519_sk_impl,
125	&sshkey_ed25519_sk_cert_impl,
126	#ifdef WITH_OPENSSL1
127	&sshkey_ecdsa_nistp256_impl,
128	&sshkey_ecdsa_nistp256_cert_impl,
129	&sshkey_ecdsa_nistp384_impl,
130	&sshkey_ecdsa_nistp384_cert_impl,
131	&sshkey_ecdsa_nistp521_impl,
132	&sshkey_ecdsa_nistp521_cert_impl,
133	&sshkey_ecdsa_sk_impl,
134	&sshkey_ecdsa_sk_cert_impl,
135	&sshkey_ecdsa_sk_webauthn_impl,
136	# ifdef WITH_DSA1
137	&sshkey_dss_impl,
138	&sshkey_dsa_cert_impl,
139	# endif
140	&sshkey_rsa_impl,
141	&sshkey_rsa_cert_impl,
142	&sshkey_rsa_sha256_impl,
143	&sshkey_rsa_sha256_cert_impl,
144	&sshkey_rsa_sha512_impl,
145	&sshkey_rsa_sha512_cert_impl,
146	#endif /* WITH_OPENSSL */
147	#ifdef WITH_XMSS
148	&sshkey_xmss_impl,
149	&sshkey_xmss_cert_impl,
150	#endif
151	NULL((void *)0)
152	};
153
154	static const struct sshkey_impl *
155	sshkey_impl_from_type(int type)
156	{
157	int i;
158
159	for (i = 0; keyimpls[i] != NULL((void *)0); i++) {
160	if (keyimpls[i]->type == type)
161	return keyimpls[i];
162	}
163	return NULL((void *)0);
164	}
165
166	static const struct sshkey_impl *
167	sshkey_impl_from_type_nid(int type, int nid)
168	{
169	int i;
170
171	for (i = 0; keyimpls[i] != NULL((void *)0); i++) {
172	if (keyimpls[i]->type == type &&
173	(keyimpls[i]->nid == 0 \|\| keyimpls[i]->nid == nid))
174	return keyimpls[i];
175	}
176	return NULL((void *)0);
177	}
178
179	static const struct sshkey_impl *
180	sshkey_impl_from_key(const struct sshkey *k)
181	{
182	if (k == NULL((void *)0))
183	return NULL((void *)0);
184	return sshkey_impl_from_type_nid(k->type, k->ecdsa_nid);
185	}
186
187	const char *
188	sshkey_type(const struct sshkey *k)
189	{
190	const struct sshkey_impl *impl;
191
192	if ((impl = sshkey_impl_from_key(k)) == NULL((void *)0))
193	return "unknown";
194	return impl->shortname;
195	}
196
197	static const char *
198	sshkey_ssh_name_from_type_nid(int type, int nid)
199	{
200	const struct sshkey_impl *impl;
201
202	if ((impl = sshkey_impl_from_type_nid(type, nid)) == NULL((void *)0))
203	return "ssh-unknown";
204	return impl->name;
205	}
206
207	int
208	sshkey_type_is_cert(int type)
209	{
210	const struct sshkey_impl *impl;
211
212	if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0))
213	return 0;
214	return impl->cert;
215	}
216
217	const char *
218	sshkey_ssh_name(const struct sshkey *k)
219	{
220	return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
221	}
222
223	const char *
224	sshkey_ssh_name_plain(const struct sshkey *k)
225	{
226	return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
227	k->ecdsa_nid);
228	}
229
230	int
231	sshkey_type_from_name(const char *name)
232	{
233	int i;
234	const struct sshkey_impl *impl;
235
236	for (i = 0; keyimpls[i] != NULL((void *)0); i++) {
237	impl = keyimpls[i];
238	/* Only allow shortname matches for plain key types */
239	if ((impl->name != NULL((void *)0) && strcmp(name, impl->name) == 0) \|\|
240	(!impl->cert && strcasecmp(impl->shortname, name) == 0))
241	return impl->type;
242	}
243	return KEY_UNSPEC;
244	}
245
246	static int
247	key_type_is_ecdsa_variant(int type)
248	{
249	switch (type) {
250	case KEY_ECDSA:
251	case KEY_ECDSA_CERT:
252	case KEY_ECDSA_SK:
253	case KEY_ECDSA_SK_CERT:
254	return 1;
255	}
256	return 0;
257	}
258
259	int
260	sshkey_ecdsa_nid_from_name(const char *name)
261	{
262	int i;
263
264	for (i = 0; keyimpls[i] != NULL((void *)0); i++) {
265	if (!key_type_is_ecdsa_variant(keyimpls[i]->type))
266	continue;
267	if (keyimpls[i]->name != NULL((void *)0) &&
268	strcmp(name, keyimpls[i]->name) == 0)
269	return keyimpls[i]->nid;
270	}
271	return -1;
272	}
273
274	int
275	sshkey_match_keyname_to_sigalgs(const char keyname, const char sigalgs)
276	{
277	int ktype;
278
279	if (sigalgs == NULL((void )0) \|\| sigalgs == '\0' \|\|
280	(ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC)
281	return 0;
282	else if (ktype == KEY_RSA) {
283	return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 \|\|
284	match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 \|\|
285	match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1;
286	} else if (ktype == KEY_RSA_CERT) {
287	return match_pattern_list("ssh-rsa-cert-v01@openssh.com",
288	sigalgs, 0) == 1 \|\|
289	match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
290	sigalgs, 0) == 1 \|\|
291	match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
292	sigalgs, 0) == 1;
293	} else
294	return match_pattern_list(keyname, sigalgs, 0) == 1;
295	}
296
297	char *
298	sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
299	{
300	char tmp, ret = NULL((void *)0);
301	size_t i, nlen, rlen = 0;
302	const struct sshkey_impl *impl;
303
304	for (i = 0; keyimpls[i] != NULL((void *)0); i++) {
305	impl = keyimpls[i];
306	if (impl->name == NULL((void *)0))
307	continue;
308	if (!include_sigonly && impl->sigonly)
309	continue;
310	if ((certs_only && !impl->cert) \|\| (plain_only && impl->cert))
311	continue;
312	if (ret != NULL((void *)0))
313	ret[rlen++] = sep;
314	nlen = strlen(impl->name);
315	if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL((void *)0)) {
316	free(ret);
317	return NULL((void *)0);
318	}
319	ret = tmp;
320	memcpy(ret + rlen, impl->name, nlen + 1);
321	rlen += nlen;
322	}
323	return ret;
324	}
325
326	int
327	sshkey_names_valid2(const char *names, int allow_wildcard, int plain_only)
328	{
329	char s, cp, *p;
330	const struct sshkey_impl *impl;
331	int i, type;
332
333	if (names == NULL((void *)0) \|\| strcmp(names, "") == 0)
334	return 0;
335	if ((s = cp = strdup(names)) == NULL((void *)0))
336	return 0;
337	for ((p = strsep(&cp, ",")); p && *p != '\0';
338	(p = strsep(&cp, ","))) {
339	type = sshkey_type_from_name(p);
340	if (type == KEY_UNSPEC) {
341	if (allow_wildcard) {
342	/*
343	* Try matching key types against the string.
344	* If any has a positive or negative match then
345	* the component is accepted.
346	*/
347	impl = NULL((void *)0);
348	for (i = 0; keyimpls[i] != NULL((void *)0); i++) {
349	if (match_pattern_list(
350	keyimpls[i]->name, p, 0) != 0) {
351	impl = keyimpls[i];
352	break;
353	}
354	}
355	if (impl != NULL((void *)0))
356	continue;
357	}
358	free(s);
359	return 0;
360	} else if (plain_only && sshkey_type_is_cert(type)) {
361	free(s);
362	return 0;
363	}
364	}
365	free(s);
366	return 1;
367	}
368
369	u_int
370	sshkey_size(const struct sshkey *k)
371	{
372	const struct sshkey_impl *impl;
373
374	if ((impl = sshkey_impl_from_key(k)) == NULL((void *)0))
375	return 0;
376	if (impl->funcs->size != NULL((void *)0))
377	return impl->funcs->size(k);
378	return impl->keybits;
379	}
380
381	static int
382	sshkey_type_is_valid_ca(int type)
383	{
384	const struct sshkey_impl *impl;
385
386	if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0))
387	return 0;
388	/* All non-certificate types may act as CAs */
389	return !impl->cert;
390	}
391
392	int
393	sshkey_is_cert(const struct sshkey *k)
394	{
395	if (k == NULL((void *)0))
396	return 0;
397	return sshkey_type_is_cert(k->type);
398	}
399
400	int
401	sshkey_is_sk(const struct sshkey *k)
402	{
403	if (k == NULL((void *)0))
404	return 0;
405	switch (sshkey_type_plain(k->type)) {
406	case KEY_ECDSA_SK:
407	case KEY_ED25519_SK:
408	return 1;
409	default:
410	return 0;
411	}
412	}
413
414	/* Return the cert-less equivalent to a certified key type */
415	int
416	sshkey_type_plain(int type)
417	{
418	switch (type) {
419	case KEY_RSA_CERT:
420	return KEY_RSA;
421	case KEY_DSA_CERT:
422	return KEY_DSA;
423	case KEY_ECDSA_CERT:
424	return KEY_ECDSA;
425	case KEY_ECDSA_SK_CERT:
426	return KEY_ECDSA_SK;
427	case KEY_ED25519_CERT:
428	return KEY_ED25519;
429	case KEY_ED25519_SK_CERT:
430	return KEY_ED25519_SK;
431	case KEY_XMSS_CERT:
432	return KEY_XMSS;
433	default:
434	return type;
435	}
436	}
437
438	/* Return the cert equivalent to a plain key type */
439	static int
440	sshkey_type_certified(int type)
441	{
442	switch (type) {
443	case KEY_RSA:
444	return KEY_RSA_CERT;
445	case KEY_DSA:
446	return KEY_DSA_CERT;
447	case KEY_ECDSA:
448	return KEY_ECDSA_CERT;
449	case KEY_ECDSA_SK:
450	return KEY_ECDSA_SK_CERT;
451	case KEY_ED25519:
452	return KEY_ED25519_CERT;
453	case KEY_ED25519_SK:
454	return KEY_ED25519_SK_CERT;
455	case KEY_XMSS:
456	return KEY_XMSS_CERT;
457	default:
458	return -1;
459	}
460	}
461
462	#ifdef WITH_OPENSSL1
463	/* XXX: these are really begging for a table-driven approach */
464	int
465	sshkey_curve_name_to_nid(const char *name)
466	{
467	if (strcmp(name, "nistp256") == 0)
468	return NID_X9_62_prime256v1415;
469	else if (strcmp(name, "nistp384") == 0)
470	return NID_secp384r1715;
471	else if (strcmp(name, "nistp521") == 0)
472	return NID_secp521r1716;
473	else
474	return -1;
475	}
476
477	u_int
478	sshkey_curve_nid_to_bits(int nid)
479	{
480	switch (nid) {
481	case NID_X9_62_prime256v1415:
482	return 256;
483	case NID_secp384r1715:
484	return 384;
485	case NID_secp521r1716:
486	return 521;
487	default:
488	return 0;
489	}
490	}
491
492	int
493	sshkey_ecdsa_bits_to_nid(int bits)
494	{
495	switch (bits) {
496	case 256:
497	return NID_X9_62_prime256v1415;
498	case 384:
499	return NID_secp384r1715;
500	case 521:
501	return NID_secp521r1716;
502	default:
503	return -1;
504	}
505	}
506
507	const char *
508	sshkey_curve_nid_to_name(int nid)
509	{
510	switch (nid) {
511	case NID_X9_62_prime256v1415:
512	return "nistp256";
513	case NID_secp384r1715:
514	return "nistp384";
515	case NID_secp521r1716:
516	return "nistp521";
517	default:
518	return NULL((void *)0);
519	}
520	}
521
522	int
523	sshkey_ec_nid_to_hash_alg(int nid)
524	{
525	int kbits = sshkey_curve_nid_to_bits(nid);
526
527	if (kbits <= 0)
528	return -1;
529
530	/* RFC5656 section 6.2.1 */
531	if (kbits <= 256)
532	return SSH_DIGEST_SHA2562;
533	else if (kbits <= 384)
534	return SSH_DIGEST_SHA3843;
535	else
536	return SSH_DIGEST_SHA5124;
537	}
538	#endif /* WITH_OPENSSL */
539
540	static void
541	cert_free(struct sshkey_cert *cert)
542	{
543	u_int i;
544
545	if (cert == NULL((void *)0))
546	return;
547	sshbuf_free(cert->certblob);
548	sshbuf_free(cert->critical);
549	sshbuf_free(cert->extensions);
550	free(cert->key_id);
551	for (i = 0; i < cert->nprincipals; i++)
552	free(cert->principals[i]);
553	free(cert->principals);
554	sshkey_free(cert->signature_key);
555	free(cert->signature_type);
556	freezero(cert, sizeof(*cert));
557	}
558
559	static struct sshkey_cert *
560	cert_new(void)
561	{
562	struct sshkey_cert *cert;
563
564	if ((cert = calloc(1, sizeof(cert))) == NULL((void )0))
565	return NULL((void *)0);
566	if ((cert->certblob = sshbuf_new()) == NULL((void *)0) \|\|
567	(cert->critical = sshbuf_new()) == NULL((void *)0) \|\|
568	(cert->extensions = sshbuf_new()) == NULL((void *)0)) {
569	cert_free(cert);
570	return NULL((void *)0);
571	}
572	cert->key_id = NULL((void *)0);
573	cert->principals = NULL((void *)0);
574	cert->signature_key = NULL((void *)0);
575	cert->signature_type = NULL((void *)0);
576	return cert;
577	}
578
579	struct sshkey *
580	sshkey_new(int type)
581	{
582	struct sshkey *k;
583	const struct sshkey_impl impl = NULL((void )0);
584
585	if (type != KEY_UNSPEC &&
586	(impl = sshkey_impl_from_type(type)) == NULL((void *)0))
587	return NULL((void *)0);
588
589	/* All non-certificate types may act as CAs */
590	if ((k = calloc(1, sizeof(k))) == NULL((void )0))
591	return NULL((void *)0);
592	k->type = type;
593	k->ecdsa_nid = -1;
594	if (impl != NULL((void )0) && impl->funcs->alloc != NULL((void )0)) {
595	if (impl->funcs->alloc(k) != 0) {
596	free(k);
597	return NULL((void *)0);
598	}
599	}
600	if (sshkey_is_cert(k)) {
601	if ((k->cert = cert_new()) == NULL((void *)0)) {
602	sshkey_free(k);
603	return NULL((void *)0);
604	}
605	}
606
607	return k;
608	}
609
610	/* Frees common FIDO fields */
611	void
612	sshkey_sk_cleanup(struct sshkey *k)
613	{
614	free(k->sk_application);
615	sshbuf_free(k->sk_key_handle);
616	sshbuf_free(k->sk_reserved);
617	k->sk_application = NULL((void *)0);
618	k->sk_key_handle = k->sk_reserved = NULL((void *)0);
619	}
620
621	static void
622	sshkey_free_contents(struct sshkey *k)
623	{
624	const struct sshkey_impl *impl;
625
626	if (k == NULL((void *)0))
627	return;
628	if ((impl = sshkey_impl_from_type(k->type)) != NULL((void *)0) &&
629	impl->funcs->cleanup != NULL((void *)0))
630	impl->funcs->cleanup(k);
631	if (sshkey_is_cert(k))
632	cert_free(k->cert);
633	freezero(k->shielded_private, k->shielded_len);
634	freezero(k->shield_prekey, k->shield_prekey_len);
635	}
636
637	void
638	sshkey_free(struct sshkey *k)
639	{
640	sshkey_free_contents(k);
641	freezero(k, sizeof(*k));
642	}
643
644	static int
645	cert_compare(struct sshkey_cert a, struct sshkey_cert b)
646	{
647	if (a == NULL((void )0) && b == NULL((void )0))
648	return 1;
649	if (a == NULL((void )0) \|\| b == NULL((void )0))
650	return 0;
651	if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
652	return 0;
653	if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
654	sshbuf_len(a->certblob)) != 0)
655	return 0;
656	return 1;
657	}
658
659	/* Compares FIDO-specific pubkey fields only */
660	int
661	sshkey_sk_fields_equal(const struct sshkey a, const struct sshkey b)
662	{
663	if (a->sk_application == NULL((void )0) \|\| b->sk_application == NULL((void )0))
664	return 0;
665	if (strcmp(a->sk_application, b->sk_application) != 0)
666	return 0;
667	return 1;
668	}
669
670	/*
671	* Compare public portions of key only, allowing comparisons between
672	* certificates and plain keys too.
673	*/
674	int
675	sshkey_equal_public(const struct sshkey a, const struct sshkey b)
676	{
677	const struct sshkey_impl *impl;
678
679	if (a == NULL((void )0) \|\| b == NULL((void )0) \|\|
680	sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
681	return 0;
682	if ((impl = sshkey_impl_from_type(a->type)) == NULL((void *)0))
683	return 0;
684	return impl->funcs->equal(a, b);
685	}
686
687	int
688	sshkey_equal(const struct sshkey a, const struct sshkey b)
689	{
690	if (a == NULL((void )0) \|\| b == NULL((void )0) \|\| a->type != b->type)
691	return 0;
692	if (sshkey_is_cert(a)) {
693	if (!cert_compare(a->cert, b->cert))
694	return 0;
695	}
696	return sshkey_equal_public(a, b);
697	}
698
699
700	/* Serialise common FIDO key parts */
701	int
702	sshkey_serialize_sk(const struct sshkey key, struct sshbuf b)
703	{
704	int r;
705
706	if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0)
707	return r;
708
709	return 0;
710	}
711
712	static int
713	to_blob_buf(const struct sshkey key, struct sshbuf b, int force_plain,
714	enum sshkey_serialize_rep opts)
715	{
716	int type, ret = SSH_ERR_INTERNAL_ERROR-1;
717	const char *typename;
718	const struct sshkey_impl *impl;
719
720	if (key == NULL((void *)0))
721	return SSH_ERR_INVALID_ARGUMENT-10;
722
723	type = force_plain ? sshkey_type_plain(key->type) : key->type;
724
725	if (sshkey_type_is_cert(type)) {
726	if (key->cert == NULL((void *)0))
727	return SSH_ERR_EXPECTED_CERT-16;
728	if (sshbuf_len(key->cert->certblob) == 0)
729	return SSH_ERR_KEY_LACKS_CERTBLOB-17;
730	/* Use the existing blob */
731	if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
732	return ret;
733	return 0;
734	}
735	if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0))
736	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
737
738	typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
739	if ((ret = sshbuf_put_cstring(b, typename)) != 0)
740	return ret;
741	return impl->funcs->serialize_public(key, b, opts);
742	}
743
744	int
745	sshkey_putb(const struct sshkey key, struct sshbuf b)
746	{
747	return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT);
748	}
749
750	int
751	sshkey_puts_opts(const struct sshkey key, struct sshbuf b,
752	enum sshkey_serialize_rep opts)
753	{
754	struct sshbuf *tmp;
755	int r;
756
757	if ((tmp = sshbuf_new()) == NULL((void *)0))
758	return SSH_ERR_ALLOC_FAIL-2;
759	r = to_blob_buf(key, tmp, 0, opts);
760	if (r == 0)
761	r = sshbuf_put_stringb(b, tmp);
762	sshbuf_free(tmp);
763	return r;
764	}
765
766	int
767	sshkey_puts(const struct sshkey key, struct sshbuf b)
768	{
769	return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT);
770	}
771
772	int
773	sshkey_putb_plain(const struct sshkey key, struct sshbuf b)
774	{
775	return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT);
776	}
777
778	static int
779	to_blob(const struct sshkey key, u_char blobp, size_t lenp, int force_plain,
780	enum sshkey_serialize_rep opts)
781	{
782	int ret = SSH_ERR_INTERNAL_ERROR-1;
783	size_t len;
784	struct sshbuf b = NULL((void )0);
785
786	if (lenp != NULL((void *)0))
787	*lenp = 0;
788	if (blobp != NULL((void *)0))
789	blobp = NULL((void )0);
790	if ((b = sshbuf_new()) == NULL((void *)0))
791	return SSH_ERR_ALLOC_FAIL-2;
792	if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0)
793	goto out;
794	len = sshbuf_len(b);
795	if (lenp != NULL((void *)0))
796	*lenp = len;
797	if (blobp != NULL((void *)0)) {
798	if ((blobp = malloc(len)) == NULL((void )0)) {
799	ret = SSH_ERR_ALLOC_FAIL-2;
800	goto out;
801	}
802	memcpy(*blobp, sshbuf_ptr(b), len);
803	}
804	ret = 0;
805	out:
806	sshbuf_free(b);
807	return ret;
808	}
809
810	int
811	sshkey_to_blob(const struct sshkey key, u_char blobp, size_t lenp)
812	{
813	return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT);
814	}
815
816	int
817	sshkey_plain_to_blob(const struct sshkey key, u_char blobp, size_t lenp)
818	{
819	return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT);
820	}
821
822	int
823	sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
824	u_char *retp, size_t lenp)
825	{
826	u_char blob = NULL((void )0), ret = NULL((void )0);
827	size_t blob_len = 0;
828	int r = SSH_ERR_INTERNAL_ERROR-1;
829
830	if (retp != NULL((void *)0))
831	retp = NULL((void )0);
832	if (lenp != NULL((void *)0))
833	*lenp = 0;
834	if (ssh_digest_bytes(dgst_alg) == 0) {
835	r = SSH_ERR_INVALID_ARGUMENT-10;
836	goto out;
837	}
838	if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT))
839	!= 0)
840	goto out;
841	if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH64)) == NULL((void *)0)) {
842	r = SSH_ERR_ALLOC_FAIL-2;
843	goto out;
844	}
845	if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
846	ret, SSH_DIGEST_MAX_LENGTH64)) != 0)
847	goto out;
848	/* success */
849	if (retp != NULL((void *)0)) {
850	*retp = ret;
851	ret = NULL((void *)0);
852	}
853	if (lenp != NULL((void *)0))
854	*lenp = ssh_digest_bytes(dgst_alg);
855	r = 0;
856	out:
857	free(ret);
858	if (blob != NULL((void *)0))
859	freezero(blob, blob_len);
860	return r;
861	}
862
863	static char *
864	fingerprint_b64(const char alg, u_char dgst_raw, size_t dgst_raw_len)
865	{
866	char *ret;
867	size_t plen = strlen(alg) + 1;
868	size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
869
870	if (dgst_raw_len > 65536 \|\| (ret = calloc(1, rlen)) == NULL((void *)0))
871	return NULL((void *)0);
872	strlcpy(ret, alg, rlen);
873	strlcat(ret, ":", rlen);
874	if (dgst_raw_len == 0)
875	return ret;
876	if (b64_ntop__b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) {
877	freezero(ret, rlen);
878	return NULL((void *)0);
879	}
880	/* Trim padding characters from end */
881	ret[strcspn(ret, "=")] = '\0';
882	return ret;
883	}
884
885	static char *
886	fingerprint_hex(const char alg, u_char dgst_raw, size_t dgst_raw_len)
887	{
888	char *retval, hex[5];
889	size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
890
891	if (dgst_raw_len > 65536 \|\| (retval = calloc(1, rlen)) == NULL((void *)0))
892	return NULL((void *)0);
893	strlcpy(retval, alg, rlen);
894	strlcat(retval, ":", rlen);
895	for (i = 0; i < dgst_raw_len; i++) {
896	snprintf(hex, sizeof(hex), "%s%02x",
897	i > 0 ? ":" : "", dgst_raw[i]);
898	strlcat(retval, hex, rlen);
899	}
900	return retval;
901	}
902
903	static char *
904	fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
905	{
906	char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
907	char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
908	'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
909	u_int i, j = 0, rounds, seed = 1;
910	char *retval;
911
912	rounds = (dgst_raw_len / 2) + 1;
913	if ((retval = calloc(rounds, 6)) == NULL((void *)0))
914	return NULL((void *)0);
915	retval[j++] = 'x';
916	for (i = 0; i < rounds; i++) {
917	u_int idx0, idx1, idx2, idx3, idx4;
918	if ((i + 1 < rounds) \|\| (dgst_raw_len % 2 != 0)) {
919	idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
920	seed) % 6;
921	idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
922	idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
923	(seed / 6)) % 6;
924	retval[j++] = vowels[idx0];
925	retval[j++] = consonants[idx1];
926	retval[j++] = vowels[idx2];
927	if ((i + 1) < rounds) {
928	idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
929	idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
930	retval[j++] = consonants[idx3];
931	retval[j++] = '-';
932	retval[j++] = consonants[idx4];
933	seed = ((seed * 5) +
934	((((u_int)(dgst_raw[2 * i])) * 7) +
935	((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
936	}
937	} else {
938	idx0 = seed % 6;
939	idx1 = 16;
940	idx2 = seed / 6;
941	retval[j++] = vowels[idx0];
942	retval[j++] = consonants[idx1];
943	retval[j++] = vowels[idx2];
944	}
945	}
946	retval[j++] = 'x';
947	retval[j++] = '\0';
948	return retval;
949	}
950
951	/*
952	* Draw an ASCII-Art representing the fingerprint so human brain can
953	* profit from its built-in pattern recognition ability.
954	* This technique is called "random art" and can be found in some
955	* scientific publications like this original paper:
956	*
957	* "Hash Visualization: a New Technique to improve Real-World Security",
958	* Perrig A. and Song D., 1999, International Workshop on Cryptographic
959	* Techniques and E-Commerce (CrypTEC '99)
960	* sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
961	*
962	* The subject came up in a talk by Dan Kaminsky, too.
963	*
964	* If you see the picture is different, the key is different.
965	* If the picture looks the same, you still know nothing.
966	*
967	* The algorithm used here is a worm crawling over a discrete plane,
968	* leaving a trace (augmenting the field) everywhere it goes.
969	* Movement is taken from dgst_raw 2bit-wise. Bumping into walls
970	* makes the respective movement vector be ignored for this turn.
971	* Graphs are not unambiguous, because circles in graphs can be
972	* walked in either direction.
973	*/
974
975	/*
976	* Field sizes for the random art. Have to be odd, so the starting point
977	* can be in the exact middle of the picture, and FLDBASE should be >=8 .
978	* Else pictures would be too dense, and drawing the frame would
979	* fail, too, because the key type would not fit in anymore.
980	*/
981	#define FLDBASE8 8
982	#define FLDSIZE_Y(8 + 1) (FLDBASE8 + 1)
983	#define FLDSIZE_X(8 * 2 + 1) (FLDBASE8 * 2 + 1)
984	static char *
985	fingerprint_randomart(const char alg, u_char dgst_raw, size_t dgst_raw_len,
986	const struct sshkey *k)
987	{
988	/*
989	* Chars to be used after each other every time the worm
990	* intersects with itself. Matter of taste.
991	*/
992	char augmentation_string = " .o+=BOX@%&#/^SE";
993	char retval, p, title[FLDSIZE_X(8 * 2 + 1)], hash[FLDSIZE_X(8 * 2 + 1)];
994	u_char field[FLDSIZE_X(8 * 2 + 1)][FLDSIZE_Y(8 + 1)];
995	size_t i, tlen, hlen;
996	u_int b;
997	int x, y, r;
998	size_t len = strlen(augmentation_string) - 1;
999
1000	if ((retval = calloc((FLDSIZE_X(8 * 2 + 1) + 3), (FLDSIZE_Y(8 + 1) + 2))) == NULL((void *)0))
1001	return NULL((void *)0);
1002
1003	/* initialize field */
1004	memset(field, 0, FLDSIZE_X(8 * 2 + 1) * FLDSIZE_Y(8 + 1) * sizeof(char));
1005	x = FLDSIZE_X(8 * 2 + 1) / 2;
1006	y = FLDSIZE_Y(8 + 1) / 2;
1007
1008	/* process raw key */
1009	for (i = 0; i < dgst_raw_len; i++) {
1010	int input;
1011	/* each byte conveys four 2-bit move commands */
1012	input = dgst_raw[i];
1013	for (b = 0; b < 4; b++) {
1014	/* evaluate 2 bit, rest is shifted later */
1015	x += (input & 0x1) ? 1 : -1;
1016	y += (input & 0x2) ? 1 : -1;
1017
1018	/* assure we are still in bounds */
1019	x = MAXIMUM(x, 0)(((x) > (0)) ? (x) : (0));
1020	y = MAXIMUM(y, 0)(((y) > (0)) ? (y) : (0));
1021	x = MINIMUM(x, FLDSIZE_X - 1)(((x) < ((8 * 2 + 1) - 1)) ? (x) : ((8 * 2 + 1) - 1));
1022	y = MINIMUM(y, FLDSIZE_Y - 1)(((y) < ((8 + 1) - 1)) ? (y) : ((8 + 1) - 1));
1023
1024	/* augment the field */
1025	if (field[x][y] < len - 2)
1026	field[x][y]++;
1027	input = input >> 2;
1028	}
1029	}
1030
1031	/* mark starting point and end point*/
1032	field[FLDSIZE_X(8 * 2 + 1) / 2][FLDSIZE_Y(8 + 1) / 2] = len - 1;
1033	field[x][y] = len;
1034
1035	/* assemble title */
1036	r = snprintf(title, sizeof(title), "[%s %u]",
1037	sshkey_type(k), sshkey_size(k));
1038	/* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
1039	if (r < 0 \|\| r > (int)sizeof(title))
1040	r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
1041	tlen = (r <= 0) ? 0 : strlen(title);
1042
1043	/* assemble hash ID. */
1044	r = snprintf(hash, sizeof(hash), "[%s]", alg);
1045	hlen = (r <= 0) ? 0 : strlen(hash);
1046
1047	/* output upper border */
1048	p = retval;
1049	*p++ = '+';
1050	for (i = 0; i < (FLDSIZE_X(8 * 2 + 1) - tlen) / 2; i++)
1051	*p++ = '-';
1052	memcpy(p, title, tlen);
1053	p += tlen;
1054	for (i += tlen; i < FLDSIZE_X(8 * 2 + 1); i++)
1055	*p++ = '-';
1056	*p++ = '+';
1057	*p++ = '\n';
1058
1059	/* output content */
1060	for (y = 0; y < FLDSIZE_Y(8 + 1); y++) {
1061	*p++ = '\|';
1062	for (x = 0; x < FLDSIZE_X(8 * 2 + 1); x++)
1063	*p++ = augmentation_string[MINIMUM(field[x][y], len)(((field[x][y]) < (len)) ? (field[x][y]) : (len))];
1064	*p++ = '\|';
1065	*p++ = '\n';
1066	}
1067
1068	/* output lower border */
1069	*p++ = '+';
1070	for (i = 0; i < (FLDSIZE_X(8 * 2 + 1) - hlen) / 2; i++)
1071	*p++ = '-';
1072	memcpy(p, hash, hlen);
1073	p += hlen;
1074	for (i += hlen; i < FLDSIZE_X(8 * 2 + 1); i++)
1075	*p++ = '-';
1076	*p++ = '+';
1077
1078	return retval;
1079	}
1080
1081	char *
1082	sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
1083	enum sshkey_fp_rep dgst_rep)
1084	{
1085	char retval = NULL((void )0);
1086	u_char *dgst_raw;
1087	size_t dgst_raw_len;
1088
1089	if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
1090	return NULL((void *)0);
1091	switch (dgst_rep) {
1092	case SSH_FP_DEFAULT:
1093	if (dgst_alg == SSH_DIGEST_MD50) {
1094	retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
1095	dgst_raw, dgst_raw_len);
1096	} else {
1097	retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
1098	dgst_raw, dgst_raw_len);
1099	}
1100	break;
1101	case SSH_FP_HEX:
1102	retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
1103	dgst_raw, dgst_raw_len);
1104	break;
1105	case SSH_FP_BASE64:
1106	retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
1107	dgst_raw, dgst_raw_len);
1108	break;
1109	case SSH_FP_BUBBLEBABBLE:
1110	retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
1111	break;
1112	case SSH_FP_RANDOMART:
1113	retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
1114	dgst_raw, dgst_raw_len, k);
1115	break;
1116	default:
1117	freezero(dgst_raw, dgst_raw_len);
1118	return NULL((void *)0);
1119	}
1120	freezero(dgst_raw, dgst_raw_len);
1121	return retval;
1122	}
1123
1124	static int
1125	peek_type_nid(const char s, size_t l, int nid)
1126	{
1127	const struct sshkey_impl *impl;
1128	int i;
1129
1130	for (i = 0; keyimpls[i] != NULL((void *)0); i++) {
1131	impl = keyimpls[i];
1132	if (impl->name == NULL((void *)0) \|\| strlen(impl->name) != l)
1133	continue;
1134	if (memcmp(s, impl->name, l) == 0) {
1135	*nid = -1;
1136	if (key_type_is_ecdsa_variant(impl->type))
1137	*nid = impl->nid;
1138	return impl->type;
1139	}
1140	}
1141	return KEY_UNSPEC;
1142	}
1143
1144	/* XXX this can now be made const char * */
1145	int
1146	sshkey_read(struct sshkey ret, char *cpp)
1147	{
1148	struct sshkey *k;
1149	char cp, blobcopy;
1150	size_t space;
1151	int r, type, curve_nid = -1;
1152	struct sshbuf *blob;
1153
1154	if (ret == NULL((void *)0))
1155	return SSH_ERR_INVALID_ARGUMENT-10;
1156	if (ret->type != KEY_UNSPEC && sshkey_impl_from_type(ret->type) == NULL((void *)0))
1157	return SSH_ERR_INVALID_ARGUMENT-10;
1158
1159	/* Decode type */
1160	cp = *cpp;
1161	space = strcspn(cp, " \t");
1162	if (space == strlen(cp))
1163	return SSH_ERR_INVALID_FORMAT-4;
1164	if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC)
1165	return SSH_ERR_INVALID_FORMAT-4;
1166
1167	/* skip whitespace */
1168	for (cp += space; cp == ' ' \|\| cp == '\t'; cp++)
1169	;
1170	if (*cp == '\0')
1171	return SSH_ERR_INVALID_FORMAT-4;
1172	if (ret->type != KEY_UNSPEC && ret->type != type)
1173	return SSH_ERR_KEY_TYPE_MISMATCH-13;
1174	if ((blob = sshbuf_new()) == NULL((void *)0))
1175	return SSH_ERR_ALLOC_FAIL-2;
1176
1177	/* find end of keyblob and decode */
1178	space = strcspn(cp, " \t");
1179	if ((blobcopy = strndup(cp, space)) == NULL((void *)0)) {
1180	sshbuf_free(blob);
1181	return SSH_ERR_ALLOC_FAIL-2;
1182	}
1183	if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) {
1184	free(blobcopy);
1185	sshbuf_free(blob);
1186	return r;
1187	}
1188	free(blobcopy);
1189	if ((r = sshkey_fromb(blob, &k)) != 0) {
1190	sshbuf_free(blob);
1191	return r;
1192	}
1193	sshbuf_free(blob);
1194
1195	/* skip whitespace and leave cp at start of comment */
1196	for (cp += space; cp == ' ' \|\| cp == '\t'; cp++)
1197	;
1198
1199	/* ensure type of blob matches type at start of line */
1200	if (k->type != type) {
1201	sshkey_free(k);
1202	return SSH_ERR_KEY_TYPE_MISMATCH-13;
1203	}
1204	if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) {
1205	sshkey_free(k);
1206	return SSH_ERR_EC_CURVE_MISMATCH-15;
1207	}
1208
1209	/* Fill in ret from parsed key */
1210	sshkey_free_contents(ret);
1211	ret = k;
1212	freezero(k, sizeof(*k));
1213
1214	/* success */
1215	*cpp = cp;
1216	return 0;
1217	}
1218
1219	int
1220	sshkey_to_base64(const struct sshkey key, char *b64p)
1221	{
1222	int r = SSH_ERR_INTERNAL_ERROR-1;
1223	struct sshbuf b = NULL((void )0);
1224	char uu = NULL((void )0);
1225
1226	if (b64p != NULL((void *)0))
1227	b64p = NULL((void )0);
1228	if ((b = sshbuf_new()) == NULL((void *)0))
1229	return SSH_ERR_ALLOC_FAIL-2;
1230	if ((r = sshkey_putb(key, b)) != 0)
1231	goto out;
1232	if ((uu = sshbuf_dtob64_string(b, 0)) == NULL((void *)0)) {
1233	r = SSH_ERR_ALLOC_FAIL-2;
1234	goto out;
1235	}
1236	/* Success */
1237	if (b64p != NULL((void *)0)) {
1238	*b64p = uu;
1239	uu = NULL((void *)0);
1240	}
1241	r = 0;
1242	out:
1243	sshbuf_free(b);
1244	free(uu);
1245	return r;
1246	}
1247
1248	int
1249	sshkey_format_text(const struct sshkey key, struct sshbuf b)
1250	{
1251	int r = SSH_ERR_INTERNAL_ERROR-1;
1252	char uu = NULL((void )0);
1253
1254	if ((r = sshkey_to_base64(key, &uu)) != 0)
1255	goto out;
1256	if ((r = sshbuf_putf(b, "%s %s",
1257	sshkey_ssh_name(key), uu)) != 0)
1258	goto out;
1259	r = 0;
1260	out:
1261	free(uu);
1262	return r;
1263	}
1264
1265	int
1266	sshkey_write(const struct sshkey key, FILE f)
1267	{
1268	struct sshbuf b = NULL((void )0);
1269	int r = SSH_ERR_INTERNAL_ERROR-1;
1270
1271	if ((b = sshbuf_new()) == NULL((void *)0))
1272	return SSH_ERR_ALLOC_FAIL-2;
1273	if ((r = sshkey_format_text(key, b)) != 0)
1274	goto out;
1275	if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
1276	if (feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof )(f)))
1277	errno(*__errno()) = EPIPE32;
1278	r = SSH_ERR_SYSTEM_ERROR-24;
1279	goto out;
1280	}
1281	/* Success */
1282	r = 0;
1283	out:
1284	sshbuf_free(b);
1285	return r;
1286	}
1287
1288	const char *
1289	sshkey_cert_type(const struct sshkey *k)
1290	{
1291	switch (k->cert->type) {
1292	case SSH2_CERT_TYPE_USER1:
1293	return "user";
1294	case SSH2_CERT_TYPE_HOST2:
1295	return "host";
1296	default:
1297	return "unknown";
1298	}
1299	}
1300
1301	int
1302	sshkey_check_rsa_length(const struct sshkey *k, int min_size)
1303	{
1304	#ifdef WITH_OPENSSL1
1305	const BIGNUM *rsa_n;
1306	int nbits;
1307
1308	if (k == NULL((void )0) \|\| k->rsa == NULL((void )0) \|\|
1309	(k->type != KEY_RSA && k->type != KEY_RSA_CERT))
1310	return 0;
1311	RSA_get0_key(k->rsa, &rsa_n, NULL((void )0), NULL((void )0));
1312	nbits = BN_num_bits(rsa_n);
1313	if (nbits < SSH_RSA_MINIMUM_MODULUS_SIZE1024 \|\|
1314	(min_size > 0 && nbits < min_size))
1315	return SSH_ERR_KEY_LENGTH-56;
1316	#endif /* WITH_OPENSSL */
1317	return 0;
1318	}
1319
1320	#ifdef WITH_OPENSSL1
1321	int
1322	sshkey_ecdsa_key_to_nid(EC_KEY *k)
1323	{
1324	EC_GROUP *eg;
1325	int nids[] = {
1326	NID_X9_62_prime256v1415,
1327	NID_secp384r1715,
1328	NID_secp521r1716,
1329	-1
1330	};
1331	int nid;
1332	u_int i;
1333	const EC_GROUP *g = EC_KEY_get0_group(k);
1334
1335	/*
1336	* The group may be stored in a ASN.1 encoded private key in one of two
1337	* ways: as a "named group", which is reconstituted by ASN.1 object ID
1338	* or explicit group parameters encoded into the key blob. Only the
1339	* "named group" case sets the group NID for us, but we can figure
1340	* it out for the other case by comparing against all the groups that
1341	* are supported.
1342	*/
1343	if ((nid = EC_GROUP_get_curve_name(g)) > 0)
1344	return nid;
1345	for (i = 0; nids[i] != -1; i++) {
1346	if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL((void *)0))
1347	return -1;
1348	if (EC_GROUP_cmp(g, eg, NULL((void *)0)) == 0)
1349	break;
1350	EC_GROUP_free(eg);
1351	}
1352	if (nids[i] != -1) {
1353	/* Use the group with the NID attached */
1354	EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE0x001);
1355	if (EC_KEY_set_group(k, eg) != 1) {
1356	EC_GROUP_free(eg);
1357	return -1;
1358	}
1359	}
1360	return nids[i];
1361	}
1362	#endif /* WITH_OPENSSL */
1363
1364	int
1365	sshkey_generate(int type, u_int bits, struct sshkey **keyp)
1366	{
1367	struct sshkey *k;
1368	int ret = SSH_ERR_INTERNAL_ERROR-1;
1369	const struct sshkey_impl *impl;
1370
1371	if (keyp == NULL((void *)0) \|\| sshkey_type_is_cert(type))
1372	return SSH_ERR_INVALID_ARGUMENT-10;
1373	keyp = NULL((void )0);
1374	if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0))
1375	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
1376	if (impl->funcs->generate == NULL((void *)0))
1377	return SSH_ERR_FEATURE_UNSUPPORTED-59;
1378	if ((k = sshkey_new(KEY_UNSPEC)) == NULL((void *)0))
1379	return SSH_ERR_ALLOC_FAIL-2;
1380	k->type = type;
1381	if ((ret = impl->funcs->generate(k, bits)) != 0) {
1382	sshkey_free(k);
1383	return ret;
1384	}
1385	/* success */
1386	*keyp = k;
1387	return 0;
1388	}
1389
1390	int
1391	sshkey_cert_copy(const struct sshkey from_key, struct sshkey to_key)
1392	{
1393	u_int i;
1394	const struct sshkey_cert *from;
1395	struct sshkey_cert *to;
1396	int r = SSH_ERR_INTERNAL_ERROR-1;
1397
1398	if (to_key == NULL((void )0) \|\| (from = from_key->cert) == NULL((void )0))
1399	return SSH_ERR_INVALID_ARGUMENT-10;
1400
1401	if ((to = cert_new()) == NULL((void *)0))
1402	return SSH_ERR_ALLOC_FAIL-2;
1403
1404	if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 \|\|
1405	(r = sshbuf_putb(to->critical, from->critical)) != 0 \|\|
1406	(r = sshbuf_putb(to->extensions, from->extensions)) != 0)
1407	goto out;
1408
1409	to->serial = from->serial;
1410	to->type = from->type;
1411	if (from->key_id == NULL((void *)0))
1412	to->key_id = NULL((void *)0);
1413	else if ((to->key_id = strdup(from->key_id)) == NULL((void *)0)) {
1414	r = SSH_ERR_ALLOC_FAIL-2;
1415	goto out;
1416	}
1417	to->valid_after = from->valid_after;
1418	to->valid_before = from->valid_before;
1419	if (from->signature_key == NULL((void *)0))
1420	to->signature_key = NULL((void *)0);
1421	else if ((r = sshkey_from_private(from->signature_key,
1422	&to->signature_key)) != 0)
1423	goto out;
1424	if (from->signature_type != NULL((void *)0) &&
1425	(to->signature_type = strdup(from->signature_type)) == NULL((void *)0)) {
1426	r = SSH_ERR_ALLOC_FAIL-2;
1427	goto out;
1428	}
1429	if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS256) {
1430	r = SSH_ERR_INVALID_ARGUMENT-10;
1431	goto out;
1432	}
1433	if (from->nprincipals > 0) {
1434	if ((to->principals = calloc(from->nprincipals,
1435	sizeof(to->principals))) == NULL((void )0)) {
1436	r = SSH_ERR_ALLOC_FAIL-2;
1437	goto out;
1438	}
1439	for (i = 0; i < from->nprincipals; i++) {
1440	to->principals[i] = strdup(from->principals[i]);
1441	if (to->principals[i] == NULL((void *)0)) {
1442	to->nprincipals = i;
1443	r = SSH_ERR_ALLOC_FAIL-2;
1444	goto out;
1445	}
1446	}
1447	}
1448	to->nprincipals = from->nprincipals;
1449
1450	/* success */
1451	cert_free(to_key->cert);
1452	to_key->cert = to;
1453	to = NULL((void *)0);
1454	r = 0;
1455	out:
1456	cert_free(to);
1457	return r;
1458	}
1459
1460	int
1461	sshkey_copy_public_sk(const struct sshkey from, struct sshkey to)
1462	{
1463	/* Append security-key application string */
1464	if ((to->sk_application = strdup(from->sk_application)) == NULL((void *)0))
1465	return SSH_ERR_ALLOC_FAIL-2;
1466	return 0;
1467	}
1468
1469	int
1470	sshkey_from_private(const struct sshkey k, struct sshkey *pkp)
1471	{
1472	struct sshkey n = NULL((void )0);
1473	int r = SSH_ERR_INTERNAL_ERROR-1;
1474	const struct sshkey_impl *impl;
1475
1476	pkp = NULL((void )0);
1477	if ((impl = sshkey_impl_from_key(k)) == NULL((void *)0))
1478	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
1479	if ((n = sshkey_new(k->type)) == NULL((void *)0)) {
1480	r = SSH_ERR_ALLOC_FAIL-2;
1481	goto out;
1482	}
1483	if ((r = impl->funcs->copy_public(k, n)) != 0)
1484	goto out;
1485	if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0)
1486	goto out;
1487	/* success */
1488	*pkp = n;
1489	n = NULL((void *)0);
1490	r = 0;
1491	out:
1492	sshkey_free(n);
1493	return r;
1494	}
1495
1496	int
1497	sshkey_is_shielded(struct sshkey *k)
1498	{
1499	return k != NULL((void )0) && k->shielded_private != NULL((void )0);
1500	}
1501
1502	int
1503	sshkey_shield_private(struct sshkey *k)
1504	{
1505	struct sshbuf prvbuf = NULL((void )0);
1506	u_char prekey = NULL((void )0), enc = NULL((void )0), keyiv[SSH_DIGEST_MAX_LENGTH64];
1507	struct sshcipher_ctx cctx = NULL((void )0);
1508	const struct sshcipher *cipher;
1509	size_t i, enclen = 0;
1510	struct sshkey kswap = NULL((void )0), tmp;
1511	int r = SSH_ERR_INTERNAL_ERROR-1;
1512
1513	#ifdef DEBUG_PK
1514	fprintf(stderr(&__sF[2]), "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
1515	#endif
1516	if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER"aes256-ctr")) == NULL((void *)0)) {
1517	r = SSH_ERR_INVALID_ARGUMENT-10;
1518	goto out;
1519	}
1520	if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
1521	ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4)) {
1522	r = SSH_ERR_INTERNAL_ERROR-1;
1523	goto out;
1524	}
1525
1526	/* Prepare a random pre-key, and from it an ephemeral key */
1527	if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN(16 * 1024))) == NULL((void *)0)) {
1528	r = SSH_ERR_ALLOC_FAIL-2;
1529	goto out;
1530	}
1531	arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024));
1532	if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH4,
1533	prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024),
1534	keyiv, SSH_DIGEST_MAX_LENGTH64)) != 0)
1535	goto out;
1536	#ifdef DEBUG_PK
1537	fprintf(stderr(&__sF[2]), "%s: key+iv\n", __func__);
1538	sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4),
1539	stderr(&__sF[2]));
1540	#endif
1541	if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
1542	keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0)
1543	goto out;
1544
1545	/* Serialise and encrypt the private key using the ephemeral key */
1546	if ((prvbuf = sshbuf_new()) == NULL((void *)0)) {
1547	r = SSH_ERR_ALLOC_FAIL-2;
1548	goto out;
1549	}
1550	if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0)
1551	goto out;
1552	if ((r = sshkey_private_serialize_opt(k, prvbuf,
1553	SSHKEY_SERIALIZE_SHIELD)) != 0)
1554	goto out;
1555	/* pad to cipher blocksize */
1556	i = 0;
1557	while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) {
1558	if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0)
1559	goto out;
1560	}
1561	#ifdef DEBUG_PK
1562	fprintf(stderr(&__sF[2]), "%s: serialised\n", __func__);
1563	sshbuf_dump(prvbuf, stderr(&__sF[2]));
1564	#endif
1565	/* encrypt */
1566	enclen = sshbuf_len(prvbuf);
1567	if ((enc = malloc(enclen)) == NULL((void *)0)) {
1568	r = SSH_ERR_ALLOC_FAIL-2;
1569	goto out;
1570	}
1571	if ((r = cipher_crypt(cctx, 0, enc,
1572	sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0)
1573	goto out;
1574	#ifdef DEBUG_PK
1575	fprintf(stderr(&__sF[2]), "%s: encrypted\n", __func__);
1576	sshbuf_dump_data(enc, enclen, stderr(&__sF[2]));
1577	#endif
1578
1579	/* Make a scrubbed, public-only copy of our private key argument */
1580	if ((r = sshkey_from_private(k, &kswap)) != 0)
1581	goto out;
1582
1583	/* Swap the private key out (it will be destroyed below) */
1584	tmp = *kswap;
1585	kswap = k;
1586	*k = tmp;
1587
1588	/* Insert the shielded key into our argument */
1589	k->shielded_private = enc;
1590	k->shielded_len = enclen;
1591	k->shield_prekey = prekey;
1592	k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN(16 * 1024);
1593	enc = prekey = NULL((void )0); / transferred */
1594	enclen = 0;
1595
1596	/* preserve key fields that are required for correct operation */
1597	k->sk_flags = kswap->sk_flags;
1598
1599	/* success */
1600	r = 0;
1601
1602	out:
1603	/* XXX behaviour on error - invalidate original private key? */
1604	cipher_free(cctx);
1605	explicit_bzero(keyiv, sizeof(keyiv));
1606	explicit_bzero(&tmp, sizeof(tmp));
1607	freezero(enc, enclen);
1608	freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024));
1609	sshkey_free(kswap);
1610	sshbuf_free(prvbuf);
1611	return r;
1612	}
1613
1614	/* Check deterministic padding after private key */
1615	static int
1616	private2_check_padding(struct sshbuf *decrypted)
1617	{
1618	u_char pad;
1619	size_t i;
1620	int r;
1621
1622	i = 0;
1623	while (sshbuf_len(decrypted)) {
1624	if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
1625	goto out;
1626	if (pad != (++i & 0xff)) {
1627	r = SSH_ERR_INVALID_FORMAT-4;
1628	goto out;
1629	}
1630	}
1631	/* success */
1632	r = 0;
1633	out:
1634	explicit_bzero(&pad, sizeof(pad));
1635	explicit_bzero(&i, sizeof(i));
1636	return r;
1637	}
1638
1639	int
1640	sshkey_unshield_private(struct sshkey *k)
1641	{
1642	struct sshbuf prvbuf = NULL((void )0);
1643	u_char *cp, keyiv[SSH_DIGEST_MAX_LENGTH64];
1644	struct sshcipher_ctx cctx = NULL((void )0);
1645	const struct sshcipher *cipher;
1646	struct sshkey kswap = NULL((void )0), tmp;
1647	int r = SSH_ERR_INTERNAL_ERROR-1;
1648
1649	#ifdef DEBUG_PK
1650	fprintf(stderr(&__sF[2]), "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
1651	#endif
1652	if (!sshkey_is_shielded(k))
1653	return 0; /* nothing to do */
1654
1655	if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER"aes256-ctr")) == NULL((void *)0)) {
1656	r = SSH_ERR_INVALID_ARGUMENT-10;
1657	goto out;
1658	}
1659	if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
1660	ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4)) {
1661	r = SSH_ERR_INTERNAL_ERROR-1;
1662	goto out;
1663	}
1664	/* check size of shielded key blob */
1665	if (k->shielded_len < cipher_blocksize(cipher) \|\|
1666	(k->shielded_len % cipher_blocksize(cipher)) != 0) {
1667	r = SSH_ERR_INVALID_FORMAT-4;
1668	goto out;
1669	}
1670
1671	/* Calculate the ephemeral key from the prekey */
1672	if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH4,
1673	k->shield_prekey, k->shield_prekey_len,
1674	keyiv, SSH_DIGEST_MAX_LENGTH64)) != 0)
1675	goto out;
1676	if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
1677	keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0)
1678	goto out;
1679	#ifdef DEBUG_PK
1680	fprintf(stderr(&__sF[2]), "%s: key+iv\n", __func__);
1681	sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4),
1682	stderr(&__sF[2]));
1683	#endif
1684
1685	/* Decrypt and parse the shielded private key using the ephemeral key */
1686	if ((prvbuf = sshbuf_new()) == NULL((void *)0)) {
1687	r = SSH_ERR_ALLOC_FAIL-2;
1688	goto out;
1689	}
1690	if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0)
1691	goto out;
1692	/* decrypt */
1693	#ifdef DEBUG_PK
1694	fprintf(stderr(&__sF[2]), "%s: encrypted\n", __func__);
1695	sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr(&__sF[2]));
1696	#endif
1697	if ((r = cipher_crypt(cctx, 0, cp,
1698	k->shielded_private, k->shielded_len, 0, 0)) != 0)
1699	goto out;
1700	#ifdef DEBUG_PK
1701	fprintf(stderr(&__sF[2]), "%s: serialised\n", __func__);
1702	sshbuf_dump(prvbuf, stderr(&__sF[2]));
1703	#endif
1704	/* Parse private key */
1705	if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0)
1706	goto out;
1707
1708	if ((r = private2_check_padding(prvbuf)) != 0)
1709	goto out;
1710
1711	/* Swap the parsed key back into place */
1712	tmp = *kswap;
1713	kswap = k;
1714	*k = tmp;
1715
1716	/* success */
1717	r = 0;
1718
1719	out:
1720	cipher_free(cctx);
1721	explicit_bzero(keyiv, sizeof(keyiv));
1722	explicit_bzero(&tmp, sizeof(tmp));
1723	sshkey_free(kswap);
1724	sshbuf_free(prvbuf);
1725	return r;
1726	}
1727
1728	static int
1729	cert_parse(struct sshbuf b, struct sshkey key, struct sshbuf *certbuf)
1730	{
1731	struct sshbuf principals = NULL((void )0), crit = NULL((void )0);
1732	struct sshbuf exts = NULL((void )0), ca = NULL((void )0);
1733	u_char sig = NULL((void )0);
1734	size_t signed_len = 0, slen = 0, kidlen = 0;
1735	int ret = SSH_ERR_INTERNAL_ERROR-1;
1736
1737	/* Copy the entire key blob for verification and later serialisation */
1738	if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
1739	return ret;
1740
1741	/* Parse body of certificate up to signature */
1742	if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 \|\|
1743	(ret = sshbuf_get_u32(b, &key->cert->type)) != 0 \|\|
1744	(ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 \|\|
1745	(ret = sshbuf_froms(b, &principals)) != 0 \|\|
1746	(ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 \|\|
1747	(ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 \|\|
1748	(ret = sshbuf_froms(b, &crit)) != 0 \|\|
1749	(ret = sshbuf_froms(b, &exts)) != 0 \|\|
	Although the value stored to 'ret' is used in the enclosing expression, the value is never actually read from 'ret'
1750	(ret = sshbuf_get_string_direct(b, NULL((void )0), NULL((void )0))) != 0 \|\|
1751	(ret = sshbuf_froms(b, &ca)) != 0) {
1752	/* XXX debug print error for ret */
1753	ret = SSH_ERR_INVALID_FORMAT-4;
1754	goto out;
1755	}
1756
1757	/* Signature is left in the buffer so we can calculate this length */
1758	signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
1759
1760	if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
1761	ret = SSH_ERR_INVALID_FORMAT-4;
1762	goto out;
1763	}
1764
1765	if (key->cert->type != SSH2_CERT_TYPE_USER1 &&
1766	key->cert->type != SSH2_CERT_TYPE_HOST2) {
1767	ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE-18;
1768	goto out;
1769	}
1770
1771	/* Parse principals section */
1772	while (sshbuf_len(principals) > 0) {
1773	char principal = NULL((void )0);
1774	char *oprincipals = NULL((void )0);
1775
1776	if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS256) {
1777	ret = SSH_ERR_INVALID_FORMAT-4;
1778	goto out;
1779	}
1780	if ((ret = sshbuf_get_cstring(principals, &principal,
1781	NULL((void *)0))) != 0) {
1782	ret = SSH_ERR_INVALID_FORMAT-4;
1783	goto out;
1784	}
1785	oprincipals = key->cert->principals;
1786	key->cert->principals = recallocarray(key->cert->principals,
1787	key->cert->nprincipals, key->cert->nprincipals + 1,
1788	sizeof(*key->cert->principals));
1789	if (key->cert->principals == NULL((void *)0)) {
1790	free(principal);
1791	key->cert->principals = oprincipals;
1792	ret = SSH_ERR_ALLOC_FAIL-2;
1793	goto out;
1794	}
1795	key->cert->principals[key->cert->nprincipals++] = principal;
1796	}
1797
1798	/*
1799	* Stash a copies of the critical options and extensions sections
1800	* for later use.
1801	*/
1802	if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 \|\|
1803	(exts != NULL((void *)0) &&
1804	(ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
1805	goto out;
1806
1807	/*
1808	* Validate critical options and extensions sections format.
1809	*/
1810	while (sshbuf_len(crit) != 0) {
1811	if ((ret = sshbuf_get_string_direct(crit, NULL((void )0), NULL((void )0))) != 0 \|\|
1812	(ret = sshbuf_get_string_direct(crit, NULL((void )0), NULL((void )0))) != 0) {
1813	sshbuf_reset(key->cert->critical);
1814	ret = SSH_ERR_INVALID_FORMAT-4;
1815	goto out;
1816	}
1817	}
1818	while (exts != NULL((void *)0) && sshbuf_len(exts) != 0) {
1819	if ((ret = sshbuf_get_string_direct(exts, NULL((void )0), NULL((void )0))) != 0 \|\|
1820	(ret = sshbuf_get_string_direct(exts, NULL((void )0), NULL((void )0))) != 0) {
1821	sshbuf_reset(key->cert->extensions);
1822	ret = SSH_ERR_INVALID_FORMAT-4;
1823	goto out;
1824	}
1825	}
1826
1827	/* Parse CA key and check signature */
1828	if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
1829	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19;
1830	goto out;
1831	}
1832	if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
1833	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19;
1834	goto out;
1835	}
1836	if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
1837	sshbuf_ptr(key->cert->certblob), signed_len, NULL((void )0), 0, NULL((void )0))) != 0)
1838	goto out;
1839	if ((ret = sshkey_get_sigtype(sig, slen,
1840	&key->cert->signature_type)) != 0)
1841	goto out;
1842
1843	/* Success */
1844	ret = 0;
1845	out:
1846	sshbuf_free(ca);
1847	sshbuf_free(crit);
1848	sshbuf_free(exts);
1849	sshbuf_free(principals);
1850	free(sig);
1851	return ret;
1852	}
1853
1854	int
1855	sshkey_deserialize_sk(struct sshbuf b, struct sshkey key)
1856	{
1857	/* Parse additional security-key application string */
1858	if (sshbuf_get_cstring(b, &key->sk_application, NULL((void *)0)) != 0)
1859	return SSH_ERR_INVALID_FORMAT-4;
1860	return 0;
1861	}
1862
1863	static int
1864	sshkey_from_blob_internal(struct sshbuf b, struct sshkey *keyp,
1865	int allow_cert)
1866	{
1867	int type, ret = SSH_ERR_INTERNAL_ERROR-1;
1868	char ktype = NULL((void )0);
1869	struct sshkey key = NULL((void )0);
1870	struct sshbuf *copy;
1871	const struct sshkey_impl *impl;
1872
1873	#ifdef DEBUG_PK /* XXX */
1874	sshbuf_dump(b, stderr(&__sF[2]));
1875	#endif
1876	if (keyp != NULL((void *)0))
1877	keyp = NULL((void )0);
1878	if ((copy = sshbuf_fromb(b)) == NULL((void *)0)) {
1879	ret = SSH_ERR_ALLOC_FAIL-2;
1880	goto out;
1881	}
1882	if (sshbuf_get_cstring(b, &ktype, NULL((void *)0)) != 0) {
1883	ret = SSH_ERR_INVALID_FORMAT-4;
1884	goto out;
1885	}
1886
1887	type = sshkey_type_from_name(ktype);
1888	if (!allow_cert && sshkey_type_is_cert(type)) {
1889	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19;
1890	goto out;
1891	}
1892	if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0)) {
1893	ret = SSH_ERR_KEY_TYPE_UNKNOWN-14;
1894	goto out;
1895	}
1896	if ((key = sshkey_new(type)) == NULL((void *)0)) {
1897	ret = SSH_ERR_ALLOC_FAIL-2;
1898	goto out;
1899	}
1900	if (sshkey_type_is_cert(type)) {
1901	/* Skip nonce that precedes all certificates */
1902	if (sshbuf_get_string_direct(b, NULL((void )0), NULL((void )0)) != 0) {
1903	ret = SSH_ERR_INVALID_FORMAT-4;
1904	goto out;
1905	}
1906	}
1907	if ((ret = impl->funcs->deserialize_public(ktype, b, key)) != 0)
1908	goto out;
1909
1910	/* Parse certificate potion */
1911	if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
1912	goto out;
1913
1914	if (key != NULL((void *)0) && sshbuf_len(b) != 0) {
1915	ret = SSH_ERR_INVALID_FORMAT-4;
1916	goto out;
1917	}
1918	ret = 0;
1919	if (keyp != NULL((void *)0)) {
1920	*keyp = key;
1921	key = NULL((void *)0);
1922	}
1923	out:
1924	sshbuf_free(copy);
1925	sshkey_free(key);
1926	free(ktype);
1927	return ret;
1928	}
1929
1930	int
1931	sshkey_from_blob(const u_char blob, size_t blen, struct sshkey *keyp)
1932	{
1933	struct sshbuf *b;
1934	int r;
1935
1936	if ((b = sshbuf_from(blob, blen)) == NULL((void *)0))
1937	return SSH_ERR_ALLOC_FAIL-2;
1938	r = sshkey_from_blob_internal(b, keyp, 1);
1939	sshbuf_free(b);
1940	return r;
1941	}
1942
1943	int
1944	sshkey_fromb(struct sshbuf b, struct sshkey *keyp)
1945	{
1946	return sshkey_from_blob_internal(b, keyp, 1);
1947	}
1948
1949	int
1950	sshkey_froms(struct sshbuf buf, struct sshkey *keyp)
1951	{
1952	struct sshbuf *b;
1953	int r;
1954
1955	if ((r = sshbuf_froms(buf, &b)) != 0)
1956	return r;
1957	r = sshkey_from_blob_internal(b, keyp, 1);
1958	sshbuf_free(b);
1959	return r;
1960	}
1961
1962	int
1963	sshkey_get_sigtype(const u_char sig, size_t siglen, char *sigtypep)
1964	{
1965	int r;
1966	struct sshbuf b = NULL((void )0);
1967	char sigtype = NULL((void )0);
1968
1969	if (sigtypep != NULL((void *)0))
1970	sigtypep = NULL((void )0);
1971	if ((b = sshbuf_from(sig, siglen)) == NULL((void *)0))
1972	return SSH_ERR_ALLOC_FAIL-2;
1973	if ((r = sshbuf_get_cstring(b, &sigtype, NULL((void *)0))) != 0)
1974	goto out;
1975	/* success */
1976	if (sigtypep != NULL((void *)0)) {
1977	*sigtypep = sigtype;
1978	sigtype = NULL((void *)0);
1979	}
1980	r = 0;
1981	out:
1982	free(sigtype);
1983	sshbuf_free(b);
1984	return r;
1985	}
1986
1987	/*
1988	*
1989	* Checks whether a certificate's signature type is allowed.
1990	* Returns 0 (success) if the certificate signature type appears in the
1991	* "allowed" pattern-list, or the key is not a certificate to begin with.
1992	* Otherwise returns a ssherr.h code.
1993	*/
1994	int
1995	sshkey_check_cert_sigtype(const struct sshkey key, const char allowed)
1996	{
1997	if (key == NULL((void )0) \|\| allowed == NULL((void )0))
1998	return SSH_ERR_INVALID_ARGUMENT-10;
1999	if (!sshkey_type_is_cert(key->type))
2000	return 0;
2001	if (key->cert == NULL((void )0) \|\| key->cert->signature_type == NULL((void )0))
2002	return SSH_ERR_INVALID_ARGUMENT-10;
2003	if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
2004	return SSH_ERR_SIGN_ALG_UNSUPPORTED-58;
2005	return 0;
2006	}
2007
2008	/*
2009	* Returns the expected signature algorithm for a given public key algorithm.
2010	*/
2011	const char *
2012	sshkey_sigalg_by_name(const char *name)
2013	{
2014	const struct sshkey_impl *impl;
2015	int i;
2016
2017	for (i = 0; keyimpls[i] != NULL((void *)0); i++) {
2018	impl = keyimpls[i];
2019	if (strcmp(impl->name, name) != 0)
2020	continue;
2021	if (impl->sigalg != NULL((void *)0))
2022	return impl->sigalg;
2023	if (!impl->cert)
2024	return impl->name;
2025	return sshkey_ssh_name_from_type_nid(
2026	sshkey_type_plain(impl->type), impl->nid);
2027	}
2028	return NULL((void *)0);
2029	}
2030
2031	/*
2032	* Verifies that the signature algorithm appearing inside the signature blob
2033	* matches that which was requested.
2034	*/
2035	int
2036	sshkey_check_sigtype(const u_char *sig, size_t siglen,
2037	const char *requested_alg)
2038	{
2039	const char *expected_alg;
2040	char sigtype = NULL((void )0);
2041	int r;
2042
2043	if (requested_alg == NULL((void *)0))
2044	return 0;
2045	if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL((void *)0))
2046	return SSH_ERR_INVALID_ARGUMENT-10;
2047	if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0)
2048	return r;
2049	r = strcmp(expected_alg, sigtype) == 0;
2050	free(sigtype);
2051	return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED-58;
2052	}
2053
2054	int
2055	sshkey_sign(struct sshkey *key,
2056	u_char *sigp, size_t lenp,
2057	const u_char *data, size_t datalen,
2058	const char alg, const char sk_provider, const char *sk_pin, u_int compat)
2059	{
2060	int was_shielded = sshkey_is_shielded(key);
2061	int r2, r = SSH_ERR_INTERNAL_ERROR-1;
2062	const struct sshkey_impl *impl;
2063
2064	if (sigp != NULL((void *)0))
2065	sigp = NULL((void )0);
2066	if (lenp != NULL((void *)0))
2067	*lenp = 0;
2068	if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE(1 << 20))
2069	return SSH_ERR_INVALID_ARGUMENT-10;
2070	if ((impl = sshkey_impl_from_key(key)) == NULL((void *)0))
2071	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
2072	if ((r = sshkey_unshield_private(key)) != 0)
2073	return r;
2074	if (sshkey_is_sk(key)) {
2075	r = sshsk_sign(sk_provider, key, sigp, lenp, data,
2076	datalen, compat, sk_pin);
2077	} else {
2078	if (impl->funcs->sign == NULL((void *)0))
2079	r = SSH_ERR_SIGN_ALG_UNSUPPORTED-58;
2080	else {
2081	r = impl->funcs->sign(key, sigp, lenp, data, datalen,
2082	alg, sk_provider, sk_pin, compat);
2083	}
2084	}
2085	if (was_shielded && (r2 = sshkey_shield_private(key)) != 0)
2086	return r2;
2087	return r;
2088	}
2089
2090	/*
2091	* ssh_key_verify returns 0 for a correct signature and < 0 on error.
2092	* If "alg" specified, then the signature must use that algorithm.
2093	*/
2094	int
2095	sshkey_verify(const struct sshkey *key,
2096	const u_char *sig, size_t siglen,
2097	const u_char data, size_t dlen, const char alg, u_int compat,
2098	struct sshkey_sig_details **detailsp)
2099	{
2100	const struct sshkey_impl *impl;
2101
2102	if (detailsp != NULL((void *)0))
2103	detailsp = NULL((void )0);
2104	if (siglen == 0 \|\| dlen > SSH_KEY_MAX_SIGN_DATA_SIZE(1 << 20))
2105	return SSH_ERR_INVALID_ARGUMENT-10;
2106	if ((impl = sshkey_impl_from_key(key)) == NULL((void *)0))
2107	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
2108	return impl->funcs->verify(key, sig, siglen, data, dlen,
2109	alg, compat, detailsp);
2110	}
2111
2112	/* Convert a plain key to their _CERT equivalent */
2113	int
2114	sshkey_to_certified(struct sshkey *k)
2115	{
2116	int newtype;
2117
2118	if ((newtype = sshkey_type_certified(k->type)) == -1)
2119	return SSH_ERR_INVALID_ARGUMENT-10;
2120	if ((k->cert = cert_new()) == NULL((void *)0))
2121	return SSH_ERR_ALLOC_FAIL-2;
2122	k->type = newtype;
2123	return 0;
2124	}
2125
2126	/* Convert a certificate to its raw key equivalent */
2127	int
2128	sshkey_drop_cert(struct sshkey *k)
2129	{
2130	if (!sshkey_type_is_cert(k->type))
2131	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
2132	cert_free(k->cert);
2133	k->cert = NULL((void *)0);
2134	k->type = sshkey_type_plain(k->type);
2135	return 0;
2136	}
2137
2138	/* Sign a certified key, (re-)generating the signed certblob. */
2139	int
2140	sshkey_certify_custom(struct sshkey k, struct sshkey ca, const char *alg,
2141	const char sk_provider, const char sk_pin,
2142	sshkey_certify_signer signer, void signer_ctx)
2143	{
2144	const struct sshkey_impl *impl;
2145	struct sshbuf principals = NULL((void )0);
2146	u_char ca_blob = NULL((void )0), sig_blob = NULL((void )0), nonce[32];
2147	size_t i, ca_len, sig_len;
2148	int ret = SSH_ERR_INTERNAL_ERROR-1;
2149	struct sshbuf cert = NULL((void )0);
2150	char sigtype = NULL((void )0);
2151
2152	if (k == NULL((void )0) \|\| k->cert == NULL((void )0) \|\|
2153	k->cert->certblob == NULL((void )0) \|\| ca == NULL((void )0))
2154	return SSH_ERR_INVALID_ARGUMENT-10;
2155	if (!sshkey_is_cert(k))
2156	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
2157	if (!sshkey_type_is_valid_ca(ca->type))
2158	return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19;
2159	if ((impl = sshkey_impl_from_key(k)) == NULL((void *)0))
2160	return SSH_ERR_INTERNAL_ERROR-1;
2161
2162	/*
2163	* If no alg specified as argument but a signature_type was set,
2164	* then prefer that. If both were specified, then they must match.
2165	*/
2166	if (alg == NULL((void *)0))
2167	alg = k->cert->signature_type;
2168	else if (k->cert->signature_type != NULL((void *)0) &&
2169	strcmp(alg, k->cert->signature_type) != 0)
2170	return SSH_ERR_INVALID_ARGUMENT-10;
2171
2172	/*
2173	* If no signing algorithm or signature_type was specified and we're
2174	* using a RSA key, then default to a good signature algorithm.
2175	*/
2176	if (alg == NULL((void *)0) && ca->type == KEY_RSA)
2177	alg = "rsa-sha2-512";
2178
2179	if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
2180	return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19;
2181
2182	cert = k->cert->certblob; /* for readability */
2183	sshbuf_reset(cert);
2184	if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
2185	goto out;
2186
2187	/* -v01 certs put nonce first */
2188	arc4random_buf(&nonce, sizeof(nonce));
2189	if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2190	goto out;
2191
2192	/* Public key next */
2193	if ((ret = impl->funcs->serialize_public(k, cert,
2194	SSHKEY_SERIALIZE_DEFAULT)) != 0)
2195	goto out;
2196
2197	/* Then remaining cert fields */
2198	if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 \|\|
2199	(ret = sshbuf_put_u32(cert, k->cert->type)) != 0 \|\|
2200	(ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
2201	goto out;
2202
2203	if ((principals = sshbuf_new()) == NULL((void *)0)) {
2204	ret = SSH_ERR_ALLOC_FAIL-2;
2205	goto out;
2206	}
2207	for (i = 0; i < k->cert->nprincipals; i++) {
2208	if ((ret = sshbuf_put_cstring(principals,
2209	k->cert->principals[i])) != 0)
2210	goto out;
2211	}
2212	if ((ret = sshbuf_put_stringb(cert, principals)) != 0 \|\|
2213	(ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 \|\|
2214	(ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 \|\|
2215	(ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 \|\|
2216	(ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 \|\|
2217	(ret = sshbuf_put_string(cert, NULL((void )0), 0)) != 0 \|\| / Reserved */
2218	(ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2219	goto out;
2220
2221	/* Sign the whole mess */
2222	if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2223	sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0)
2224	goto out;
2225	/* Check and update signature_type against what was actually used */
2226	if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
2227	goto out;
2228	if (alg != NULL((void *)0) && strcmp(alg, sigtype) != 0) {
2229	ret = SSH_ERR_SIGN_ALG_UNSUPPORTED-58;
2230	goto out;
2231	}
2232	if (k->cert->signature_type == NULL((void *)0)) {
2233	k->cert->signature_type = sigtype;
2234	sigtype = NULL((void *)0);
2235	}
2236	/* Append signature and we are done */
2237	if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
2238	goto out;
2239	ret = 0;
2240	out:
2241	if (ret != 0)
2242	sshbuf_reset(cert);
2243	free(sig_blob);
2244	free(ca_blob);
2245	free(sigtype);
2246	sshbuf_free(principals);
2247	return ret;
2248	}
2249
2250	static int
2251	default_key_sign(struct sshkey key, u_char sigp, size_t lenp,
2252	const u_char *data, size_t datalen,
2253	const char alg, const char sk_provider, const char *sk_pin,
2254	u_int compat, void *ctx)
2255	{
2256	if (ctx != NULL((void *)0))
2257	return SSH_ERR_INVALID_ARGUMENT-10;
2258	return sshkey_sign(key, sigp, lenp, data, datalen, alg,
2259	sk_provider, sk_pin, compat);
2260	}
2261
2262	int
2263	sshkey_certify(struct sshkey k, struct sshkey ca, const char *alg,
2264	const char sk_provider, const char sk_pin)
2265	{
2266	return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin,
2267	default_key_sign, NULL((void *)0));
2268	}
2269
2270	int
2271	sshkey_cert_check_authority(const struct sshkey *k,
2272	int want_host, int require_principal, int wildcard_pattern,
2273	uint64_t verify_time, const char name, const char *reason)
2274	{
2275	u_int i, principal_matches;
2276
2277	if (reason == NULL((void *)0))
2278	return SSH_ERR_INVALID_ARGUMENT-10;
2279	if (!sshkey_is_cert(k)) {
2280	*reason = "Key is not a certificate";
2281	return SSH_ERR_KEY_CERT_INVALID-25;
2282	}
2283	if (want_host) {
2284	if (k->cert->type != SSH2_CERT_TYPE_HOST2) {
2285	*reason = "Certificate invalid: not a host certificate";
2286	return SSH_ERR_KEY_CERT_INVALID-25;
2287	}
2288	} else {
2289	if (k->cert->type != SSH2_CERT_TYPE_USER1) {
2290	*reason = "Certificate invalid: not a user certificate";
2291	return SSH_ERR_KEY_CERT_INVALID-25;
2292	}
2293	}
2294	if (verify_time < k->cert->valid_after) {
2295	*reason = "Certificate invalid: not yet valid";
2296	return SSH_ERR_KEY_CERT_INVALID-25;
2297	}
2298	if (verify_time >= k->cert->valid_before) {
2299	*reason = "Certificate invalid: expired";
2300	return SSH_ERR_KEY_CERT_INVALID-25;
2301	}
2302	if (k->cert->nprincipals == 0) {
2303	if (require_principal) {
2304	*reason = "Certificate lacks principal list";
2305	return SSH_ERR_KEY_CERT_INVALID-25;
2306	}
2307	} else if (name != NULL((void *)0)) {
2308	principal_matches = 0;
2309	for (i = 0; i < k->cert->nprincipals; i++) {
2310	if (wildcard_pattern) {
2311	if (match_pattern(k->cert->principals[i],
2312	name)) {
2313	principal_matches = 1;
2314	break;
2315	}
2316	} else if (strcmp(name, k->cert->principals[i]) == 0) {
2317	principal_matches = 1;
2318	break;
2319	}
2320	}
2321	if (!principal_matches) {
2322	*reason = "Certificate invalid: name is not a listed "
2323	"principal";
2324	return SSH_ERR_KEY_CERT_INVALID-25;
2325	}
2326	}
2327	return 0;
2328	}
2329
2330	int
2331	sshkey_cert_check_authority_now(const struct sshkey *k,
2332	int want_host, int require_principal, int wildcard_pattern,
2333	const char name, const char *reason)
2334	{
2335	time_t now;
2336
2337	if ((now = time(NULL((void *)0))) < 0) {
2338	/* yikes - system clock before epoch! */
2339	*reason = "Certificate invalid: not yet valid";
2340	return SSH_ERR_KEY_CERT_INVALID-25;
2341	}
2342	return sshkey_cert_check_authority(k, want_host, require_principal,
2343	wildcard_pattern, (uint64_t)now, name, reason);
2344	}
2345
2346	int
2347	sshkey_cert_check_host(const struct sshkey key, const char host,
2348	int wildcard_principals, const char *ca_sign_algorithms,
2349	const char **reason)
2350	{
2351	int r;
2352
2353	if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals,
2354	host, reason)) != 0)
2355	return r;
2356	if (sshbuf_len(key->cert->critical) != 0) {
2357	*reason = "Certificate contains unsupported critical options";
2358	return SSH_ERR_KEY_CERT_INVALID-25;
2359	}
2360	if (ca_sign_algorithms != NULL((void *)0) &&
2361	(r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) {
2362	*reason = "Certificate signed with disallowed algorithm";
2363	return SSH_ERR_KEY_CERT_INVALID-25;
2364	}
2365	return 0;
2366	}
2367
2368	size_t
2369	sshkey_format_cert_validity(const struct sshkey_cert cert, char s, size_t l)
2370	{
2371	char from[32], to[32], ret[128];
2372
2373	from = to = '\0';
2374	if (cert->valid_after == 0 &&
2375	cert->valid_before == 0xffffffffffffffffULL)
2376	return strlcpy(s, "forever", l);
2377
2378	if (cert->valid_after != 0)
2379	format_absolute_time(cert->valid_after, from, sizeof(from));
2380	if (cert->valid_before != 0xffffffffffffffffULL)
2381	format_absolute_time(cert->valid_before, to, sizeof(to));
2382
2383	if (cert->valid_after == 0)
2384	snprintf(ret, sizeof(ret), "before %s", to);
2385	else if (cert->valid_before == 0xffffffffffffffffULL)
2386	snprintf(ret, sizeof(ret), "after %s", from);
2387	else
2388	snprintf(ret, sizeof(ret), "from %s to %s", from, to);
2389
2390	return strlcpy(s, ret, l);
2391	}
2392
2393	/* Common serialization for FIDO private keys */
2394	int
2395	sshkey_serialize_private_sk(const struct sshkey key, struct sshbuf b)
2396	{
2397	int r;
2398
2399	if ((r = sshbuf_put_cstring(b, key->sk_application)) != 0 \|\|
2400	(r = sshbuf_put_u8(b, key->sk_flags)) != 0 \|\|
2401	(r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 \|\|
2402	(r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
2403	return r;
2404
2405	return 0;
2406	}
2407
2408	int
2409	sshkey_private_serialize_opt(struct sshkey key, struct sshbuf buf,
2410	enum sshkey_serialize_rep opts)
2411	{
2412	int r = SSH_ERR_INTERNAL_ERROR-1;
2413	int was_shielded = sshkey_is_shielded(key);
2414	struct sshbuf b = NULL((void )0);
2415	const struct sshkey_impl *impl;
2416
2417	if ((impl = sshkey_impl_from_key(key)) == NULL((void *)0))
2418	return SSH_ERR_INTERNAL_ERROR-1;
2419	if ((r = sshkey_unshield_private(key)) != 0)
2420	return r;
2421	if ((b = sshbuf_new()) == NULL((void *)0))
2422	return SSH_ERR_ALLOC_FAIL-2;
2423	if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
2424	goto out;
2425	if (sshkey_is_cert(key)) {
2426	if (key->cert == NULL((void *)0) \|\|
2427	sshbuf_len(key->cert->certblob) == 0) {
2428	r = SSH_ERR_INVALID_ARGUMENT-10;
2429	goto out;
2430	}
2431	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0)
2432	goto out;
2433	}
2434	if ((r = impl->funcs->serialize_private(key, b, opts)) != 0)
2435	goto out;
2436
2437	/*
2438	* success (but we still need to append the output to buf after
2439	* possibly re-shielding the private key)
2440	*/
2441	r = 0;
2442	out:
2443	if (was_shielded)
2444	r = sshkey_shield_private(key);
2445	if (r == 0)
2446	r = sshbuf_putb(buf, b);
2447	sshbuf_free(b);
2448
2449	return r;
2450	}
2451
2452	int
2453	sshkey_private_serialize(struct sshkey key, struct sshbuf b)
2454	{
2455	return sshkey_private_serialize_opt(key, b,
2456	SSHKEY_SERIALIZE_DEFAULT);
2457	}
2458
2459	/* Shared deserialization of FIDO private key components */
2460	int
2461	sshkey_private_deserialize_sk(struct sshbuf buf, struct sshkey k)
2462	{
2463	int r;
2464
2465	if ((k->sk_key_handle = sshbuf_new()) == NULL((void *)0) \|\|
2466	(k->sk_reserved = sshbuf_new()) == NULL((void *)0))
2467	return SSH_ERR_ALLOC_FAIL-2;
2468	if ((r = sshbuf_get_cstring(buf, &k->sk_application, NULL((void *)0))) != 0 \|\|
2469	(r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 \|\|
2470	(r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 \|\|
2471	(r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
2472	return r;
2473
2474	return 0;
2475	}
2476
2477	int
2478	sshkey_private_deserialize(struct sshbuf buf, struct sshkey *kp)
2479	{
2480	const struct sshkey_impl *impl;
2481	char tname = NULL((void )0);
2482	char expect_sk_application = NULL((void )0);
2483	u_char expect_ed25519_pk = NULL((void )0);
2484	struct sshkey k = NULL((void )0);
2485	int type, r = SSH_ERR_INTERNAL_ERROR-1;
2486
2487	if (kp != NULL((void *)0))
2488	kp = NULL((void )0);
2489	if ((r = sshbuf_get_cstring(buf, &tname, NULL((void *)0))) != 0)
2490	goto out;
2491	type = sshkey_type_from_name(tname);
2492	if (sshkey_type_is_cert(type)) {
2493	/*
2494	* Certificate key private keys begin with the certificate
2495	* itself. Make sure this matches the type of the enclosing
2496	* private key.
2497	*/
2498	if ((r = sshkey_froms(buf, &k)) != 0)
2499	goto out;
2500	if (k->type != type) {
2501	r = SSH_ERR_KEY_CERT_MISMATCH-45;
2502	goto out;
2503	}
2504	/* For ECDSA keys, the group must match too */
2505	if (k->type == KEY_ECDSA &&
2506	k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
2507	r = SSH_ERR_KEY_CERT_MISMATCH-45;
2508	goto out;
2509	}
2510	/*
2511	* Several fields are redundant between certificate and
2512	* private key body, we require these to match.
2513	*/
2514	expect_sk_application = k->sk_application;
2515	expect_ed25519_pk = k->ed25519_pk;
2516	k->sk_application = NULL((void *)0);
2517	k->ed25519_pk = NULL((void *)0);
2518	/* XXX xmss too or refactor */
2519	} else {
2520	if ((k = sshkey_new(type)) == NULL((void *)0)) {
2521	r = SSH_ERR_ALLOC_FAIL-2;
2522	goto out;
2523	}
2524	}
2525	if ((impl = sshkey_impl_from_type(type)) == NULL((void *)0)) {
2526	r = SSH_ERR_INTERNAL_ERROR-1;
2527	goto out;
2528	}
2529	if ((r = impl->funcs->deserialize_private(tname, buf, k)) != 0)
2530	goto out;
2531
2532	/* XXX xmss too or refactor */
2533	if ((expect_sk_application != NULL((void )0) && (k->sk_application == NULL((void )0) \|\|
2534	strcmp(expect_sk_application, k->sk_application) != 0)) \|\|
2535	(expect_ed25519_pk != NULL((void )0) && (k->ed25519_pk == NULL((void )0) \|\|
2536	memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ32U) != 0))) {
2537	r = SSH_ERR_KEY_CERT_MISMATCH-45;
2538	goto out;
2539	}
2540	/* success */
2541	r = 0;
2542	if (kp != NULL((void *)0)) {
2543	*kp = k;
2544	k = NULL((void *)0);
2545	}
2546	out:
2547	free(tname);
2548	sshkey_free(k);
2549	free(expect_sk_application);
2550	free(expect_ed25519_pk);
2551	return r;
2552	}
2553
2554	#ifdef WITH_OPENSSL1
2555	int
2556	sshkey_ec_validate_public(const EC_GROUP group, const EC_POINT public)
2557	{
2558	EC_POINT nq = NULL((void )0);
2559	BIGNUM order = NULL((void )0), x = NULL((void )0), y = NULL((void )0), tmp = NULL((void )0);
2560	int ret = SSH_ERR_KEY_INVALID_EC_VALUE-20;
2561
2562	/*
2563	* NB. This assumes OpenSSL has already verified that the public
2564	* point lies on the curve. This is done by EC_POINT_oct2point()
2565	* implicitly calling EC_POINT_is_on_curve(). If this code is ever
2566	* reachable with public points not unmarshalled using
2567	* EC_POINT_oct2point then the caller will need to explicitly check.
2568	*/
2569
2570	/*
2571	* We shouldn't ever hit this case because bignum_get_ecpoint()
2572	* refuses to load GF2m points.
2573	*/
2574	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2575	NID_X9_62_prime_field406)
2576	goto out;
2577
2578	/* Q != infinity */
2579	if (EC_POINT_is_at_infinity(group, public))
2580	goto out;
2581
2582	if ((x = BN_new()) == NULL((void *)0) \|\|
2583	(y = BN_new()) == NULL((void *)0) \|\|
2584	(order = BN_new()) == NULL((void *)0) \|\|
2585	(tmp = BN_new()) == NULL((void *)0)) {
2586	ret = SSH_ERR_ALLOC_FAIL-2;
2587	goto out;
2588	}
2589
2590	/* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
2591	if (EC_GROUP_get_order(group, order, NULL((void *)0)) != 1 \|\|
2592	EC_POINT_get_affine_coordinates_GFp(group, public,
2593	x, y, NULL((void *)0)) != 1) {
2594	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
2595	goto out;
2596	}
2597	if (BN_num_bits(x) <= BN_num_bits(order) / 2 \|\|
2598	BN_num_bits(y) <= BN_num_bits(order) / 2)
2599	goto out;
2600
2601	/* nQ == infinity (n == order of subgroup) */
2602	if ((nq = EC_POINT_new(group)) == NULL((void *)0)) {
2603	ret = SSH_ERR_ALLOC_FAIL-2;
2604	goto out;
2605	}
2606	if (EC_POINT_mul(group, nq, NULL((void )0), public, order, NULL((void )0)) != 1) {
2607	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
2608	goto out;
2609	}
2610	if (EC_POINT_is_at_infinity(group, nq) != 1)
2611	goto out;
2612
2613	/* x < order - 1, y < order - 1 */
2614	if (!BN_sub(tmp, order, BN_value_one())) {
2615	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
2616	goto out;
2617	}
2618	if (BN_cmp(x, tmp) >= 0 \|\| BN_cmp(y, tmp) >= 0)
2619	goto out;
2620	ret = 0;
2621	out:
2622	BN_clear_free(x);
2623	BN_clear_free(y);
2624	BN_clear_free(order);
2625	BN_clear_free(tmp);
2626	EC_POINT_free(nq);
2627	return ret;
2628	}
2629
2630	int
2631	sshkey_ec_validate_private(const EC_KEY *key)
2632	{
2633	BIGNUM order = NULL((void )0), tmp = NULL((void )0);
2634	int ret = SSH_ERR_KEY_INVALID_EC_VALUE-20;
2635
2636	if ((order = BN_new()) == NULL((void )0) \|\| (tmp = BN_new()) == NULL((void )0)) {
2637	ret = SSH_ERR_ALLOC_FAIL-2;
2638	goto out;
2639	}
2640
2641	/* log2(private) > log2(order)/2 */
2642	if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL((void *)0)) != 1) {
2643	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
2644	goto out;
2645	}
2646	if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
2647	BN_num_bits(order) / 2)
2648	goto out;
2649
2650	/* private < order - 1 */
2651	if (!BN_sub(tmp, order, BN_value_one())) {
2652	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
2653	goto out;
2654	}
2655	if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
2656	goto out;
2657	ret = 0;
2658	out:
2659	BN_clear_free(order);
2660	BN_clear_free(tmp);
2661	return ret;
2662	}
2663
2664	void
2665	sshkey_dump_ec_point(const EC_GROUP group, const EC_POINT point)
2666	{
2667	BIGNUM x = NULL((void )0), y = NULL((void )0);
2668
2669	if (point == NULL((void *)0)) {
2670	fputs("point=(NULL)\n", stderr(&__sF[2]));
2671	return;
2672	}
2673	if ((x = BN_new()) == NULL((void )0) \|\| (y = BN_new()) == NULL((void )0)) {
2674	fprintf(stderr(&__sF[2]), "%s: BN_new failed\n", __func__);
2675	goto out;
2676	}
2677	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2678	NID_X9_62_prime_field406) {
2679	fprintf(stderr(&__sF[2]), "%s: group is not a prime field\n", __func__);
2680	goto out;
2681	}
2682	if (EC_POINT_get_affine_coordinates_GFp(group, point,
2683	x, y, NULL((void *)0)) != 1) {
2684	fprintf(stderr(&__sF[2]), "%s: EC_POINT_get_affine_coordinates_GFp\n",
2685	__func__);
2686	goto out;
2687	}
2688	fputs("x=", stderr(&__sF[2]));
2689	BN_print_fp(stderr(&__sF[2]), x);
2690	fputs("\ny=", stderr(&__sF[2]));
2691	BN_print_fp(stderr(&__sF[2]), y);
2692	fputs("\n", stderr(&__sF[2]));
2693	out:
2694	BN_clear_free(x);
2695	BN_clear_free(y);
2696	}
2697
2698	void
2699	sshkey_dump_ec_key(const EC_KEY *key)
2700	{
2701	const BIGNUM *exponent;
2702
2703	sshkey_dump_ec_point(EC_KEY_get0_group(key),
2704	EC_KEY_get0_public_key(key));
2705	fputs("exponent=", stderr(&__sF[2]));
2706	if ((exponent = EC_KEY_get0_private_key(key)) == NULL((void *)0))
2707	fputs("(NULL)", stderr(&__sF[2]));
2708	else
2709	BN_print_fp(stderr(&__sF[2]), EC_KEY_get0_private_key(key));
2710	fputs("\n", stderr(&__sF[2]));
2711	}
2712	#endif /* WITH_OPENSSL */
2713
2714	static int
2715	sshkey_private_to_blob2(struct sshkey prv, struct sshbuf blob,
2716	const char passphrase, const char comment, const char *ciphername,
2717	int rounds)
2718	{
2719	u_char cp, key = NULL((void )0), pubkeyblob = NULL((void *)0);
2720	u_char salt[SALT_LEN16];
2721	size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
2722	u_int check;
2723	int r = SSH_ERR_INTERNAL_ERROR-1;
2724	struct sshcipher_ctx ciphercontext = NULL((void )0);
2725	const struct sshcipher *cipher;
2726	const char *kdfname = KDFNAME"bcrypt";
2727	struct sshbuf encoded = NULL((void )0), encrypted = NULL((void )0), kdf = NULL((void )0);
2728
2729	if (rounds <= 0)
2730	rounds = DEFAULT_ROUNDS24;
2731	if (passphrase == NULL((void *)0) \|\| !strlen(passphrase)) {
2732	ciphername = "none";
2733	kdfname = "none";
2734	} else if (ciphername == NULL((void *)0))
2735	ciphername = DEFAULT_CIPHERNAME"aes256-ctr";
2736	if ((cipher = cipher_by_name(ciphername)) == NULL((void *)0)) {
2737	r = SSH_ERR_INVALID_ARGUMENT-10;
2738	goto out;
2739	}
2740
2741	if ((kdf = sshbuf_new()) == NULL((void *)0) \|\|
2742	(encoded = sshbuf_new()) == NULL((void *)0) \|\|
2743	(encrypted = sshbuf_new()) == NULL((void *)0)) {
2744	r = SSH_ERR_ALLOC_FAIL-2;
2745	goto out;
2746	}
2747	blocksize = cipher_blocksize(cipher);
2748	keylen = cipher_keylen(cipher);
2749	ivlen = cipher_ivlen(cipher);
2750	authlen = cipher_authlen(cipher);
2751	if ((key = calloc(1, keylen + ivlen)) == NULL((void *)0)) {
2752	r = SSH_ERR_ALLOC_FAIL-2;
2753	goto out;
2754	}
2755	if (strcmp(kdfname, "bcrypt") == 0) {
2756	arc4random_buf(salt, SALT_LEN16);
2757	if (bcrypt_pbkdf(passphrase, strlen(passphrase),
2758	salt, SALT_LEN16, key, keylen + ivlen, rounds) < 0) {
2759	r = SSH_ERR_INVALID_ARGUMENT-10;
2760	goto out;
2761	}
2762	if ((r = sshbuf_put_string(kdf, salt, SALT_LEN16)) != 0 \|\|
2763	(r = sshbuf_put_u32(kdf, rounds)) != 0)
2764	goto out;
2765	} else if (strcmp(kdfname, "none") != 0) {
2766	/* Unsupported KDF type */
2767	r = SSH_ERR_KEY_UNKNOWN_CIPHER-42;
2768	goto out;
2769	}
2770	if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
2771	key + keylen, ivlen, 1)) != 0)
2772	goto out;
2773
2774	if ((r = sshbuf_put(encoded, AUTH_MAGIC"openssh-key-v1", sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 \|\|
2775	(r = sshbuf_put_cstring(encoded, ciphername)) != 0 \|\|
2776	(r = sshbuf_put_cstring(encoded, kdfname)) != 0 \|\|
2777	(r = sshbuf_put_stringb(encoded, kdf)) != 0 \|\|
2778	(r = sshbuf_put_u32(encoded, 1)) != 0 \|\| /* number of keys */
2779	(r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 \|\|
2780	(r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
2781	goto out;
2782
2783	/* set up the buffer that will be encrypted */
2784
2785	/* Random check bytes */
2786	check = arc4random();
2787	if ((r = sshbuf_put_u32(encrypted, check)) != 0 \|\|
2788	(r = sshbuf_put_u32(encrypted, check)) != 0)
2789	goto out;
2790
2791	/* append private key and comment*/
2792	if ((r = sshkey_private_serialize_opt(prv, encrypted,
2793	SSHKEY_SERIALIZE_FULL)) != 0 \|\|
2794	(r = sshbuf_put_cstring(encrypted, comment)) != 0)
2795	goto out;
2796
2797	/* padding */
2798	i = 0;
2799	while (sshbuf_len(encrypted) % blocksize) {
2800	if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
2801	goto out;
2802	}
2803
2804	/* length in destination buffer */
2805	if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
2806	goto out;
2807
2808	/* encrypt */
2809	if ((r = sshbuf_reserve(encoded,
2810	sshbuf_len(encrypted) + authlen, &cp)) != 0)
2811	goto out;
2812	if ((r = cipher_crypt(ciphercontext, 0, cp,
2813	sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
2814	goto out;
2815
2816	sshbuf_reset(blob);
2817
2818	/* assemble uuencoded key */
2819	if ((r = sshbuf_put(blob, MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n", MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1))) != 0 \|\|
2820	(r = sshbuf_dtob64(encoded, blob, 1)) != 0 \|\|
2821	(r = sshbuf_put(blob, MARK_END"-----END OPENSSH PRIVATE KEY-----\n", MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1))) != 0)
2822	goto out;
2823
2824	/* success */
2825	r = 0;
2826
2827	out:
2828	sshbuf_free(kdf);
2829	sshbuf_free(encoded);
2830	sshbuf_free(encrypted);
2831	cipher_free(ciphercontext);
2832	explicit_bzero(salt, sizeof(salt));
2833	if (key != NULL((void *)0))
2834	freezero(key, keylen + ivlen);
2835	if (pubkeyblob != NULL((void *)0))
2836	freezero(pubkeyblob, pubkeylen);
2837	return r;
2838	}
2839
2840	static int
2841	private2_uudecode(struct sshbuf blob, struct sshbuf *decodedp)
2842	{
2843	const u_char *cp;
2844	size_t encoded_len;
2845	int r;
2846	u_char last;
2847	struct sshbuf encoded = NULL((void )0), decoded = NULL((void )0);
2848
2849	if (blob == NULL((void )0) \|\| decodedp == NULL((void )0))
2850	return SSH_ERR_INVALID_ARGUMENT-10;
2851
2852	decodedp = NULL((void )0);
2853
2854	if ((encoded = sshbuf_new()) == NULL((void *)0) \|\|
2855	(decoded = sshbuf_new()) == NULL((void *)0)) {
2856	r = SSH_ERR_ALLOC_FAIL-2;
2857	goto out;
2858	}
2859
2860	/* check preamble */
2861	cp = sshbuf_ptr(blob);
2862	encoded_len = sshbuf_len(blob);
2863	if (encoded_len < (MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1) + MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1)) \|\|
2864	memcmp(cp, MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n", MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1)) != 0) {
2865	r = SSH_ERR_INVALID_FORMAT-4;
2866	goto out;
2867	}
2868	cp += MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1);
2869	encoded_len -= MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1);
2870
2871	/* Look for end marker, removing whitespace as we go */
2872	while (encoded_len > 0) {
2873	if (cp != '\n' && cp != '\r') {
2874	if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
2875	goto out;
2876	}
2877	last = *cp;
2878	encoded_len--;
2879	cp++;
2880	if (last == '\n') {
2881	if (encoded_len >= MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1) &&
2882	memcmp(cp, MARK_END"-----END OPENSSH PRIVATE KEY-----\n", MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1)) == 0) {
2883	/* \0 terminate */
2884	if ((r = sshbuf_put_u8(encoded, 0)) != 0)
2885	goto out;
2886	break;
2887	}
2888	}
2889	}
2890	if (encoded_len == 0) {
2891	r = SSH_ERR_INVALID_FORMAT-4;
2892	goto out;
2893	}
2894
2895	/* decode base64 */
2896	if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0)
2897	goto out;
2898
2899	/* check magic */
2900	if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC"openssh-key-v1") \|\|
2901	memcmp(sshbuf_ptr(decoded), AUTH_MAGIC"openssh-key-v1", sizeof(AUTH_MAGIC"openssh-key-v1"))) {
2902	r = SSH_ERR_INVALID_FORMAT-4;
2903	goto out;
2904	}
2905	/* success */
2906	*decodedp = decoded;
2907	decoded = NULL((void *)0);
2908	r = 0;
2909	out:
2910	sshbuf_free(encoded);
2911	sshbuf_free(decoded);
2912	return r;
2913	}
2914
2915	static int
2916	private2_decrypt(struct sshbuf decoded, const char passphrase,
2917	struct sshbuf decryptedp, struct sshkey pubkeyp)
2918	{
2919	char ciphername = NULL((void )0), kdfname = NULL((void )0);
2920	const struct sshcipher cipher = NULL((void )0);
2921	int r = SSH_ERR_INTERNAL_ERROR-1;
2922	size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0;
2923	struct sshbuf kdf = NULL((void )0), decrypted = NULL((void )0);
2924	struct sshcipher_ctx ciphercontext = NULL((void )0);
2925	struct sshkey pubkey = NULL((void )0);
2926	u_char key = NULL((void )0), salt = NULL((void )0), *dp;
2927	u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
2928
2929	if (decoded == NULL((void )0) \|\| decryptedp == NULL((void )0) \|\| pubkeyp == NULL((void *)0))
2930	return SSH_ERR_INVALID_ARGUMENT-10;
2931
2932	decryptedp = NULL((void )0);
2933	pubkeyp = NULL((void )0);
2934
2935	if ((decrypted = sshbuf_new()) == NULL((void *)0)) {
2936	r = SSH_ERR_ALLOC_FAIL-2;
2937	goto out;
2938	}
2939
2940	/* parse public portion of key */
2941	if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 \|\|
2942	(r = sshbuf_get_cstring(decoded, &ciphername, NULL((void *)0))) != 0 \|\|
2943	(r = sshbuf_get_cstring(decoded, &kdfname, NULL((void *)0))) != 0 \|\|
2944	(r = sshbuf_froms(decoded, &kdf)) != 0 \|\|
2945	(r = sshbuf_get_u32(decoded, &nkeys)) != 0)
2946	goto out;
2947
2948	if (nkeys != 1) {
2949	/* XXX only one key supported at present */
2950	r = SSH_ERR_INVALID_FORMAT-4;
2951	goto out;
2952	}
2953
2954	if ((r = sshkey_froms(decoded, &pubkey)) != 0 \|\|
2955	(r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
2956	goto out;
2957
2958	if ((cipher = cipher_by_name(ciphername)) == NULL((void *)0)) {
2959	r = SSH_ERR_KEY_UNKNOWN_CIPHER-42;
2960	goto out;
2961	}
2962	if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
2963	r = SSH_ERR_KEY_UNKNOWN_CIPHER-42;
2964	goto out;
2965	}
2966	if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) {
2967	r = SSH_ERR_INVALID_FORMAT-4;
2968	goto out;
2969	}
2970	if ((passphrase == NULL((void *)0) \|\| strlen(passphrase) == 0) &&
2971	strcmp(kdfname, "none") != 0) {
2972	/* passphrase required */
2973	r = SSH_ERR_KEY_WRONG_PASSPHRASE-43;
2974	goto out;
2975	}
2976
2977	/* check size of encrypted key blob */
2978	blocksize = cipher_blocksize(cipher);
2979	if (encrypted_len < blocksize \|\| (encrypted_len % blocksize) != 0) {
2980	r = SSH_ERR_INVALID_FORMAT-4;
2981	goto out;
2982	}
2983
2984	/* setup key */
2985	keylen = cipher_keylen(cipher);
2986	ivlen = cipher_ivlen(cipher);
2987	authlen = cipher_authlen(cipher);
2988	if ((key = calloc(1, keylen + ivlen)) == NULL((void *)0)) {
2989	r = SSH_ERR_ALLOC_FAIL-2;
2990	goto out;
2991	}
2992	if (strcmp(kdfname, "bcrypt") == 0) {
2993	if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 \|\|
2994	(r = sshbuf_get_u32(kdf, &rounds)) != 0)
2995	goto out;
2996	if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
2997	key, keylen + ivlen, rounds) < 0) {
2998	r = SSH_ERR_INVALID_FORMAT-4;
2999	goto out;
3000	}
3001	}
3002
3003	/* check that an appropriate amount of auth data is present */
3004	if (sshbuf_len(decoded) < authlen \|\|
3005	sshbuf_len(decoded) - authlen < encrypted_len) {
3006	r = SSH_ERR_INVALID_FORMAT-4;
3007	goto out;
3008	}
3009
3010	/* decrypt private portion of key */
3011	if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 \|\|
3012	(r = cipher_init(&ciphercontext, cipher, key, keylen,
3013	key + keylen, ivlen, 0)) != 0)
3014	goto out;
3015	if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
3016	encrypted_len, 0, authlen)) != 0) {
3017	/* an integrity error here indicates an incorrect passphrase */
3018	if (r == SSH_ERR_MAC_INVALID-30)
3019	r = SSH_ERR_KEY_WRONG_PASSPHRASE-43;
3020	goto out;
3021	}
3022	if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
3023	goto out;
3024	/* there should be no trailing data */
3025	if (sshbuf_len(decoded) != 0) {
3026	r = SSH_ERR_INVALID_FORMAT-4;
3027	goto out;
3028	}
3029
3030	/* check check bytes */
3031	if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 \|\|
3032	(r = sshbuf_get_u32(decrypted, &check2)) != 0)
3033	goto out;
3034	if (check1 != check2) {
3035	r = SSH_ERR_KEY_WRONG_PASSPHRASE-43;
3036	goto out;
3037	}
3038	/* success */
3039	*decryptedp = decrypted;
3040	decrypted = NULL((void *)0);
3041	*pubkeyp = pubkey;
3042	pubkey = NULL((void *)0);
3043	r = 0;
3044	out:
3045	cipher_free(ciphercontext);
3046	free(ciphername);
3047	free(kdfname);
3048	sshkey_free(pubkey);
3049	if (salt != NULL((void *)0)) {
3050	explicit_bzero(salt, slen);
3051	free(salt);
3052	}
3053	if (key != NULL((void *)0)) {
3054	explicit_bzero(key, keylen + ivlen);
3055	free(key);
3056	}
3057	sshbuf_free(kdf);
3058	sshbuf_free(decrypted);
3059	return r;
3060	}
3061
3062	static int
3063	sshkey_parse_private2(struct sshbuf blob, int type, const char passphrase,
3064	struct sshkey keyp, char commentp)
3065	{
3066	char comment = NULL((void )0);
3067	int r = SSH_ERR_INTERNAL_ERROR-1;
3068	struct sshbuf decoded = NULL((void )0), decrypted = NULL((void )0);
3069	struct sshkey k = NULL((void )0), pubkey = NULL((void )0);
3070
3071	if (keyp != NULL((void *)0))
3072	keyp = NULL((void )0);
3073	if (commentp != NULL((void *)0))
3074	commentp = NULL((void )0);
3075
3076	/* Undo base64 encoding and decrypt the private section */
3077	if ((r = private2_uudecode(blob, &decoded)) != 0 \|\|
3078	(r = private2_decrypt(decoded, passphrase,
3079	&decrypted, &pubkey)) != 0)
3080	goto out;
3081
3082	if (type != KEY_UNSPEC &&
3083	sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) {
3084	r = SSH_ERR_KEY_TYPE_MISMATCH-13;
3085	goto out;
3086	}
3087
3088	/* Load the private key and comment */
3089	if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 \|\|
3090	(r = sshbuf_get_cstring(decrypted, &comment, NULL((void *)0))) != 0)
3091	goto out;
3092
3093	/* Check deterministic padding after private section */
3094	if ((r = private2_check_padding(decrypted)) != 0)
3095	goto out;
3096
3097	/* Check that the public key in the envelope matches the private key */
3098	if (!sshkey_equal(pubkey, k)) {
3099	r = SSH_ERR_INVALID_FORMAT-4;
3100	goto out;
3101	}
3102
3103	/* success */
3104	r = 0;
3105	if (keyp != NULL((void *)0)) {
3106	*keyp = k;
3107	k = NULL((void *)0);
3108	}
3109	if (commentp != NULL((void *)0)) {
3110	*commentp = comment;
3111	comment = NULL((void *)0);
3112	}
3113	out:
3114	free(comment);
3115	sshbuf_free(decoded);
3116	sshbuf_free(decrypted);
3117	sshkey_free(k);
3118	sshkey_free(pubkey);
3119	return r;
3120	}
3121
3122	static int
3123	sshkey_parse_private2_pubkey(struct sshbuf *blob, int type,
3124	struct sshkey **keyp)
3125	{
3126	int r = SSH_ERR_INTERNAL_ERROR-1;
3127	struct sshbuf decoded = NULL((void )0);
3128	struct sshkey pubkey = NULL((void )0);
3129	u_int nkeys = 0;
3130
3131	if (keyp != NULL((void *)0))
3132	keyp = NULL((void )0);
3133
3134	if ((r = private2_uudecode(blob, &decoded)) != 0)
3135	goto out;
3136	/* parse public key from unencrypted envelope */
3137	if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 \|\|
3138	(r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void )0), ((void )0))) != 0 \|\| /* cipher */
3139	(r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void )0), ((void )0))) != 0 \|\| /* KDF alg */
3140	(r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void )0), ((void )0))) != 0 \|\| /* KDF hint */
3141	(r = sshbuf_get_u32(decoded, &nkeys)) != 0)
3142	goto out;
3143
3144	if (nkeys != 1) {
3145	/* XXX only one key supported at present */
3146	r = SSH_ERR_INVALID_FORMAT-4;
3147	goto out;
3148	}
3149
3150	/* Parse the public key */
3151	if ((r = sshkey_froms(decoded, &pubkey)) != 0)
3152	goto out;
3153
3154	if (type != KEY_UNSPEC &&
3155	sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) {
3156	r = SSH_ERR_KEY_TYPE_MISMATCH-13;
3157	goto out;
3158	}
3159
3160	/* success */
3161	r = 0;
3162	if (keyp != NULL((void *)0)) {
3163	*keyp = pubkey;
3164	pubkey = NULL((void *)0);
3165	}
3166	out:
3167	sshbuf_free(decoded);
3168	sshkey_free(pubkey);
3169	return r;
3170	}
3171
3172	#ifdef WITH_OPENSSL1
3173	/* convert SSH v2 key to PEM or PKCS#8 format */
3174	static int
3175	sshkey_private_to_blob_pem_pkcs8(struct sshkey key, struct sshbuf buf,
3176	int format, const char _passphrase, const char comment)
3177	{
3178	int was_shielded = sshkey_is_shielded(key);
3179	int success, r;
3180	int blen, len = strlen(_passphrase);
3181	u_char passphrase = (len > 0) ? (u_char )_passphrase : NULL((void *)0);
3182	const EVP_CIPHER cipher = (len > 0) ? EVP_aes_128_cbc() : NULL((void )0);
3183	char *bptr;
3184	BIO bio = NULL((void )0);
3185	struct sshbuf *blob;
3186	EVP_PKEY pkey = NULL((void )0);
3187
3188	if (len > 0 && len <= 4)
3189	return SSH_ERR_PASSPHRASE_TOO_SHORT-40;
3190	if ((blob = sshbuf_new()) == NULL((void *)0))
3191	return SSH_ERR_ALLOC_FAIL-2;
3192	if ((bio = BIO_new(BIO_s_mem())) == NULL((void *)0)) {
3193	r = SSH_ERR_ALLOC_FAIL-2;
3194	goto out;
3195	}
3196	if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL((void *)0)) {
3197	r = SSH_ERR_ALLOC_FAIL-2;
3198	goto out;
3199	}
3200	if ((r = sshkey_unshield_private(key)) != 0)
3201	goto out;
3202
3203	switch (key->type) {
3204	#ifdef WITH_DSA1
3205	case KEY_DSA:
3206	if (format == SSHKEY_PRIVATE_PEM) {
3207	success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
3208	cipher, passphrase, len, NULL((void )0), NULL((void )0));
3209	} else {
3210	success = EVP_PKEY_set1_DSA(pkey, key->dsa);
3211	}
3212	break;
3213	#endif
3214	case KEY_ECDSA:
3215	if (format == SSHKEY_PRIVATE_PEM) {
3216	success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
3217	cipher, passphrase, len, NULL((void )0), NULL((void )0));
3218	} else {
3219	success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
3220	}
3221	break;
3222	case KEY_RSA:
3223	if (format == SSHKEY_PRIVATE_PEM) {
3224	success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
3225	cipher, passphrase, len, NULL((void )0), NULL((void )0));
3226	} else {
3227	success = EVP_PKEY_set1_RSA(pkey, key->rsa);
3228	}
3229	break;
3230	default:
3231	success = 0;
3232	break;
3233	}
3234	if (success == 0) {
3235	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3236	goto out;
3237	}
3238	if (format == SSHKEY_PRIVATE_PKCS8) {
3239	if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
3240	passphrase, len, NULL((void )0), NULL((void )0))) == 0) {
3241	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3242	goto out;
3243	}
3244	}
3245	if ((blen = BIO_get_mem_data(bio, &bptr)BIO_ctrl(bio,3,0,(char *)&bptr)) <= 0) {
3246	r = SSH_ERR_INTERNAL_ERROR-1;
3247	goto out;
3248	}
3249	if ((r = sshbuf_put(blob, bptr, blen)) != 0)
3250	goto out;
3251	r = 0;
3252	out:
3253	if (was_shielded)
3254	r = sshkey_shield_private(key);
3255	if (r == 0)
3256	r = sshbuf_putb(buf, blob);
3257
3258	EVP_PKEY_free(pkey);
3259	sshbuf_free(blob);
3260	BIO_free(bio);
3261	return r;
3262	}
3263	#endif /* WITH_OPENSSL */
3264
3265	/* Serialise "key" to buffer "blob" */
3266	int
3267	sshkey_private_to_fileblob(struct sshkey key, struct sshbuf blob,
3268	const char passphrase, const char comment,
3269	int format, const char *openssh_format_cipher, int openssh_format_rounds)
3270	{
3271	switch (key->type) {
3272	#ifdef WITH_OPENSSL1
3273	case KEY_DSA:
3274	case KEY_ECDSA:
3275	case KEY_RSA:
3276	break; /* see below */
3277	#endif /* WITH_OPENSSL */
3278	case KEY_ED25519:
3279	case KEY_ED25519_SK:
3280	#ifdef WITH_XMSS
3281	case KEY_XMSS:
3282	#endif /* WITH_XMSS */
3283	#ifdef WITH_OPENSSL1
3284	case KEY_ECDSA_SK:
3285	#endif /* WITH_OPENSSL */
3286	return sshkey_private_to_blob2(key, blob, passphrase,
3287	comment, openssh_format_cipher, openssh_format_rounds);
3288	default:
3289	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
3290	}
3291
3292	#ifdef WITH_OPENSSL1
3293	switch (format) {
3294	case SSHKEY_PRIVATE_OPENSSH:
3295	return sshkey_private_to_blob2(key, blob, passphrase,
3296	comment, openssh_format_cipher, openssh_format_rounds);
3297	case SSHKEY_PRIVATE_PEM:
3298	case SSHKEY_PRIVATE_PKCS8:
3299	return sshkey_private_to_blob_pem_pkcs8(key, blob,
3300	format, passphrase, comment);
3301	default:
3302	return SSH_ERR_INVALID_ARGUMENT-10;
3303	}
3304	#endif /* WITH_OPENSSL */
3305	}
3306
3307	#ifdef WITH_OPENSSL1
3308	static int
3309	translate_libcrypto_error(unsigned long pem_err)
3310	{
3311	int pem_reason = ERR_GET_REASON(pem_err)(int)((pem_err)&0xfffL);
3312
3313	switch (ERR_GET_LIB(pem_err)(int)((((unsigned long)pem_err)>>24L)&0xffL)) {
3314	case ERR_LIB_PEM9:
3315	switch (pem_reason) {
3316	case PEM_R_BAD_PASSWORD_READ104:
3317	case PEM_R_PROBLEMS_GETTING_PASSWORD109:
3318	case PEM_R_BAD_DECRYPT101:
3319	return SSH_ERR_KEY_WRONG_PASSPHRASE-43;
3320	default:
3321	return SSH_ERR_INVALID_FORMAT-4;
3322	}
3323	case ERR_LIB_EVP6:
3324	switch (pem_reason) {
3325	case EVP_R_BAD_DECRYPT100:
3326	return SSH_ERR_KEY_WRONG_PASSPHRASE-43;
3327	#ifdef EVP_R_BN_DECODE_ERROR112
3328	case EVP_R_BN_DECODE_ERROR112:
3329	#endif
3330	case EVP_R_DECODE_ERROR114:
3331	#ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR145
3332	case EVP_R_PRIVATE_KEY_DECODE_ERROR145:
3333	#endif
3334	return SSH_ERR_INVALID_FORMAT-4;
3335	default:
3336	return SSH_ERR_LIBCRYPTO_ERROR-22;
3337	}
3338	case ERR_LIB_ASN113:
3339	return SSH_ERR_INVALID_FORMAT-4;
3340	}
3341	return SSH_ERR_LIBCRYPTO_ERROR-22;
3342	}
3343
3344	static void
3345	clear_libcrypto_errors(void)
3346	{
3347	while (ERR_get_error() != 0)
3348	;
3349	}
3350
3351	/*
3352	* Translate OpenSSL error codes to determine whether
3353	* passphrase is required/incorrect.
3354	*/
3355	static int
3356	convert_libcrypto_error(void)
3357	{
3358	/*
3359	* Some password errors are reported at the beginning
3360	* of the error queue.
3361	*/
3362	if (translate_libcrypto_error(ERR_peek_error()) ==
3363	SSH_ERR_KEY_WRONG_PASSPHRASE-43)
3364	return SSH_ERR_KEY_WRONG_PASSPHRASE-43;
3365	return translate_libcrypto_error(ERR_peek_last_error());
3366	}
3367
3368	static int
3369	sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
3370	const char passphrase, struct sshkey *keyp)
3371	{
3372	EVP_PKEY pk = NULL((void )0);
3373	struct sshkey prv = NULL((void )0);
3374	BIO bio = NULL((void )0);
3375	int r;
3376
3377	if (keyp != NULL((void *)0))
3378	keyp = NULL((void )0);
3379
3380	if ((bio = BIO_new(BIO_s_mem())) == NULL((void *)0) \|\| sshbuf_len(blob) > INT_MAX0x7fffffff)
3381	return SSH_ERR_ALLOC_FAIL-2;
3382	if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
3383	(int)sshbuf_len(blob)) {
3384	r = SSH_ERR_ALLOC_FAIL-2;
3385	goto out;
3386	}
3387
3388	clear_libcrypto_errors();
3389	if ((pk = PEM_read_bio_PrivateKey(bio, NULL((void )0), NULL((void )0),
3390	(char )passphrase)) == NULL((void )0)) {
3391	/*
3392	* libcrypto may return various ASN.1 errors when attempting
3393	* to parse a key with an incorrect passphrase.
3394	* Treat all format errors as "incorrect passphrase" if a
3395	* passphrase was supplied.
3396	*/
3397	if (passphrase != NULL((void )0) && passphrase != '\0')
3398	r = SSH_ERR_KEY_WRONG_PASSPHRASE-43;
3399	else
3400	r = convert_libcrypto_error();
3401	goto out;
3402	}
3403	if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA6 &&
3404	(type == KEY_UNSPEC \|\| type == KEY_RSA)) {
3405	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void *)0)) {
3406	r = SSH_ERR_ALLOC_FAIL-2;
3407	goto out;
3408	}
3409	prv->rsa = EVP_PKEY_get1_RSA(pk);
3410	prv->type = KEY_RSA;
3411	#ifdef DEBUG_PK
3412	RSA_print_fp(stderr(&__sF[2]), prv->rsa, 8);
3413	#endif
3414	if (RSA_blinding_on(prv->rsa, NULL((void *)0)) != 1) {
3415	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3416	goto out;
3417	}
3418	if ((r = sshkey_check_rsa_length(prv, 0)) != 0)
3419	goto out;
3420	#ifdef WITH_DSA1
3421	} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA116 &&
3422	(type == KEY_UNSPEC \|\| type == KEY_DSA)) {
3423	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void *)0)) {
3424	r = SSH_ERR_ALLOC_FAIL-2;
3425	goto out;
3426	}
3427	prv->dsa = EVP_PKEY_get1_DSA(pk);
3428	prv->type = KEY_DSA;
3429	#ifdef DEBUG_PK
3430	DSA_print_fp(stderr(&__sF[2]), prv->dsa, 8);
3431	#endif
3432	#endif
3433	} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC408 &&
3434	(type == KEY_UNSPEC \|\| type == KEY_ECDSA)) {
3435	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void *)0)) {
3436	r = SSH_ERR_ALLOC_FAIL-2;
3437	goto out;
3438	}
3439	prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
3440	prv->type = KEY_ECDSA;
3441	prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
3442	if (prv->ecdsa_nid == -1 \|\|
3443	sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL((void *)0) \|\|
3444	sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
3445	EC_KEY_get0_public_key(prv->ecdsa)) != 0 \|\|
3446	sshkey_ec_validate_private(prv->ecdsa) != 0) {
3447	r = SSH_ERR_INVALID_FORMAT-4;
3448	goto out;
3449	}
3450	#ifdef DEBUG_PK
3451	if (prv != NULL((void )0) && prv->ecdsa != NULL((void )0))
3452	sshkey_dump_ec_key(prv->ecdsa);
3453	#endif
3454	} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_ED25519952 &&
3455	(type == KEY_UNSPEC \|\| type == KEY_ED25519)) {
3456	size_t len;
3457
3458	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void *)0) \|\|
3459	(prv->ed25519_sk = calloc(1, ED25519_SK_SZ64U)) == NULL((void *)0) \|\|
3460	(prv->ed25519_pk = calloc(1, ED25519_PK_SZ32U)) == NULL((void *)0)) {
3461	r = SSH_ERR_ALLOC_FAIL-2;
3462	goto out;
3463	}
3464	prv->type = KEY_ED25519;
3465	len = ED25519_PK_SZ32U;
3466	if (!EVP_PKEY_get_raw_public_key(pk, prv->ed25519_pk, &len)) {
3467	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3468	goto out;
3469	}
3470	if (len != ED25519_PK_SZ32U) {
3471	r = SSH_ERR_INVALID_FORMAT-4;
3472	goto out;
3473	}
3474	len = ED25519_SK_SZ64U - ED25519_PK_SZ32U;
3475	if (!EVP_PKEY_get_raw_private_key(pk, prv->ed25519_sk, &len)) {
3476	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3477	goto out;
3478	}
3479	if (len != ED25519_SK_SZ64U - ED25519_PK_SZ32U) {
3480	r = SSH_ERR_INVALID_FORMAT-4;
3481	goto out;
3482	}
3483	/* Append the public key to our private key */
3484	memcpy(prv->ed25519_sk + (ED25519_SK_SZ64U - ED25519_PK_SZ32U),
3485	prv->ed25519_pk, ED25519_PK_SZ32U);
3486	#ifdef DEBUG_PK
3487	sshbuf_dump_data(prv->ed25519_sk, ED25519_SK_SZ64U, stderr(&__sF[2]));
3488	#endif
3489	} else {
3490	r = SSH_ERR_INVALID_FORMAT-4;
3491	goto out;
3492	}
3493	r = 0;
3494	if (keyp != NULL((void *)0)) {
3495	*keyp = prv;
3496	prv = NULL((void *)0);
3497	}
3498	out:
3499	BIO_free(bio);
3500	EVP_PKEY_free(pk);
3501	sshkey_free(prv);
3502	return r;
3503	}
3504	#endif /* WITH_OPENSSL */
3505
3506	int
3507	sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
3508	const char passphrase, struct sshkey keyp, char *commentp)
3509	{
3510	int r = SSH_ERR_INTERNAL_ERROR-1;
3511
3512	if (keyp != NULL((void *)0))
3513	keyp = NULL((void )0);
3514	if (commentp != NULL((void *)0))
3515	commentp = NULL((void )0);
3516
3517	switch (type) {
3518	case KEY_XMSS:
3519	/* No fallback for new-format-only keys */
3520	return sshkey_parse_private2(blob, type, passphrase,
3521	keyp, commentp);
3522	default:
3523	r = sshkey_parse_private2(blob, type, passphrase, keyp,
3524	commentp);
3525	/* Only fallback to PEM parser if a format error occurred. */
3526	if (r != SSH_ERR_INVALID_FORMAT-4)
3527	return r;
3528	#ifdef WITH_OPENSSL1
3529	return sshkey_parse_private_pem_fileblob(blob, type,
3530	passphrase, keyp);
3531	#else
3532	return SSH_ERR_INVALID_FORMAT-4;
3533	#endif /* WITH_OPENSSL */
3534	}
3535	}
3536
3537	int
3538	sshkey_parse_private_fileblob(struct sshbuf buffer, const char passphrase,
3539	struct sshkey keyp, char commentp)
3540	{
3541	if (keyp != NULL((void *)0))
3542	keyp = NULL((void )0);
3543	if (commentp != NULL((void *)0))
3544	commentp = NULL((void )0);
3545
3546	return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
3547	passphrase, keyp, commentp);
3548	}
3549
3550	void
3551	sshkey_sig_details_free(struct sshkey_sig_details *details)
3552	{
3553	freezero(details, sizeof(*details));
3554	}
3555
3556	int
3557	sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type,
3558	struct sshkey **pubkeyp)
3559	{
3560	int r = SSH_ERR_INTERNAL_ERROR-1;
3561
3562	if (pubkeyp != NULL((void *)0))
3563	pubkeyp = NULL((void )0);
3564	/* only new-format private keys bundle a public key inside */
3565	if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0)
3566	return r;
3567	return 0;
3568	}
3569
3570	#ifdef WITH_XMSS
3571	/*
3572	* serialize the key with the current state and forward the state
3573	* maxsign times.
3574	*/
3575	int
3576	sshkey_private_serialize_maxsign(struct sshkey k, struct sshbuf b,
3577	u_int32_t maxsign, int printerror)
3578	{
3579	int r, rupdate;
3580
3581	if (maxsign == 0 \|\|
3582	sshkey_type_plain(k->type) != KEY_XMSS)
3583	return sshkey_private_serialize_opt(k, b,
3584	SSHKEY_SERIALIZE_DEFAULT);
3585	if ((r = sshkey_xmss_get_state(k, printerror)) != 0 \|\|
3586	(r = sshkey_private_serialize_opt(k, b,
3587	SSHKEY_SERIALIZE_STATE)) != 0 \|\|
3588	(r = sshkey_xmss_forward_state(k, maxsign)) != 0)
3589	goto out;
3590	r = 0;
3591	out:
3592	if ((rupdate = sshkey_xmss_update_state(k, printerror)) != 0) {
3593	if (r == 0)
3594	r = rupdate;
3595	}
3596	return r;
3597	}
3598
3599	u_int32_t
3600	sshkey_signatures_left(const struct sshkey *k)
3601	{
3602	if (sshkey_type_plain(k->type) == KEY_XMSS)
3603	return sshkey_xmss_signatures_left(k);
3604	return 0;
3605	}
3606
3607	int
3608	sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
3609	{
3610	if (sshkey_type_plain(k->type) != KEY_XMSS)
3611	return SSH_ERR_INVALID_ARGUMENT-10;
3612	return sshkey_xmss_enable_maxsign(k, maxsign);
3613	}
3614
3615	int
3616	sshkey_set_filename(struct sshkey k, const char filename)
3617	{
3618	if (k == NULL((void *)0))
3619	return SSH_ERR_INVALID_ARGUMENT-10;
3620	if (sshkey_type_plain(k->type) != KEY_XMSS)
3621	return 0;
3622	if (filename == NULL((void *)0))
3623	return SSH_ERR_INVALID_ARGUMENT-10;
3624	if ((k->xmss_filename = strdup(filename)) == NULL((void *)0))
3625	return SSH_ERR_ALLOC_FAIL-2;
3626	return 0;
3627	}
3628	#else
3629	int
3630	sshkey_private_serialize_maxsign(struct sshkey k, struct sshbuf b,
3631	u_int32_t maxsign, int printerror)
3632	{
3633	return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT);
3634	}
3635
3636	u_int32_t
3637	sshkey_signatures_left(const struct sshkey *k)
3638	{
3639	return 0;
3640	}
3641
3642	int
3643	sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
3644	{
3645	return SSH_ERR_INVALID_ARGUMENT-10;
3646	}
3647
3648	int
3649	sshkey_set_filename(struct sshkey k, const char filename)
3650	{
3651	if (k == NULL((void *)0))
3652	return SSH_ERR_INVALID_ARGUMENT-10;
3653	return 0;
3654	}
3655	#endif /* WITH_XMSS */