/usr/src/usr.bin/ssh/ssh/../sshkey.c

Bug Summary

File:	src/usr.bin/ssh/ssh/../sshkey.c
Warning:	line 2194, column 7 Although the value stored to 'ret' is used in the enclosing expression, the value is never actually read from 'ret'

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name sshkey.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/ssh/ssh/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.bin/ssh/ssh/.. -D WITH_OPENSSL -D WITH_ZLIB -D ENABLE_PKCS11 -D HAVE_DLOPEN -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -Wno-unused-parameter -fdebug-compilation-dir=/usr/src/usr.bin/ssh/ssh/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/ssh/ssh/../sshkey.c

1	/* $OpenBSD: sshkey.c,v 1.120 2022/01/06 22:05:42 djm Exp $ */
2	/*
3	* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
4	* Copyright (c) 2008 Alexander von Gernler. All rights reserved.
5	* Copyright (c) 2010,2011 Damien Miller. All rights reserved.
6	*
7	* Redistribution and use in source and binary forms, with or without
8	* modification, are permitted provided that the following conditions
9	* are met:
10	* 1. Redistributions of source code must retain the above copyright
11	* notice, this list of conditions and the following disclaimer.
12	* 2. Redistributions in binary form must reproduce the above copyright
13	* notice, this list of conditions and the following disclaimer in the
14	* documentation and/or other materials provided with the distribution.
15	*
16	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26	*/
27
28	#include <sys/types.h>
29	#include <netinet/in.h>
30
31	#ifdef WITH_OPENSSL1
32	#include <openssl/evp.h>
33	#include <openssl/err.h>
34	#include <openssl/pem.h>
35	#endif
36
37	#include "crypto_api.h"
38
39	#include <errno(*__errno()).h>
40	#include <stdio.h>
41	#include <string.h>
42	#include <util.h>
43	#include <limits.h>
44	#include <resolv.h>
45
46	#include "ssh2.h"
47	#include "ssherr.h"
48	#include "misc.h"
49	#include "sshbuf.h"
50	#include "cipher.h"
51	#include "digest.h"
52	#define SSHKEY_INTERNAL
53	#include "sshkey.h"
54	#include "match.h"
55	#include "ssh-sk.h"
56
57	#ifdef WITH_XMSS
58	#include "sshkey-xmss.h"
59	#include "xmss_fast.h"
60	#endif
61
62	/* openssh private key file format */
63	#define MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n" "-----BEGIN OPENSSH PRIVATE KEY-----\n"
64	#define MARK_END"-----END OPENSSH PRIVATE KEY-----\n" "-----END OPENSSH PRIVATE KEY-----\n"
65	#define MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1) (sizeof(MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1)
66	#define MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1) (sizeof(MARK_END"-----END OPENSSH PRIVATE KEY-----\n") - 1)
67	#define KDFNAME"bcrypt" "bcrypt"
68	#define AUTH_MAGIC"openssh-key-v1" "openssh-key-v1"
69	#define SALT_LEN16 16
70	#define DEFAULT_CIPHERNAME"aes256-ctr" "aes256-ctr"
71	#define DEFAULT_ROUNDS16 16
72
73	/* Version identification string for SSH v1 identity files. */
74	#define LEGACY_BEGIN"SSH PRIVATE KEY FILE FORMAT 1.1\n" "SSH PRIVATE KEY FILE FORMAT 1.1\n"
75
76	/*
77	* Constants relating to "shielding" support; protection of keys expected
78	* to remain in memory for long durations
79	*/
80	#define SSHKEY_SHIELD_PREKEY_LEN(16 * 1024) (16 * 1024)
81	#define SSHKEY_SHIELD_CIPHER"aes256-ctr" "aes256-ctr" /* XXX want AES-EME* */
82	#define SSHKEY_SHIELD_PREKEY_HASH4 SSH_DIGEST_SHA5124
83
84	int sshkey_private_serialize_opt(struct sshkey *key,
85	struct sshbuf *buf, enum sshkey_serialize_rep);
86	static int sshkey_from_blob_internal(struct sshbuf *buf,
87	struct sshkey **keyp, int allow_cert);
88
89	/* Supported key types */
90	struct keytype {
91	const char *name;
92	const char *shortname;
93	const char *sigalg;
94	int type;
95	int nid;
96	int cert;
97	int sigonly;
98	};
99	static const struct keytype keytypes[] = {
100	{ "ssh-ed25519", "ED25519", NULL((void*)0), KEY_ED25519, 0, 0, 0 },
101	{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT", NULL((void*)0),
102	KEY_ED25519_CERT, 0, 1, 0 },
103	{ "sk-ssh-ed25519@openssh.com", "ED25519-SK", NULL((void*)0),
104	KEY_ED25519_SK, 0, 0, 0 },
105	{ "sk-ssh-ed25519-cert-v01@openssh.com", "ED25519-SK-CERT", NULL((void*)0),
106	KEY_ED25519_SK_CERT, 0, 1, 0 },
107	#ifdef WITH_XMSS
108	{ "ssh-xmss@openssh.com", "XMSS", NULL((void*)0), KEY_XMSS, 0, 0, 0 },
109	{ "ssh-xmss-cert-v01@openssh.com", "XMSS-CERT", NULL((void*)0),
110	KEY_XMSS_CERT, 0, 1, 0 },
111	#endif /* WITH_XMSS */
112	#ifdef WITH_OPENSSL1
113	{ "ssh-rsa", "RSA", NULL((void*)0), KEY_RSA, 0, 0, 0 },
114	{ "rsa-sha2-256", "RSA", NULL((void*)0), KEY_RSA, 0, 0, 1 },
115	{ "rsa-sha2-512", "RSA", NULL((void*)0), KEY_RSA, 0, 0, 1 },
116	{ "ssh-dss", "DSA", NULL((void*)0), KEY_DSA, 0, 0, 0 },
117	{ "ecdsa-sha2-nistp256", "ECDSA", NULL((void*)0),
118	KEY_ECDSA, NID_X9_62_prime256v1415, 0, 0 },
119	{ "ecdsa-sha2-nistp384", "ECDSA", NULL((void*)0),
120	KEY_ECDSA, NID_secp384r1715, 0, 0 },
121	{ "ecdsa-sha2-nistp521", "ECDSA", NULL((void*)0),
122	KEY_ECDSA, NID_secp521r1716, 0, 0 },
123	{ "sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL((void*)0),
124	KEY_ECDSA_SK, NID_X9_62_prime256v1415, 0, 0 },
125	{ "webauthn-sk-ecdsa-sha2-nistp256@openssh.com", "ECDSA-SK", NULL((void*)0),
126	KEY_ECDSA_SK, NID_X9_62_prime256v1415, 0, 1 },
127	{ "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", NULL((void*)0),
128	KEY_RSA_CERT, 0, 1, 0 },
129	{ "rsa-sha2-256-cert-v01@openssh.com", "RSA-CERT",
130	"rsa-sha2-256", KEY_RSA_CERT, 0, 1, 1 },
131	{ "rsa-sha2-512-cert-v01@openssh.com", "RSA-CERT",
132	"rsa-sha2-512", KEY_RSA_CERT, 0, 1, 1 },
133	{ "ssh-dss-cert-v01@openssh.com", "DSA-CERT", NULL((void*)0),
134	KEY_DSA_CERT, 0, 1, 0 },
135	{ "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT", NULL((void*)0),
136	KEY_ECDSA_CERT, NID_X9_62_prime256v1415, 1, 0 },
137	{ "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT", NULL((void*)0),
138	KEY_ECDSA_CERT, NID_secp384r1715, 1, 0 },
139	{ "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT", NULL((void*)0),
140	KEY_ECDSA_CERT, NID_secp521r1716, 1, 0 },
141	{ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-SK-CERT", NULL((void*)0),
142	KEY_ECDSA_SK_CERT, NID_X9_62_prime256v1415, 1, 0 },
143	#endif /* WITH_OPENSSL */
144	{ NULL((void)0), NULL((void)0), NULL((void*)0), -1, -1, 0, 0 }
145	};
146
147	const char *
148	sshkey_type(const struct sshkey *k)
149	{
150	const struct keytype *kt;
151
152	for (kt = keytypes; kt->type != -1; kt++) {
153	if (kt->type == k->type)
154	return kt->shortname;
155	}
156	return "unknown";
157	}
158
159	static const char *
160	sshkey_ssh_name_from_type_nid(int type, int nid)
161	{
162	const struct keytype *kt;
163
164	for (kt = keytypes; kt->type != -1; kt++) {
165	if (kt->type == type && (kt->nid == 0 \|\| kt->nid == nid))
166	return kt->name;
167	}
168	return "ssh-unknown";
169	}
170
171	int
172	sshkey_type_is_cert(int type)
173	{
174	const struct keytype *kt;
175
176	for (kt = keytypes; kt->type != -1; kt++) {
177	if (kt->type == type)
178	return kt->cert;
179	}
180	return 0;
181	}
182
183	const char *
184	sshkey_ssh_name(const struct sshkey *k)
185	{
186	return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
187	}
188
189	const char *
190	sshkey_ssh_name_plain(const struct sshkey *k)
191	{
192	return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
193	k->ecdsa_nid);
194	}
195
196	int
197	sshkey_type_from_name(const char *name)
198	{
199	const struct keytype *kt;
200
201	for (kt = keytypes; kt->type != -1; kt++) {
202	/* Only allow shortname matches for plain key types */
203	if ((kt->name != NULL((void*)0) && strcmp(name, kt->name) == 0) \|\|
204	(!kt->cert && strcasecmp(kt->shortname, name) == 0))
205	return kt->type;
206	}
207	return KEY_UNSPEC;
208	}
209
210	static int
211	key_type_is_ecdsa_variant(int type)
212	{
213	switch (type) {
214	case KEY_ECDSA:
215	case KEY_ECDSA_CERT:
216	case KEY_ECDSA_SK:
217	case KEY_ECDSA_SK_CERT:
218	return 1;
219	}
220	return 0;
221	}
222
223	int
224	sshkey_ecdsa_nid_from_name(const char *name)
225	{
226	const struct keytype *kt;
227
228	for (kt = keytypes; kt->type != -1; kt++) {
229	if (!key_type_is_ecdsa_variant(kt->type))
230	continue;
231	if (kt->name != NULL((void*)0) && strcmp(name, kt->name) == 0)
232	return kt->nid;
233	}
234	return -1;
235	}
236
237	int
238	sshkey_match_keyname_to_sigalgs(const char keyname, const char sigalgs)
239	{
240	int ktype;
241
242	if (sigalgs == NULL((void)0) \|\| sigalgs == '\0' \|\|
243	(ktype = sshkey_type_from_name(keyname)) == KEY_UNSPEC)
244	return 0;
245	else if (ktype == KEY_RSA) {
246	return match_pattern_list("ssh-rsa", sigalgs, 0) == 1 \|\|
247	match_pattern_list("rsa-sha2-256", sigalgs, 0) == 1 \|\|
248	match_pattern_list("rsa-sha2-512", sigalgs, 0) == 1;
249	} else if (ktype == KEY_RSA_CERT) {
250	return match_pattern_list("ssh-rsa-cert-v01@openssh.com",
251	sigalgs, 0) == 1 \|\|
252	match_pattern_list("rsa-sha2-256-cert-v01@openssh.com",
253	sigalgs, 0) == 1 \|\|
254	match_pattern_list("rsa-sha2-512-cert-v01@openssh.com",
255	sigalgs, 0) == 1;
256	} else
257	return match_pattern_list(keyname, sigalgs, 0) == 1;
258	}
259
260	char *
261	sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
262	{
263	char tmp, ret = NULL((void*)0);
264	size_t nlen, rlen = 0;
265	const struct keytype *kt;
266
267	for (kt = keytypes; kt->type != -1; kt++) {
268	if (kt->name == NULL((void*)0))
269	continue;
270	if (!include_sigonly && kt->sigonly)
271	continue;
272	if ((certs_only && !kt->cert) \|\| (plain_only && kt->cert))
273	continue;
274	if (ret != NULL((void*)0))
275	ret[rlen++] = sep;
276	nlen = strlen(kt->name);
277	if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL((void*)0)) {
278	free(ret);
279	return NULL((void*)0);
280	}
281	ret = tmp;
282	memcpy(ret + rlen, kt->name, nlen + 1);
283	rlen += nlen;
284	}
285	return ret;
286	}
287
288	int
289	sshkey_names_valid2(const char *names, int allow_wildcard)
290	{
291	char s, cp, *p;
292	const struct keytype *kt;
293	int type;
294
295	if (names == NULL((void*)0) \|\| strcmp(names, "") == 0)
296	return 0;
297	if ((s = cp = strdup(names)) == NULL((void*)0))
298	return 0;
299	for ((p = strsep(&cp, ",")); p && *p != '\0';
300	(p = strsep(&cp, ","))) {
301	type = sshkey_type_from_name(p);
302	if (type == KEY_UNSPEC) {
303	if (allow_wildcard) {
304	/*
305	* Try matching key types against the string.
306	* If any has a positive or negative match then
307	* the component is accepted.
308	*/
309	for (kt = keytypes; kt->type != -1; kt++) {
310	if (match_pattern_list(kt->name,
311	p, 0) != 0)
312	break;
313	}
314	if (kt->type != -1)
315	continue;
316	}
317	free(s);
318	return 0;
319	}
320	}
321	free(s);
322	return 1;
323	}
324
325	u_int
326	sshkey_size(const struct sshkey *k)
327	{
328	#ifdef WITH_OPENSSL1
329	const BIGNUM rsa_n, dsa_p;
330	#endif /* WITH_OPENSSL */
331
332	switch (k->type) {
333	#ifdef WITH_OPENSSL1
334	case KEY_RSA:
335	case KEY_RSA_CERT:
336	if (k->rsa == NULL((void*)0))
337	return 0;
338	RSA_get0_key(k->rsa, &rsa_n, NULL((void)0), NULL((void)0));
339	return BN_num_bits(rsa_n);
340	case KEY_DSA:
341	case KEY_DSA_CERT:
342	if (k->dsa == NULL((void*)0))
343	return 0;
344	DSA_get0_pqg(k->dsa, &dsa_p, NULL((void)0), NULL((void)0));
345	return BN_num_bits(dsa_p);
346	case KEY_ECDSA:
347	case KEY_ECDSA_CERT:
348	case KEY_ECDSA_SK:
349	case KEY_ECDSA_SK_CERT:
350	return sshkey_curve_nid_to_bits(k->ecdsa_nid);
351	#endif /* WITH_OPENSSL */
352	case KEY_ED25519:
353	case KEY_ED25519_CERT:
354	case KEY_ED25519_SK:
355	case KEY_ED25519_SK_CERT:
356	case KEY_XMSS:
357	case KEY_XMSS_CERT:
358	return 256; /* XXX */
359	}
360	return 0;
361	}
362
363	static int
364	sshkey_type_is_valid_ca(int type)
365	{
366	switch (type) {
367	case KEY_RSA:
368	case KEY_DSA:
369	case KEY_ECDSA:
370	case KEY_ECDSA_SK:
371	case KEY_ED25519:
372	case KEY_ED25519_SK:
373	case KEY_XMSS:
374	return 1;
375	default:
376	return 0;
377	}
378	}
379
380	int
381	sshkey_is_cert(const struct sshkey *k)
382	{
383	if (k == NULL((void*)0))
384	return 0;
385	return sshkey_type_is_cert(k->type);
386	}
387
388	int
389	sshkey_is_sk(const struct sshkey *k)
390	{
391	if (k == NULL((void*)0))
392	return 0;
393	switch (sshkey_type_plain(k->type)) {
394	case KEY_ECDSA_SK:
395	case KEY_ED25519_SK:
396	return 1;
397	default:
398	return 0;
399	}
400	}
401
402	/* Return the cert-less equivalent to a certified key type */
403	int
404	sshkey_type_plain(int type)
405	{
406	switch (type) {
407	case KEY_RSA_CERT:
408	return KEY_RSA;
409	case KEY_DSA_CERT:
410	return KEY_DSA;
411	case KEY_ECDSA_CERT:
412	return KEY_ECDSA;
413	case KEY_ECDSA_SK_CERT:
414	return KEY_ECDSA_SK;
415	case KEY_ED25519_CERT:
416	return KEY_ED25519;
417	case KEY_ED25519_SK_CERT:
418	return KEY_ED25519_SK;
419	case KEY_XMSS_CERT:
420	return KEY_XMSS;
421	default:
422	return type;
423	}
424	}
425
426	#ifdef WITH_OPENSSL1
427	/* XXX: these are really begging for a table-driven approach */
428	int
429	sshkey_curve_name_to_nid(const char *name)
430	{
431	if (strcmp(name, "nistp256") == 0)
432	return NID_X9_62_prime256v1415;
433	else if (strcmp(name, "nistp384") == 0)
434	return NID_secp384r1715;
435	else if (strcmp(name, "nistp521") == 0)
436	return NID_secp521r1716;
437	else
438	return -1;
439	}
440
441	u_int
442	sshkey_curve_nid_to_bits(int nid)
443	{
444	switch (nid) {
445	case NID_X9_62_prime256v1415:
446	return 256;
447	case NID_secp384r1715:
448	return 384;
449	case NID_secp521r1716:
450	return 521;
451	default:
452	return 0;
453	}
454	}
455
456	int
457	sshkey_ecdsa_bits_to_nid(int bits)
458	{
459	switch (bits) {
460	case 256:
461	return NID_X9_62_prime256v1415;
462	case 384:
463	return NID_secp384r1715;
464	case 521:
465	return NID_secp521r1716;
466	default:
467	return -1;
468	}
469	}
470
471	const char *
472	sshkey_curve_nid_to_name(int nid)
473	{
474	switch (nid) {
475	case NID_X9_62_prime256v1415:
476	return "nistp256";
477	case NID_secp384r1715:
478	return "nistp384";
479	case NID_secp521r1716:
480	return "nistp521";
481	default:
482	return NULL((void*)0);
483	}
484	}
485
486	int
487	sshkey_ec_nid_to_hash_alg(int nid)
488	{
489	int kbits = sshkey_curve_nid_to_bits(nid);
490
491	if (kbits <= 0)
492	return -1;
493
494	/* RFC5656 section 6.2.1 */
495	if (kbits <= 256)
496	return SSH_DIGEST_SHA2562;
497	else if (kbits <= 384)
498	return SSH_DIGEST_SHA3843;
499	else
500	return SSH_DIGEST_SHA5124;
501	}
502	#endif /* WITH_OPENSSL */
503
504	static void
505	cert_free(struct sshkey_cert *cert)
506	{
507	u_int i;
508
509	if (cert == NULL((void*)0))
510	return;
511	sshbuf_free(cert->certblob);
512	sshbuf_free(cert->critical);
513	sshbuf_free(cert->extensions);
514	free(cert->key_id);
515	for (i = 0; i < cert->nprincipals; i++)
516	free(cert->principals[i]);
517	free(cert->principals);
518	sshkey_free(cert->signature_key);
519	free(cert->signature_type);
520	freezero(cert, sizeof(*cert));
521	}
522
523	static struct sshkey_cert *
524	cert_new(void)
525	{
526	struct sshkey_cert *cert;
527
528	if ((cert = calloc(1, sizeof(cert))) == NULL((void)0))
529	return NULL((void*)0);
530	if ((cert->certblob = sshbuf_new()) == NULL((void*)0) \|\|
531	(cert->critical = sshbuf_new()) == NULL((void*)0) \|\|
532	(cert->extensions = sshbuf_new()) == NULL((void*)0)) {
533	cert_free(cert);
534	return NULL((void*)0);
535	}
536	cert->key_id = NULL((void*)0);
537	cert->principals = NULL((void*)0);
538	cert->signature_key = NULL((void*)0);
539	cert->signature_type = NULL((void*)0);
540	return cert;
541	}
542
543	struct sshkey *
544	sshkey_new(int type)
545	{
546	struct sshkey *k;
547	#ifdef WITH_OPENSSL1
548	RSA *rsa;
549	DSA *dsa;
550	#endif /* WITH_OPENSSL */
551
552	if ((k = calloc(1, sizeof(k))) == NULL((void)0))
553	return NULL((void*)0);
554	k->type = type;
555	k->ecdsa = NULL((void*)0);
556	k->ecdsa_nid = -1;
557	k->dsa = NULL((void*)0);
558	k->rsa = NULL((void*)0);
559	k->cert = NULL((void*)0);
560	k->ed25519_sk = NULL((void*)0);
561	k->ed25519_pk = NULL((void*)0);
562	k->xmss_sk = NULL((void*)0);
563	k->xmss_pk = NULL((void*)0);
564	switch (k->type) {
565	#ifdef WITH_OPENSSL1
566	case KEY_RSA:
567	case KEY_RSA_CERT:
568	if ((rsa = RSA_new()) == NULL((void*)0)) {
569	free(k);
570	return NULL((void*)0);
571	}
572	k->rsa = rsa;
573	break;
574	case KEY_DSA:
575	case KEY_DSA_CERT:
576	if ((dsa = DSA_new()) == NULL((void*)0)) {
577	free(k);
578	return NULL((void*)0);
579	}
580	k->dsa = dsa;
581	break;
582	case KEY_ECDSA:
583	case KEY_ECDSA_CERT:
584	case KEY_ECDSA_SK:
585	case KEY_ECDSA_SK_CERT:
586	/* Cannot do anything until we know the group */
587	break;
588	#endif /* WITH_OPENSSL */
589	case KEY_ED25519:
590	case KEY_ED25519_CERT:
591	case KEY_ED25519_SK:
592	case KEY_ED25519_SK_CERT:
593	case KEY_XMSS:
594	case KEY_XMSS_CERT:
595	/* no need to prealloc */
596	break;
597	case KEY_UNSPEC:
598	break;
599	default:
600	free(k);
601	return NULL((void*)0);
602	}
603
604	if (sshkey_is_cert(k)) {
605	if ((k->cert = cert_new()) == NULL((void*)0)) {
606	sshkey_free(k);
607	return NULL((void*)0);
608	}
609	}
610
611	return k;
612	}
613
614	void
615	sshkey_free(struct sshkey *k)
616	{
617	if (k == NULL((void*)0))
618	return;
619	switch (k->type) {
620	#ifdef WITH_OPENSSL1
621	case KEY_RSA:
622	case KEY_RSA_CERT:
623	RSA_free(k->rsa);
624	k->rsa = NULL((void*)0);
625	break;
626	case KEY_DSA:
627	case KEY_DSA_CERT:
628	DSA_free(k->dsa);
629	k->dsa = NULL((void*)0);
630	break;
631	case KEY_ECDSA_SK:
632	case KEY_ECDSA_SK_CERT:
633	free(k->sk_application);
634	sshbuf_free(k->sk_key_handle);
635	sshbuf_free(k->sk_reserved);
636	/* FALLTHROUGH */
637	case KEY_ECDSA:
638	case KEY_ECDSA_CERT:
639	EC_KEY_free(k->ecdsa);
640	k->ecdsa = NULL((void*)0);
641	break;
642	#endif /* WITH_OPENSSL */
643	case KEY_ED25519_SK:
644	case KEY_ED25519_SK_CERT:
645	free(k->sk_application);
646	sshbuf_free(k->sk_key_handle);
647	sshbuf_free(k->sk_reserved);
648	/* FALLTHROUGH */
649	case KEY_ED25519:
650	case KEY_ED25519_CERT:
651	freezero(k->ed25519_pk, ED25519_PK_SZ32U);
652	k->ed25519_pk = NULL((void*)0);
653	freezero(k->ed25519_sk, ED25519_SK_SZ64U);
654	k->ed25519_sk = NULL((void*)0);
655	break;
656	#ifdef WITH_XMSS
657	case KEY_XMSS:
658	case KEY_XMSS_CERT:
659	freezero(k->xmss_pk, sshkey_xmss_pklen(k));
660	k->xmss_pk = NULL((void*)0);
661	freezero(k->xmss_sk, sshkey_xmss_sklen(k));
662	k->xmss_sk = NULL((void*)0);
663	sshkey_xmss_free_state(k);
664	free(k->xmss_name);
665	k->xmss_name = NULL((void*)0);
666	free(k->xmss_filename);
667	k->xmss_filename = NULL((void*)0);
668	break;
669	#endif /* WITH_XMSS */
670	case KEY_UNSPEC:
671	break;
672	default:
673	break;
674	}
675	if (sshkey_is_cert(k))
676	cert_free(k->cert);
677	freezero(k->shielded_private, k->shielded_len);
678	freezero(k->shield_prekey, k->shield_prekey_len);
679	freezero(k, sizeof(*k));
680	}
681
682	static int
683	cert_compare(struct sshkey_cert a, struct sshkey_cert b)
684	{
685	if (a == NULL((void)0) && b == NULL((void)0))
686	return 1;
687	if (a == NULL((void)0) \|\| b == NULL((void)0))
688	return 0;
689	if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
690	return 0;
691	if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
692	sshbuf_len(a->certblob)) != 0)
693	return 0;
694	return 1;
695	}
696
697	/*
698	* Compare public portions of key only, allowing comparisons between
699	* certificates and plain keys too.
700	*/
701	int
702	sshkey_equal_public(const struct sshkey a, const struct sshkey b)
703	{
704	#ifdef WITH_OPENSSL1
705	const BIGNUM rsa_e_a, rsa_n_a;
706	const BIGNUM rsa_e_b, rsa_n_b;
707	const BIGNUM dsa_p_a, dsa_q_a, dsa_g_a, dsa_pub_key_a;
708	const BIGNUM dsa_p_b, dsa_q_b, dsa_g_b, dsa_pub_key_b;
709	#endif /* WITH_OPENSSL */
710
711	if (a == NULL((void)0) \|\| b == NULL((void)0) \|\|
712	sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
713	return 0;
714
715	switch (a->type) {
716	#ifdef WITH_OPENSSL1
717	case KEY_RSA_CERT:
718	case KEY_RSA:
719	if (a->rsa == NULL((void)0) \|\| b->rsa == NULL((void)0))
720	return 0;
721	RSA_get0_key(a->rsa, &rsa_n_a, &rsa_e_a, NULL((void*)0));
722	RSA_get0_key(b->rsa, &rsa_n_b, &rsa_e_b, NULL((void*)0));
723	return BN_cmp(rsa_e_a, rsa_e_b) == 0 &&
724	BN_cmp(rsa_n_a, rsa_n_b) == 0;
725	case KEY_DSA_CERT:
726	case KEY_DSA:
727	if (a->dsa == NULL((void)0) \|\| b->dsa == NULL((void)0))
728	return 0;
729	DSA_get0_pqg(a->dsa, &dsa_p_a, &dsa_q_a, &dsa_g_a);
730	DSA_get0_pqg(b->dsa, &dsa_p_b, &dsa_q_b, &dsa_g_b);
731	DSA_get0_key(a->dsa, &dsa_pub_key_a, NULL((void*)0));
732	DSA_get0_key(b->dsa, &dsa_pub_key_b, NULL((void*)0));
733	return BN_cmp(dsa_p_a, dsa_p_b) == 0 &&
734	BN_cmp(dsa_q_a, dsa_q_b) == 0 &&
735	BN_cmp(dsa_g_a, dsa_g_b) == 0 &&
736	BN_cmp(dsa_pub_key_a, dsa_pub_key_b) == 0;
737	case KEY_ECDSA_SK:
738	case KEY_ECDSA_SK_CERT:
739	if (a->sk_application == NULL((void)0) \|\| b->sk_application == NULL((void)0))
740	return 0;
741	if (strcmp(a->sk_application, b->sk_application) != 0)
742	return 0;
743	/* FALLTHROUGH */
744	case KEY_ECDSA_CERT:
745	case KEY_ECDSA:
746	if (a->ecdsa == NULL((void)0) \|\| b->ecdsa == NULL((void)0) \|\|
747	EC_KEY_get0_public_key(a->ecdsa) == NULL((void*)0) \|\|
748	EC_KEY_get0_public_key(b->ecdsa) == NULL((void*)0))
749	return 0;
750	if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
751	EC_KEY_get0_group(b->ecdsa), NULL((void*)0)) != 0 \|\|
752	EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
753	EC_KEY_get0_public_key(a->ecdsa),
754	EC_KEY_get0_public_key(b->ecdsa), NULL((void*)0)) != 0)
755	return 0;
756	return 1;
757	#endif /* WITH_OPENSSL */
758	case KEY_ED25519_SK:
759	case KEY_ED25519_SK_CERT:
760	if (a->sk_application == NULL((void)0) \|\| b->sk_application == NULL((void)0))
761	return 0;
762	if (strcmp(a->sk_application, b->sk_application) != 0)
763	return 0;
764	/* FALLTHROUGH */
765	case KEY_ED25519:
766	case KEY_ED25519_CERT:
767	return a->ed25519_pk != NULL((void)0) && b->ed25519_pk != NULL((void)0) &&
768	memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ32U) == 0;
769	#ifdef WITH_XMSS
770	case KEY_XMSS:
771	case KEY_XMSS_CERT:
772	return a->xmss_pk != NULL((void)0) && b->xmss_pk != NULL((void)0) &&
773	sshkey_xmss_pklen(a) == sshkey_xmss_pklen(b) &&
774	memcmp(a->xmss_pk, b->xmss_pk, sshkey_xmss_pklen(a)) == 0;
775	#endif /* WITH_XMSS */
776	default:
777	return 0;
778	}
779	/* NOTREACHED */
780	}
781
782	int
783	sshkey_equal(const struct sshkey a, const struct sshkey b)
784	{
785	if (a == NULL((void)0) \|\| b == NULL((void)0) \|\| a->type != b->type)
786	return 0;
787	if (sshkey_is_cert(a)) {
788	if (!cert_compare(a->cert, b->cert))
789	return 0;
790	}
791	return sshkey_equal_public(a, b);
792	}
793
794	static int
795	to_blob_buf(const struct sshkey key, struct sshbuf b, int force_plain,
796	enum sshkey_serialize_rep opts)
797	{
798	int type, ret = SSH_ERR_INTERNAL_ERROR-1;
799	const char *typename;
800	#ifdef WITH_OPENSSL1
801	const BIGNUM rsa_n, rsa_e, dsa_p, dsa_q, dsa_g, dsa_pub_key;
802	#endif /* WITH_OPENSSL */
803
804	if (key == NULL((void*)0))
805	return SSH_ERR_INVALID_ARGUMENT-10;
806
807	if (sshkey_is_cert(key)) {
808	if (key->cert == NULL((void*)0))
809	return SSH_ERR_EXPECTED_CERT-16;
810	if (sshbuf_len(key->cert->certblob) == 0)
811	return SSH_ERR_KEY_LACKS_CERTBLOB-17;
812	}
813	type = force_plain ? sshkey_type_plain(key->type) : key->type;
814	typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
815
816	switch (type) {
817	#ifdef WITH_OPENSSL1
818	case KEY_DSA_CERT:
819	case KEY_ECDSA_CERT:
820	case KEY_ECDSA_SK_CERT:
821	case KEY_RSA_CERT:
822	#endif /* WITH_OPENSSL */
823	case KEY_ED25519_CERT:
824	case KEY_ED25519_SK_CERT:
825	#ifdef WITH_XMSS
826	case KEY_XMSS_CERT:
827	#endif /* WITH_XMSS */
828	/* Use the existing blob */
829	/* XXX modified flag? */
830	if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
831	return ret;
832	break;
833	#ifdef WITH_OPENSSL1
834	case KEY_DSA:
835	if (key->dsa == NULL((void*)0))
836	return SSH_ERR_INVALID_ARGUMENT-10;
837	DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
838	DSA_get0_key(key->dsa, &dsa_pub_key, NULL((void*)0));
839	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
840	(ret = sshbuf_put_bignum2(b, dsa_p)) != 0 \|\|
841	(ret = sshbuf_put_bignum2(b, dsa_q)) != 0 \|\|
842	(ret = sshbuf_put_bignum2(b, dsa_g)) != 0 \|\|
843	(ret = sshbuf_put_bignum2(b, dsa_pub_key)) != 0)
844	return ret;
845	break;
846	case KEY_ECDSA:
847	case KEY_ECDSA_SK:
848	if (key->ecdsa == NULL((void*)0))
849	return SSH_ERR_INVALID_ARGUMENT-10;
850	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
851	(ret = sshbuf_put_cstring(b,
852	sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 \|\|
853	(ret = sshbuf_put_eckey(b, key->ecdsa)) != 0)
854	return ret;
855	if (type == KEY_ECDSA_SK) {
856	if ((ret = sshbuf_put_cstring(b,
857	key->sk_application)) != 0)
858	return ret;
859	}
860	break;
861	case KEY_RSA:
862	if (key->rsa == NULL((void*)0))
863	return SSH_ERR_INVALID_ARGUMENT-10;
864	RSA_get0_key(key->rsa, &rsa_n, &rsa_e, NULL((void*)0));
865	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
866	(ret = sshbuf_put_bignum2(b, rsa_e)) != 0 \|\|
867	(ret = sshbuf_put_bignum2(b, rsa_n)) != 0)
868	return ret;
869	break;
870	#endif /* WITH_OPENSSL */
871	case KEY_ED25519:
872	case KEY_ED25519_SK:
873	if (key->ed25519_pk == NULL((void*)0))
874	return SSH_ERR_INVALID_ARGUMENT-10;
875	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
876	(ret = sshbuf_put_string(b,
877	key->ed25519_pk, ED25519_PK_SZ32U)) != 0)
878	return ret;
879	if (type == KEY_ED25519_SK) {
880	if ((ret = sshbuf_put_cstring(b,
881	key->sk_application)) != 0)
882	return ret;
883	}
884	break;
885	#ifdef WITH_XMSS
886	case KEY_XMSS:
887	if (key->xmss_name == NULL((void)0) \|\| key->xmss_pk == NULL((void)0) \|\|
888	sshkey_xmss_pklen(key) == 0)
889	return SSH_ERR_INVALID_ARGUMENT-10;
890	if ((ret = sshbuf_put_cstring(b, typename)) != 0 \|\|
891	(ret = sshbuf_put_cstring(b, key->xmss_name)) != 0 \|\|
892	(ret = sshbuf_put_string(b,
893	key->xmss_pk, sshkey_xmss_pklen(key))) != 0 \|\|
894	(ret = sshkey_xmss_serialize_pk_info(key, b, opts)) != 0)
895	return ret;
896	break;
897	#endif /* WITH_XMSS */
898	default:
899	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
900	}
901	return 0;
902	}
903
904	int
905	sshkey_putb(const struct sshkey key, struct sshbuf b)
906	{
907	return to_blob_buf(key, b, 0, SSHKEY_SERIALIZE_DEFAULT);
908	}
909
910	int
911	sshkey_puts_opts(const struct sshkey key, struct sshbuf b,
912	enum sshkey_serialize_rep opts)
913	{
914	struct sshbuf *tmp;
915	int r;
916
917	if ((tmp = sshbuf_new()) == NULL((void*)0))
918	return SSH_ERR_ALLOC_FAIL-2;
919	r = to_blob_buf(key, tmp, 0, opts);
920	if (r == 0)
921	r = sshbuf_put_stringb(b, tmp);
922	sshbuf_free(tmp);
923	return r;
924	}
925
926	int
927	sshkey_puts(const struct sshkey key, struct sshbuf b)
928	{
929	return sshkey_puts_opts(key, b, SSHKEY_SERIALIZE_DEFAULT);
930	}
931
932	int
933	sshkey_putb_plain(const struct sshkey key, struct sshbuf b)
934	{
935	return to_blob_buf(key, b, 1, SSHKEY_SERIALIZE_DEFAULT);
936	}
937
938	static int
939	to_blob(const struct sshkey key, u_char blobp, size_t lenp, int force_plain,
940	enum sshkey_serialize_rep opts)
941	{
942	int ret = SSH_ERR_INTERNAL_ERROR-1;
943	size_t len;
944	struct sshbuf b = NULL((void)0);
945
946	if (lenp != NULL((void*)0))
947	*lenp = 0;
948	if (blobp != NULL((void*)0))
949	blobp = NULL((void)0);
950	if ((b = sshbuf_new()) == NULL((void*)0))
951	return SSH_ERR_ALLOC_FAIL-2;
952	if ((ret = to_blob_buf(key, b, force_plain, opts)) != 0)
953	goto out;
954	len = sshbuf_len(b);
955	if (lenp != NULL((void*)0))
956	*lenp = len;
957	if (blobp != NULL((void*)0)) {
958	if ((blobp = malloc(len)) == NULL((void)0)) {
959	ret = SSH_ERR_ALLOC_FAIL-2;
960	goto out;
961	}
962	memcpy(*blobp, sshbuf_ptr(b), len);
963	}
964	ret = 0;
965	out:
966	sshbuf_free(b);
967	return ret;
968	}
969
970	int
971	sshkey_to_blob(const struct sshkey key, u_char blobp, size_t lenp)
972	{
973	return to_blob(key, blobp, lenp, 0, SSHKEY_SERIALIZE_DEFAULT);
974	}
975
976	int
977	sshkey_plain_to_blob(const struct sshkey key, u_char blobp, size_t lenp)
978	{
979	return to_blob(key, blobp, lenp, 1, SSHKEY_SERIALIZE_DEFAULT);
980	}
981
982	int
983	sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
984	u_char *retp, size_t lenp)
985	{
986	u_char blob = NULL((void)0), ret = NULL((void)0);
987	size_t blob_len = 0;
988	int r = SSH_ERR_INTERNAL_ERROR-1;
989
990	if (retp != NULL((void*)0))
991	retp = NULL((void)0);
992	if (lenp != NULL((void*)0))
993	*lenp = 0;
994	if (ssh_digest_bytes(dgst_alg) == 0) {
995	r = SSH_ERR_INVALID_ARGUMENT-10;
996	goto out;
997	}
998	if ((r = to_blob(k, &blob, &blob_len, 1, SSHKEY_SERIALIZE_DEFAULT))
999	!= 0)
1000	goto out;
1001	if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH64)) == NULL((void*)0)) {
1002	r = SSH_ERR_ALLOC_FAIL-2;
1003	goto out;
1004	}
1005	if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
1006	ret, SSH_DIGEST_MAX_LENGTH64)) != 0)
1007	goto out;
1008	/* success */
1009	if (retp != NULL((void*)0)) {
1010	*retp = ret;
1011	ret = NULL((void*)0);
1012	}
1013	if (lenp != NULL((void*)0))
1014	*lenp = ssh_digest_bytes(dgst_alg);
1015	r = 0;
1016	out:
1017	free(ret);
1018	if (blob != NULL((void*)0))
1019	freezero(blob, blob_len);
1020	return r;
1021	}
1022
1023	static char *
1024	fingerprint_b64(const char alg, u_char dgst_raw, size_t dgst_raw_len)
1025	{
1026	char *ret;
1027	size_t plen = strlen(alg) + 1;
1028	size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
1029
1030	if (dgst_raw_len > 65536 \|\| (ret = calloc(1, rlen)) == NULL((void*)0))
1031	return NULL((void*)0);
1032	strlcpy(ret, alg, rlen);
1033	strlcat(ret, ":", rlen);
1034	if (dgst_raw_len == 0)
1035	return ret;
1036	if (b64_ntop__b64_ntop(dgst_raw, dgst_raw_len, ret + plen, rlen - plen) == -1) {
1037	freezero(ret, rlen);
1038	return NULL((void*)0);
1039	}
1040	/* Trim padding characters from end */
1041	ret[strcspn(ret, "=")] = '\0';
1042	return ret;
1043	}
1044
1045	static char *
1046	fingerprint_hex(const char alg, u_char dgst_raw, size_t dgst_raw_len)
1047	{
1048	char *retval, hex[5];
1049	size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
1050
1051	if (dgst_raw_len > 65536 \|\| (retval = calloc(1, rlen)) == NULL((void*)0))
1052	return NULL((void*)0);
1053	strlcpy(retval, alg, rlen);
1054	strlcat(retval, ":", rlen);
1055	for (i = 0; i < dgst_raw_len; i++) {
1056	snprintf(hex, sizeof(hex), "%s%02x",
1057	i > 0 ? ":" : "", dgst_raw[i]);
1058	strlcat(retval, hex, rlen);
1059	}
1060	return retval;
1061	}
1062
1063	static char *
1064	fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
1065	{
1066	char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
1067	char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
1068	'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
1069	u_int i, j = 0, rounds, seed = 1;
1070	char *retval;
1071
1072	rounds = (dgst_raw_len / 2) + 1;
1073	if ((retval = calloc(rounds, 6)) == NULL((void*)0))
1074	return NULL((void*)0);
1075	retval[j++] = 'x';
1076	for (i = 0; i < rounds; i++) {
1077	u_int idx0, idx1, idx2, idx3, idx4;
1078	if ((i + 1 < rounds) \|\| (dgst_raw_len % 2 != 0)) {
1079	idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
1080	seed) % 6;
1081	idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
1082	idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
1083	(seed / 6)) % 6;
1084	retval[j++] = vowels[idx0];
1085	retval[j++] = consonants[idx1];
1086	retval[j++] = vowels[idx2];
1087	if ((i + 1) < rounds) {
1088	idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
1089	idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
1090	retval[j++] = consonants[idx3];
1091	retval[j++] = '-';
1092	retval[j++] = consonants[idx4];
1093	seed = ((seed * 5) +
1094	((((u_int)(dgst_raw[2 * i])) * 7) +
1095	((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
1096	}
1097	} else {
1098	idx0 = seed % 6;
1099	idx1 = 16;
1100	idx2 = seed / 6;
1101	retval[j++] = vowels[idx0];
1102	retval[j++] = consonants[idx1];
1103	retval[j++] = vowels[idx2];
1104	}
1105	}
1106	retval[j++] = 'x';
1107	retval[j++] = '\0';
1108	return retval;
1109	}
1110
1111	/*
1112	* Draw an ASCII-Art representing the fingerprint so human brain can
1113	* profit from its built-in pattern recognition ability.
1114	* This technique is called "random art" and can be found in some
1115	* scientific publications like this original paper:
1116	*
1117	* "Hash Visualization: a New Technique to improve Real-World Security",
1118	* Perrig A. and Song D., 1999, International Workshop on Cryptographic
1119	* Techniques and E-Commerce (CrypTEC '99)
1120	* sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
1121	*
1122	* The subject came up in a talk by Dan Kaminsky, too.
1123	*
1124	* If you see the picture is different, the key is different.
1125	* If the picture looks the same, you still know nothing.
1126	*
1127	* The algorithm used here is a worm crawling over a discrete plane,
1128	* leaving a trace (augmenting the field) everywhere it goes.
1129	* Movement is taken from dgst_raw 2bit-wise. Bumping into walls
1130	* makes the respective movement vector be ignored for this turn.
1131	* Graphs are not unambiguous, because circles in graphs can be
1132	* walked in either direction.
1133	*/
1134
1135	/*
1136	* Field sizes for the random art. Have to be odd, so the starting point
1137	* can be in the exact middle of the picture, and FLDBASE should be >=8 .
1138	* Else pictures would be too dense, and drawing the frame would
1139	* fail, too, because the key type would not fit in anymore.
1140	*/
1141	#define FLDBASE8 8
1142	#define FLDSIZE_Y(8 + 1) (FLDBASE8 + 1)
1143	#define FLDSIZE_X(8 * 2 + 1) (FLDBASE8 * 2 + 1)
1144	static char *
1145	fingerprint_randomart(const char alg, u_char dgst_raw, size_t dgst_raw_len,
1146	const struct sshkey *k)
1147	{
1148	/*
1149	* Chars to be used after each other every time the worm
1150	* intersects with itself. Matter of taste.
1151	*/
1152	char augmentation_string = " .o+=BOX@%&#/^SE";
1153	char retval, p, title[FLDSIZE_X(8 * 2 + 1)], hash[FLDSIZE_X(8 * 2 + 1)];
1154	u_char field[FLDSIZE_X(8 * 2 + 1)][FLDSIZE_Y(8 + 1)];
1155	size_t i, tlen, hlen;
1156	u_int b;
1157	int x, y, r;
1158	size_t len = strlen(augmentation_string) - 1;
1159
1160	if ((retval = calloc((FLDSIZE_X(8 * 2 + 1) + 3), (FLDSIZE_Y(8 + 1) + 2))) == NULL((void*)0))
1161	return NULL((void*)0);
1162
1163	/* initialize field */
1164	memset(field, 0, FLDSIZE_X(8 * 2 + 1) * FLDSIZE_Y(8 + 1) * sizeof(char));
1165	x = FLDSIZE_X(8 * 2 + 1) / 2;
1166	y = FLDSIZE_Y(8 + 1) / 2;
1167
1168	/* process raw key */
1169	for (i = 0; i < dgst_raw_len; i++) {
1170	int input;
1171	/* each byte conveys four 2-bit move commands */
1172	input = dgst_raw[i];
1173	for (b = 0; b < 4; b++) {
1174	/* evaluate 2 bit, rest is shifted later */
1175	x += (input & 0x1) ? 1 : -1;
1176	y += (input & 0x2) ? 1 : -1;
1177
1178	/* assure we are still in bounds */
1179	x = MAXIMUM(x, 0)(((x) > (0)) ? (x) : (0));
1180	y = MAXIMUM(y, 0)(((y) > (0)) ? (y) : (0));
1181	x = MINIMUM(x, FLDSIZE_X - 1)(((x) < ((8 * 2 + 1) - 1)) ? (x) : ((8 * 2 + 1) - 1));
1182	y = MINIMUM(y, FLDSIZE_Y - 1)(((y) < ((8 + 1) - 1)) ? (y) : ((8 + 1) - 1));
1183
1184	/* augment the field */
1185	if (field[x][y] < len - 2)
1186	field[x][y]++;
1187	input = input >> 2;
1188	}
1189	}
1190
1191	/* mark starting point and end point*/
1192	field[FLDSIZE_X(8 * 2 + 1) / 2][FLDSIZE_Y(8 + 1) / 2] = len - 1;
1193	field[x][y] = len;
1194
1195	/* assemble title */
1196	r = snprintf(title, sizeof(title), "[%s %u]",
1197	sshkey_type(k), sshkey_size(k));
1198	/* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
1199	if (r < 0 \|\| r > (int)sizeof(title))
1200	r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
1201	tlen = (r <= 0) ? 0 : strlen(title);
1202
1203	/* assemble hash ID. */
1204	r = snprintf(hash, sizeof(hash), "[%s]", alg);
1205	hlen = (r <= 0) ? 0 : strlen(hash);
1206
1207	/* output upper border */
1208	p = retval;
1209	*p++ = '+';
1210	for (i = 0; i < (FLDSIZE_X(8 * 2 + 1) - tlen) / 2; i++)
1211	*p++ = '-';
1212	memcpy(p, title, tlen);
1213	p += tlen;
1214	for (i += tlen; i < FLDSIZE_X(8 * 2 + 1); i++)
1215	*p++ = '-';
1216	*p++ = '+';
1217	*p++ = '\n';
1218
1219	/* output content */
1220	for (y = 0; y < FLDSIZE_Y(8 + 1); y++) {
1221	*p++ = '\|';
1222	for (x = 0; x < FLDSIZE_X(8 * 2 + 1); x++)
1223	*p++ = augmentation_string[MINIMUM(field[x][y], len)(((field[x][y]) < (len)) ? (field[x][y]) : (len))];
1224	*p++ = '\|';
1225	*p++ = '\n';
1226	}
1227
1228	/* output lower border */
1229	*p++ = '+';
1230	for (i = 0; i < (FLDSIZE_X(8 * 2 + 1) - hlen) / 2; i++)
1231	*p++ = '-';
1232	memcpy(p, hash, hlen);
1233	p += hlen;
1234	for (i += hlen; i < FLDSIZE_X(8 * 2 + 1); i++)
1235	*p++ = '-';
1236	*p++ = '+';
1237
1238	return retval;
1239	}
1240
1241	char *
1242	sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
1243	enum sshkey_fp_rep dgst_rep)
1244	{
1245	char retval = NULL((void)0);
1246	u_char *dgst_raw;
1247	size_t dgst_raw_len;
1248
1249	if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
1250	return NULL((void*)0);
1251	switch (dgst_rep) {
1252	case SSH_FP_DEFAULT:
1253	if (dgst_alg == SSH_DIGEST_MD50) {
1254	retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
1255	dgst_raw, dgst_raw_len);
1256	} else {
1257	retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
1258	dgst_raw, dgst_raw_len);
1259	}
1260	break;
1261	case SSH_FP_HEX:
1262	retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
1263	dgst_raw, dgst_raw_len);
1264	break;
1265	case SSH_FP_BASE64:
1266	retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
1267	dgst_raw, dgst_raw_len);
1268	break;
1269	case SSH_FP_BUBBLEBABBLE:
1270	retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
1271	break;
1272	case SSH_FP_RANDOMART:
1273	retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
1274	dgst_raw, dgst_raw_len, k);
1275	break;
1276	default:
1277	freezero(dgst_raw, dgst_raw_len);
1278	return NULL((void*)0);
1279	}
1280	freezero(dgst_raw, dgst_raw_len);
1281	return retval;
1282	}
1283
1284	static int
1285	peek_type_nid(const char s, size_t l, int nid)
1286	{
1287	const struct keytype *kt;
1288
1289	for (kt = keytypes; kt->type != -1; kt++) {
1290	if (kt->name == NULL((void*)0) \|\| strlen(kt->name) != l)
1291	continue;
1292	if (memcmp(s, kt->name, l) == 0) {
1293	*nid = -1;
1294	if (key_type_is_ecdsa_variant(kt->type))
1295	*nid = kt->nid;
1296	return kt->type;
1297	}
1298	}
1299	return KEY_UNSPEC;
1300	}
1301
1302	/* XXX this can now be made const char * */
1303	int
1304	sshkey_read(struct sshkey ret, char *cpp)
1305	{
1306	struct sshkey *k;
1307	char cp, blobcopy;
1308	size_t space;
1309	int r, type, curve_nid = -1;
1310	struct sshbuf *blob;
1311
1312	if (ret == NULL((void*)0))
1313	return SSH_ERR_INVALID_ARGUMENT-10;
1314
1315	switch (ret->type) {
1316	case KEY_UNSPEC:
1317	case KEY_RSA:
1318	case KEY_DSA:
1319	case KEY_ECDSA:
1320	case KEY_ECDSA_SK:
1321	case KEY_ED25519:
1322	case KEY_ED25519_SK:
1323	case KEY_DSA_CERT:
1324	case KEY_ECDSA_CERT:
1325	case KEY_ECDSA_SK_CERT:
1326	case KEY_RSA_CERT:
1327	case KEY_ED25519_CERT:
1328	case KEY_ED25519_SK_CERT:
1329	#ifdef WITH_XMSS
1330	case KEY_XMSS:
1331	case KEY_XMSS_CERT:
1332	#endif /* WITH_XMSS */
1333	break; /* ok */
1334	default:
1335	return SSH_ERR_INVALID_ARGUMENT-10;
1336	}
1337
1338	/* Decode type */
1339	cp = *cpp;
1340	space = strcspn(cp, " \t");
1341	if (space == strlen(cp))
1342	return SSH_ERR_INVALID_FORMAT-4;
1343	if ((type = peek_type_nid(cp, space, &curve_nid)) == KEY_UNSPEC)
1344	return SSH_ERR_INVALID_FORMAT-4;
1345
1346	/* skip whitespace */
1347	for (cp += space; cp == ' ' \|\| cp == '\t'; cp++)
1348	;
1349	if (*cp == '\0')
1350	return SSH_ERR_INVALID_FORMAT-4;
1351	if (ret->type != KEY_UNSPEC && ret->type != type)
1352	return SSH_ERR_KEY_TYPE_MISMATCH-13;
1353	if ((blob = sshbuf_new()) == NULL((void*)0))
1354	return SSH_ERR_ALLOC_FAIL-2;
1355
1356	/* find end of keyblob and decode */
1357	space = strcspn(cp, " \t");
1358	if ((blobcopy = strndup(cp, space)) == NULL((void*)0)) {
1359	sshbuf_free(blob);
1360	return SSH_ERR_ALLOC_FAIL-2;
1361	}
1362	if ((r = sshbuf_b64tod(blob, blobcopy)) != 0) {
1363	free(blobcopy);
1364	sshbuf_free(blob);
1365	return r;
1366	}
1367	free(blobcopy);
1368	if ((r = sshkey_fromb(blob, &k)) != 0) {
1369	sshbuf_free(blob);
1370	return r;
1371	}
1372	sshbuf_free(blob);
1373
1374	/* skip whitespace and leave cp at start of comment */
1375	for (cp += space; cp == ' ' \|\| cp == '\t'; cp++)
1376	;
1377
1378	/* ensure type of blob matches type at start of line */
1379	if (k->type != type) {
1380	sshkey_free(k);
1381	return SSH_ERR_KEY_TYPE_MISMATCH-13;
1382	}
1383	if (key_type_is_ecdsa_variant(type) && curve_nid != k->ecdsa_nid) {
1384	sshkey_free(k);
1385	return SSH_ERR_EC_CURVE_MISMATCH-15;
1386	}
1387
1388	/* Fill in ret from parsed key */
1389	ret->type = type;
1390	if (sshkey_is_cert(ret)) {
1391	if (!sshkey_is_cert(k)) {
1392	sshkey_free(k);
1393	return SSH_ERR_EXPECTED_CERT-16;
1394	}
1395	if (ret->cert != NULL((void*)0))
1396	cert_free(ret->cert);
1397	ret->cert = k->cert;
1398	k->cert = NULL((void*)0);
1399	}
1400	switch (sshkey_type_plain(ret->type)) {
1401	#ifdef WITH_OPENSSL1
1402	case KEY_RSA:
1403	RSA_free(ret->rsa);
1404	ret->rsa = k->rsa;
1405	k->rsa = NULL((void*)0);
1406	#ifdef DEBUG_PK
1407	RSA_print_fp(stderr(&__sF[2]), ret->rsa, 8);
1408	#endif
1409	break;
1410	case KEY_DSA:
1411	DSA_free(ret->dsa);
1412	ret->dsa = k->dsa;
1413	k->dsa = NULL((void*)0);
1414	#ifdef DEBUG_PK
1415	DSA_print_fp(stderr(&__sF[2]), ret->dsa, 8);
1416	#endif
1417	break;
1418	case KEY_ECDSA:
1419	EC_KEY_free(ret->ecdsa);
1420	ret->ecdsa = k->ecdsa;
1421	ret->ecdsa_nid = k->ecdsa_nid;
1422	k->ecdsa = NULL((void*)0);
1423	k->ecdsa_nid = -1;
1424	#ifdef DEBUG_PK
1425	sshkey_dump_ec_key(ret->ecdsa);
1426	#endif
1427	break;
1428	case KEY_ECDSA_SK:
1429	EC_KEY_free(ret->ecdsa);
1430	ret->ecdsa = k->ecdsa;
1431	ret->ecdsa_nid = k->ecdsa_nid;
1432	ret->sk_application = k->sk_application;
1433	k->ecdsa = NULL((void*)0);
1434	k->ecdsa_nid = -1;
1435	k->sk_application = NULL((void*)0);
1436	#ifdef DEBUG_PK
1437	sshkey_dump_ec_key(ret->ecdsa);
1438	fprintf(stderr(&__sF[2]), "App: %s\n", ret->sk_application);
1439	#endif
1440	break;
1441	#endif /* WITH_OPENSSL */
1442	case KEY_ED25519:
1443	freezero(ret->ed25519_pk, ED25519_PK_SZ32U);
1444	ret->ed25519_pk = k->ed25519_pk;
1445	k->ed25519_pk = NULL((void*)0);
1446	#ifdef DEBUG_PK
1447	/* XXX */
1448	#endif
1449	break;
1450	case KEY_ED25519_SK:
1451	freezero(ret->ed25519_pk, ED25519_PK_SZ32U);
1452	ret->ed25519_pk = k->ed25519_pk;
1453	ret->sk_application = k->sk_application;
1454	k->ed25519_pk = NULL((void*)0);
1455	k->sk_application = NULL((void*)0);
1456	break;
1457	#ifdef WITH_XMSS
1458	case KEY_XMSS:
1459	free(ret->xmss_pk);
1460	ret->xmss_pk = k->xmss_pk;
1461	k->xmss_pk = NULL((void*)0);
1462	free(ret->xmss_state);
1463	ret->xmss_state = k->xmss_state;
1464	k->xmss_state = NULL((void*)0);
1465	free(ret->xmss_name);
1466	ret->xmss_name = k->xmss_name;
1467	k->xmss_name = NULL((void*)0);
1468	free(ret->xmss_filename);
1469	ret->xmss_filename = k->xmss_filename;
1470	k->xmss_filename = NULL((void*)0);
1471	#ifdef DEBUG_PK
1472	/* XXX */
1473	#endif
1474	break;
1475	#endif /* WITH_XMSS */
1476	default:
1477	sshkey_free(k);
1478	return SSH_ERR_INTERNAL_ERROR-1;
1479	}
1480	sshkey_free(k);
1481
1482	/* success */
1483	*cpp = cp;
1484	return 0;
1485	}
1486
1487	int
1488	sshkey_to_base64(const struct sshkey key, char *b64p)
1489	{
1490	int r = SSH_ERR_INTERNAL_ERROR-1;
1491	struct sshbuf b = NULL((void)0);
1492	char uu = NULL((void)0);
1493
1494	if (b64p != NULL((void*)0))
1495	b64p = NULL((void)0);
1496	if ((b = sshbuf_new()) == NULL((void*)0))
1497	return SSH_ERR_ALLOC_FAIL-2;
1498	if ((r = sshkey_putb(key, b)) != 0)
1499	goto out;
1500	if ((uu = sshbuf_dtob64_string(b, 0)) == NULL((void*)0)) {
1501	r = SSH_ERR_ALLOC_FAIL-2;
1502	goto out;
1503	}
1504	/* Success */
1505	if (b64p != NULL((void*)0)) {
1506	*b64p = uu;
1507	uu = NULL((void*)0);
1508	}
1509	r = 0;
1510	out:
1511	sshbuf_free(b);
1512	free(uu);
1513	return r;
1514	}
1515
1516	int
1517	sshkey_format_text(const struct sshkey key, struct sshbuf b)
1518	{
1519	int r = SSH_ERR_INTERNAL_ERROR-1;
1520	char uu = NULL((void)0);
1521
1522	if ((r = sshkey_to_base64(key, &uu)) != 0)
1523	goto out;
1524	if ((r = sshbuf_putf(b, "%s %s",
1525	sshkey_ssh_name(key), uu)) != 0)
1526	goto out;
1527	r = 0;
1528	out:
1529	free(uu);
1530	return r;
1531	}
1532
1533	int
1534	sshkey_write(const struct sshkey key, FILE f)
1535	{
1536	struct sshbuf b = NULL((void)0);
1537	int r = SSH_ERR_INTERNAL_ERROR-1;
1538
1539	if ((b = sshbuf_new()) == NULL((void*)0))
1540	return SSH_ERR_ALLOC_FAIL-2;
1541	if ((r = sshkey_format_text(key, b)) != 0)
1542	goto out;
1543	if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
1544	if (feof(f)(!__isthreaded ? (((f)->_flags & 0x0020) != 0) : (feof )(f)))
1545	errno(*__errno()) = EPIPE32;
1546	r = SSH_ERR_SYSTEM_ERROR-24;
1547	goto out;
1548	}
1549	/* Success */
1550	r = 0;
1551	out:
1552	sshbuf_free(b);
1553	return r;
1554	}
1555
1556	const char *
1557	sshkey_cert_type(const struct sshkey *k)
1558	{
1559	switch (k->cert->type) {
1560	case SSH2_CERT_TYPE_USER1:
1561	return "user";
1562	case SSH2_CERT_TYPE_HOST2:
1563	return "host";
1564	default:
1565	return "unknown";
1566	}
1567	}
1568
1569	#ifdef WITH_OPENSSL1
1570	static int
1571	rsa_generate_private_key(u_int bits, RSA **rsap)
1572	{
1573	RSA private = NULL((void)0);
1574	BIGNUM f4 = NULL((void)0);
1575	int ret = SSH_ERR_INTERNAL_ERROR-1;
1576
1577	if (rsap == NULL((void*)0))
1578	return SSH_ERR_INVALID_ARGUMENT-10;
1579	if (bits < SSH_RSA_MINIMUM_MODULUS_SIZE1024 \|\|
1580	bits > SSHBUF_MAX_BIGNUM(16384 / 8) * 8)
1581	return SSH_ERR_KEY_LENGTH-56;
1582	rsap = NULL((void)0);
1583	if ((private = RSA_new()) == NULL((void)0) \|\| (f4 = BN_new()) == NULL((void)0)) {
1584	ret = SSH_ERR_ALLOC_FAIL-2;
1585	goto out;
1586	}
1587	if (!BN_set_word(f4, RSA_F40x10001L) \|\|
1588	!RSA_generate_key_ex(private, bits, f4, NULL((void*)0))) {
1589	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
1590	goto out;
1591	}
1592	*rsap = private;
1593	private = NULL((void*)0);
1594	ret = 0;
1595	out:
1596	RSA_free(private);
1597	BN_free(f4);
1598	return ret;
1599	}
1600
1601	static int
1602	dsa_generate_private_key(u_int bits, DSA **dsap)
1603	{
1604	DSA *private;
1605	int ret = SSH_ERR_INTERNAL_ERROR-1;
1606
1607	if (dsap == NULL((void*)0))
1608	return SSH_ERR_INVALID_ARGUMENT-10;
1609	if (bits != 1024)
1610	return SSH_ERR_KEY_LENGTH-56;
1611	if ((private = DSA_new()) == NULL((void*)0)) {
1612	ret = SSH_ERR_ALLOC_FAIL-2;
1613	goto out;
1614	}
1615	dsap = NULL((void)0);
1616	if (!DSA_generate_parameters_ex(private, bits, NULL((void)0), 0, NULL((void)0),
1617	NULL((void)0), NULL((void)0)) \|\| !DSA_generate_key(private)) {
1618	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
1619	goto out;
1620	}
1621	*dsap = private;
1622	private = NULL((void*)0);
1623	ret = 0;
1624	out:
1625	DSA_free(private);
1626	return ret;
1627	}
1628
1629	int
1630	sshkey_ecdsa_key_to_nid(EC_KEY *k)
1631	{
1632	EC_GROUP *eg;
1633	int nids[] = {
1634	NID_X9_62_prime256v1415,
1635	NID_secp384r1715,
1636	NID_secp521r1716,
1637	-1
1638	};
1639	int nid;
1640	u_int i;
1641	const EC_GROUP *g = EC_KEY_get0_group(k);
1642
1643	/*
1644	* The group may be stored in a ASN.1 encoded private key in one of two
1645	* ways: as a "named group", which is reconstituted by ASN.1 object ID
1646	* or explicit group parameters encoded into the key blob. Only the
1647	* "named group" case sets the group NID for us, but we can figure
1648	* it out for the other case by comparing against all the groups that
1649	* are supported.
1650	*/
1651	if ((nid = EC_GROUP_get_curve_name(g)) > 0)
1652	return nid;
1653	for (i = 0; nids[i] != -1; i++) {
1654	if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL((void*)0))
1655	return -1;
1656	if (EC_GROUP_cmp(g, eg, NULL((void*)0)) == 0)
1657	break;
1658	EC_GROUP_free(eg);
1659	}
1660	if (nids[i] != -1) {
1661	/* Use the group with the NID attached */
1662	EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE0x001);
1663	if (EC_KEY_set_group(k, eg) != 1) {
1664	EC_GROUP_free(eg);
1665	return -1;
1666	}
1667	}
1668	return nids[i];
1669	}
1670
1671	static int
1672	ecdsa_generate_private_key(u_int bits, int nid, EC_KEY *ecdsap)
1673	{
1674	EC_KEY *private;
1675	int ret = SSH_ERR_INTERNAL_ERROR-1;
1676
1677	if (nid == NULL((void)0) \|\| ecdsap == NULL((void)0))
1678	return SSH_ERR_INVALID_ARGUMENT-10;
1679	if ((*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
1680	return SSH_ERR_KEY_LENGTH-56;
1681	ecdsap = NULL((void)0);
1682	if ((private = EC_KEY_new_by_curve_name(nid)) == NULL((void)0)) {
1683	ret = SSH_ERR_ALLOC_FAIL-2;
1684	goto out;
1685	}
1686	if (EC_KEY_generate_key(private) != 1) {
1687	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
1688	goto out;
1689	}
1690	EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE0x001);
1691	*ecdsap = private;
1692	private = NULL((void*)0);
1693	ret = 0;
1694	out:
1695	EC_KEY_free(private);
1696	return ret;
1697	}
1698	#endif /* WITH_OPENSSL */
1699
1700	int
1701	sshkey_generate(int type, u_int bits, struct sshkey **keyp)
1702	{
1703	struct sshkey *k;
1704	int ret = SSH_ERR_INTERNAL_ERROR-1;
1705
1706	if (keyp == NULL((void*)0))
1707	return SSH_ERR_INVALID_ARGUMENT-10;
1708	keyp = NULL((void)0);
1709	if ((k = sshkey_new(KEY_UNSPEC)) == NULL((void*)0))
1710	return SSH_ERR_ALLOC_FAIL-2;
1711	switch (type) {
1712	case KEY_ED25519:
1713	if ((k->ed25519_pk = malloc(ED25519_PK_SZ32U)) == NULL((void*)0) \|\|
1714	(k->ed25519_sk = malloc(ED25519_SK_SZ64U)) == NULL((void*)0)) {
1715	ret = SSH_ERR_ALLOC_FAIL-2;
1716	break;
1717	}
1718	crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
1719	ret = 0;
1720	break;
1721	#ifdef WITH_XMSS
1722	case KEY_XMSS:
1723	ret = sshkey_xmss_generate_private_key(k, bits);
1724	break;
1725	#endif /* WITH_XMSS */
1726	#ifdef WITH_OPENSSL1
1727	case KEY_DSA:
1728	ret = dsa_generate_private_key(bits, &k->dsa);
1729	break;
1730	case KEY_ECDSA:
1731	ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
1732	&k->ecdsa);
1733	break;
1734	case KEY_RSA:
1735	ret = rsa_generate_private_key(bits, &k->rsa);
1736	break;
1737	#endif /* WITH_OPENSSL */
1738	default:
1739	ret = SSH_ERR_INVALID_ARGUMENT-10;
1740	}
1741	if (ret == 0) {
1742	k->type = type;
1743	*keyp = k;
1744	} else
1745	sshkey_free(k);
1746	return ret;
1747	}
1748
1749	int
1750	sshkey_cert_copy(const struct sshkey from_key, struct sshkey to_key)
1751	{
1752	u_int i;
1753	const struct sshkey_cert *from;
1754	struct sshkey_cert *to;
1755	int r = SSH_ERR_INTERNAL_ERROR-1;
1756
1757	if (to_key == NULL((void)0) \|\| (from = from_key->cert) == NULL((void)0))
1758	return SSH_ERR_INVALID_ARGUMENT-10;
1759
1760	if ((to = cert_new()) == NULL((void*)0))
1761	return SSH_ERR_ALLOC_FAIL-2;
1762
1763	if ((r = sshbuf_putb(to->certblob, from->certblob)) != 0 \|\|
1764	(r = sshbuf_putb(to->critical, from->critical)) != 0 \|\|
1765	(r = sshbuf_putb(to->extensions, from->extensions)) != 0)
1766	goto out;
1767
1768	to->serial = from->serial;
1769	to->type = from->type;
1770	if (from->key_id == NULL((void*)0))
1771	to->key_id = NULL((void*)0);
1772	else if ((to->key_id = strdup(from->key_id)) == NULL((void*)0)) {
1773	r = SSH_ERR_ALLOC_FAIL-2;
1774	goto out;
1775	}
1776	to->valid_after = from->valid_after;
1777	to->valid_before = from->valid_before;
1778	if (from->signature_key == NULL((void*)0))
1779	to->signature_key = NULL((void*)0);
1780	else if ((r = sshkey_from_private(from->signature_key,
1781	&to->signature_key)) != 0)
1782	goto out;
1783	if (from->signature_type != NULL((void*)0) &&
1784	(to->signature_type = strdup(from->signature_type)) == NULL((void*)0)) {
1785	r = SSH_ERR_ALLOC_FAIL-2;
1786	goto out;
1787	}
1788	if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS256) {
1789	r = SSH_ERR_INVALID_ARGUMENT-10;
1790	goto out;
1791	}
1792	if (from->nprincipals > 0) {
1793	if ((to->principals = calloc(from->nprincipals,
1794	sizeof(to->principals))) == NULL((void)0)) {
1795	r = SSH_ERR_ALLOC_FAIL-2;
1796	goto out;
1797	}
1798	for (i = 0; i < from->nprincipals; i++) {
1799	to->principals[i] = strdup(from->principals[i]);
1800	if (to->principals[i] == NULL((void*)0)) {
1801	to->nprincipals = i;
1802	r = SSH_ERR_ALLOC_FAIL-2;
1803	goto out;
1804	}
1805	}
1806	}
1807	to->nprincipals = from->nprincipals;
1808
1809	/* success */
1810	cert_free(to_key->cert);
1811	to_key->cert = to;
1812	to = NULL((void*)0);
1813	r = 0;
1814	out:
1815	cert_free(to);
1816	return r;
1817	}
1818
1819	int
1820	sshkey_from_private(const struct sshkey k, struct sshkey *pkp)
1821	{
1822	struct sshkey n = NULL((void)0);
1823	int r = SSH_ERR_INTERNAL_ERROR-1;
1824	#ifdef WITH_OPENSSL1
1825	const BIGNUM rsa_n, rsa_e;
1826	BIGNUM rsa_n_dup = NULL((void)0), rsa_e_dup = NULL((void)0);
1827	const BIGNUM dsa_p, dsa_q, dsa_g, dsa_pub_key;
1828	BIGNUM dsa_p_dup = NULL((void)0), dsa_q_dup = NULL((void)0), dsa_g_dup = NULL((void)0);
1829	BIGNUM dsa_pub_key_dup = NULL((void)0);
1830	#endif /* WITH_OPENSSL */
1831
1832	pkp = NULL((void)0);
1833	if ((n = sshkey_new(k->type)) == NULL((void*)0)) {
1834	r = SSH_ERR_ALLOC_FAIL-2;
1835	goto out;
1836	}
1837	switch (k->type) {
1838	#ifdef WITH_OPENSSL1
1839	case KEY_DSA:
1840	case KEY_DSA_CERT:
1841	DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
1842	DSA_get0_key(k->dsa, &dsa_pub_key, NULL((void*)0));
1843	if ((dsa_p_dup = BN_dup(dsa_p)) == NULL((void*)0) \|\|
1844	(dsa_q_dup = BN_dup(dsa_q)) == NULL((void*)0) \|\|
1845	(dsa_g_dup = BN_dup(dsa_g)) == NULL((void*)0) \|\|
1846	(dsa_pub_key_dup = BN_dup(dsa_pub_key)) == NULL((void*)0)) {
1847	r = SSH_ERR_ALLOC_FAIL-2;
1848	goto out;
1849	}
1850	if (!DSA_set0_pqg(n->dsa, dsa_p_dup, dsa_q_dup, dsa_g_dup)) {
1851	r = SSH_ERR_LIBCRYPTO_ERROR-22;
1852	goto out;
1853	}
1854	dsa_p_dup = dsa_q_dup = dsa_g_dup = NULL((void)0); / transferred */
1855	if (!DSA_set0_key(n->dsa, dsa_pub_key_dup, NULL((void*)0))) {
1856	r = SSH_ERR_LIBCRYPTO_ERROR-22;
1857	goto out;
1858	}
1859	dsa_pub_key_dup = NULL((void)0); / transferred */
1860
1861	break;
1862	case KEY_ECDSA:
1863	case KEY_ECDSA_CERT:
1864	case KEY_ECDSA_SK:
1865	case KEY_ECDSA_SK_CERT:
1866	n->ecdsa_nid = k->ecdsa_nid;
1867	n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
1868	if (n->ecdsa == NULL((void*)0)) {
1869	r = SSH_ERR_ALLOC_FAIL-2;
1870	goto out;
1871	}
1872	if (EC_KEY_set_public_key(n->ecdsa,
1873	EC_KEY_get0_public_key(k->ecdsa)) != 1) {
1874	r = SSH_ERR_LIBCRYPTO_ERROR-22;
1875	goto out;
1876	}
1877	if (k->type != KEY_ECDSA_SK && k->type != KEY_ECDSA_SK_CERT)
1878	break;
1879	/* Append security-key application string */
1880	if ((n->sk_application = strdup(k->sk_application)) == NULL((void*)0))
1881	goto out;
1882	break;
1883	case KEY_RSA:
1884	case KEY_RSA_CERT:
1885	RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL((void*)0));
1886	if ((rsa_n_dup = BN_dup(rsa_n)) == NULL((void*)0) \|\|
1887	(rsa_e_dup = BN_dup(rsa_e)) == NULL((void*)0)) {
1888	r = SSH_ERR_ALLOC_FAIL-2;
1889	goto out;
1890	}
1891	if (!RSA_set0_key(n->rsa, rsa_n_dup, rsa_e_dup, NULL((void*)0))) {
1892	r = SSH_ERR_LIBCRYPTO_ERROR-22;
1893	goto out;
1894	}
1895	rsa_n_dup = rsa_e_dup = NULL((void)0); / transferred */
1896	break;
1897	#endif /* WITH_OPENSSL */
1898	case KEY_ED25519:
1899	case KEY_ED25519_CERT:
1900	case KEY_ED25519_SK:
1901	case KEY_ED25519_SK_CERT:
1902	if (k->ed25519_pk != NULL((void*)0)) {
1903	if ((n->ed25519_pk = malloc(ED25519_PK_SZ32U)) == NULL((void*)0)) {
1904	r = SSH_ERR_ALLOC_FAIL-2;
1905	goto out;
1906	}
1907	memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ32U);
1908	}
1909	if (k->type != KEY_ED25519_SK &&
1910	k->type != KEY_ED25519_SK_CERT)
1911	break;
1912	/* Append security-key application string */
1913	if ((n->sk_application = strdup(k->sk_application)) == NULL((void*)0))
1914	goto out;
1915	break;
1916	#ifdef WITH_XMSS
1917	case KEY_XMSS:
1918	case KEY_XMSS_CERT:
1919	if ((r = sshkey_xmss_init(n, k->xmss_name)) != 0)
1920	goto out;
1921	if (k->xmss_pk != NULL((void*)0)) {
1922	u_int32_t left;
1923	size_t pklen = sshkey_xmss_pklen(k);
1924	if (pklen == 0 \|\| sshkey_xmss_pklen(n) != pklen) {
1925	r = SSH_ERR_INTERNAL_ERROR-1;
1926	goto out;
1927	}
1928	if ((n->xmss_pk = malloc(pklen)) == NULL((void*)0)) {
1929	r = SSH_ERR_ALLOC_FAIL-2;
1930	goto out;
1931	}
1932	memcpy(n->xmss_pk, k->xmss_pk, pklen);
1933	/* simulate number of signatures left on pubkey */
1934	left = sshkey_xmss_signatures_left(k);
1935	if (left)
1936	sshkey_xmss_enable_maxsign(n, left);
1937	}
1938	break;
1939	#endif /* WITH_XMSS */
1940	default:
1941	r = SSH_ERR_KEY_TYPE_UNKNOWN-14;
1942	goto out;
1943	}
1944	if (sshkey_is_cert(k) && (r = sshkey_cert_copy(k, n)) != 0)
1945	goto out;
1946	/* success */
1947	*pkp = n;
1948	n = NULL((void*)0);
1949	r = 0;
1950	out:
1951	sshkey_free(n);
1952	#ifdef WITH_OPENSSL1
1953	BN_clear_free(rsa_n_dup);
1954	BN_clear_free(rsa_e_dup);
1955	BN_clear_free(dsa_p_dup);
1956	BN_clear_free(dsa_q_dup);
1957	BN_clear_free(dsa_g_dup);
1958	BN_clear_free(dsa_pub_key_dup);
1959	#endif /* WITH_OPENSSL */
1960
1961	return r;
1962	}
1963
1964	int
1965	sshkey_is_shielded(struct sshkey *k)
1966	{
1967	return k != NULL((void)0) && k->shielded_private != NULL((void)0);
1968	}
1969
1970	int
1971	sshkey_shield_private(struct sshkey *k)
1972	{
1973	struct sshbuf prvbuf = NULL((void)0);
1974	u_char prekey = NULL((void)0), enc = NULL((void)0), keyiv[SSH_DIGEST_MAX_LENGTH64];
1975	struct sshcipher_ctx cctx = NULL((void)0);
1976	const struct sshcipher *cipher;
1977	size_t i, enclen = 0;
1978	struct sshkey kswap = NULL((void)0), tmp;
1979	int r = SSH_ERR_INTERNAL_ERROR-1;
1980
1981	#ifdef DEBUG_PK
1982	fprintf(stderr(&__sF[2]), "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
1983	#endif
1984	if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER"aes256-ctr")) == NULL((void*)0)) {
1985	r = SSH_ERR_INVALID_ARGUMENT-10;
1986	goto out;
1987	}
1988	if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
1989	ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4)) {
1990	r = SSH_ERR_INTERNAL_ERROR-1;
1991	goto out;
1992	}
1993
1994	/* Prepare a random pre-key, and from it an ephemeral key */
1995	if ((prekey = malloc(SSHKEY_SHIELD_PREKEY_LEN(16 * 1024))) == NULL((void*)0)) {
1996	r = SSH_ERR_ALLOC_FAIL-2;
1997	goto out;
1998	}
1999	arc4random_buf(prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024));
2000	if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH4,
2001	prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024),
2002	keyiv, SSH_DIGEST_MAX_LENGTH64)) != 0)
2003	goto out;
2004	#ifdef DEBUG_PK
2005	fprintf(stderr(&__sF[2]), "%s: key+iv\n", __func__);
2006	sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4),
2007	stderr(&__sF[2]));
2008	#endif
2009	if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
2010	keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 1)) != 0)
2011	goto out;
2012
2013	/* Serialise and encrypt the private key using the ephemeral key */
2014	if ((prvbuf = sshbuf_new()) == NULL((void*)0)) {
2015	r = SSH_ERR_ALLOC_FAIL-2;
2016	goto out;
2017	}
2018	if (sshkey_is_shielded(k) && (r = sshkey_unshield_private(k)) != 0)
2019	goto out;
2020	if ((r = sshkey_private_serialize_opt(k, prvbuf,
2021	SSHKEY_SERIALIZE_SHIELD)) != 0)
2022	goto out;
2023	/* pad to cipher blocksize */
2024	i = 0;
2025	while (sshbuf_len(prvbuf) % cipher_blocksize(cipher)) {
2026	if ((r = sshbuf_put_u8(prvbuf, ++i & 0xff)) != 0)
2027	goto out;
2028	}
2029	#ifdef DEBUG_PK
2030	fprintf(stderr(&__sF[2]), "%s: serialised\n", __func__);
2031	sshbuf_dump(prvbuf, stderr(&__sF[2]));
2032	#endif
2033	/* encrypt */
2034	enclen = sshbuf_len(prvbuf);
2035	if ((enc = malloc(enclen)) == NULL((void*)0)) {
2036	r = SSH_ERR_ALLOC_FAIL-2;
2037	goto out;
2038	}
2039	if ((r = cipher_crypt(cctx, 0, enc,
2040	sshbuf_ptr(prvbuf), sshbuf_len(prvbuf), 0, 0)) != 0)
2041	goto out;
2042	#ifdef DEBUG_PK
2043	fprintf(stderr(&__sF[2]), "%s: encrypted\n", __func__);
2044	sshbuf_dump_data(enc, enclen, stderr(&__sF[2]));
2045	#endif
2046
2047	/* Make a scrubbed, public-only copy of our private key argument */
2048	if ((r = sshkey_from_private(k, &kswap)) != 0)
2049	goto out;
2050
2051	/* Swap the private key out (it will be destroyed below) */
2052	tmp = *kswap;
2053	kswap = k;
2054	*k = tmp;
2055
2056	/* Insert the shielded key into our argument */
2057	k->shielded_private = enc;
2058	k->shielded_len = enclen;
2059	k->shield_prekey = prekey;
2060	k->shield_prekey_len = SSHKEY_SHIELD_PREKEY_LEN(16 * 1024);
2061	enc = prekey = NULL((void)0); / transferred */
2062	enclen = 0;
2063
2064	/* preserve key fields that are required for correct operation */
2065	k->sk_flags = kswap->sk_flags;
2066
2067	/* success */
2068	r = 0;
2069
2070	out:
2071	/* XXX behaviour on error - invalidate original private key? */
2072	cipher_free(cctx);
2073	explicit_bzero(keyiv, sizeof(keyiv));
2074	explicit_bzero(&tmp, sizeof(tmp));
2075	freezero(enc, enclen);
2076	freezero(prekey, SSHKEY_SHIELD_PREKEY_LEN(16 * 1024));
2077	sshkey_free(kswap);
2078	sshbuf_free(prvbuf);
2079	return r;
2080	}
2081
2082	int
2083	sshkey_unshield_private(struct sshkey *k)
2084	{
2085	struct sshbuf prvbuf = NULL((void)0);
2086	u_char pad, *cp, keyiv[SSH_DIGEST_MAX_LENGTH64];
2087	struct sshcipher_ctx cctx = NULL((void)0);
2088	const struct sshcipher *cipher;
2089	size_t i;
2090	struct sshkey kswap = NULL((void)0), tmp;
2091	int r = SSH_ERR_INTERNAL_ERROR-1;
2092
2093	#ifdef DEBUG_PK
2094	fprintf(stderr(&__sF[2]), "%s: entering for %s\n", __func__, sshkey_ssh_name(k));
2095	#endif
2096	if (!sshkey_is_shielded(k))
2097	return 0; /* nothing to do */
2098
2099	if ((cipher = cipher_by_name(SSHKEY_SHIELD_CIPHER"aes256-ctr")) == NULL((void*)0)) {
2100	r = SSH_ERR_INVALID_ARGUMENT-10;
2101	goto out;
2102	}
2103	if (cipher_keylen(cipher) + cipher_ivlen(cipher) >
2104	ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4)) {
2105	r = SSH_ERR_INTERNAL_ERROR-1;
2106	goto out;
2107	}
2108	/* check size of shielded key blob */
2109	if (k->shielded_len < cipher_blocksize(cipher) \|\|
2110	(k->shielded_len % cipher_blocksize(cipher)) != 0) {
2111	r = SSH_ERR_INVALID_FORMAT-4;
2112	goto out;
2113	}
2114
2115	/* Calculate the ephemeral key from the prekey */
2116	if ((r = ssh_digest_memory(SSHKEY_SHIELD_PREKEY_HASH4,
2117	k->shield_prekey, k->shield_prekey_len,
2118	keyiv, SSH_DIGEST_MAX_LENGTH64)) != 0)
2119	goto out;
2120	if ((r = cipher_init(&cctx, cipher, keyiv, cipher_keylen(cipher),
2121	keyiv + cipher_keylen(cipher), cipher_ivlen(cipher), 0)) != 0)
2122	goto out;
2123	#ifdef DEBUG_PK
2124	fprintf(stderr(&__sF[2]), "%s: key+iv\n", __func__);
2125	sshbuf_dump_data(keyiv, ssh_digest_bytes(SSHKEY_SHIELD_PREKEY_HASH4),
2126	stderr(&__sF[2]));
2127	#endif
2128
2129	/* Decrypt and parse the shielded private key using the ephemeral key */
2130	if ((prvbuf = sshbuf_new()) == NULL((void*)0)) {
2131	r = SSH_ERR_ALLOC_FAIL-2;
2132	goto out;
2133	}
2134	if ((r = sshbuf_reserve(prvbuf, k->shielded_len, &cp)) != 0)
2135	goto out;
2136	/* decrypt */
2137	#ifdef DEBUG_PK
2138	fprintf(stderr(&__sF[2]), "%s: encrypted\n", __func__);
2139	sshbuf_dump_data(k->shielded_private, k->shielded_len, stderr(&__sF[2]));
2140	#endif
2141	if ((r = cipher_crypt(cctx, 0, cp,
2142	k->shielded_private, k->shielded_len, 0, 0)) != 0)
2143	goto out;
2144	#ifdef DEBUG_PK
2145	fprintf(stderr(&__sF[2]), "%s: serialised\n", __func__);
2146	sshbuf_dump(prvbuf, stderr(&__sF[2]));
2147	#endif
2148	/* Parse private key */
2149	if ((r = sshkey_private_deserialize(prvbuf, &kswap)) != 0)
2150	goto out;
2151	/* Check deterministic padding */
2152	i = 0;
2153	while (sshbuf_len(prvbuf)) {
2154	if ((r = sshbuf_get_u8(prvbuf, &pad)) != 0)
2155	goto out;
2156	if (pad != (++i & 0xff)) {
2157	r = SSH_ERR_INVALID_FORMAT-4;
2158	goto out;
2159	}
2160	}
2161
2162	/* Swap the parsed key back into place */
2163	tmp = *kswap;
2164	kswap = k;
2165	*k = tmp;
2166
2167	/* success */
2168	r = 0;
2169
2170	out:
2171	cipher_free(cctx);
2172	explicit_bzero(keyiv, sizeof(keyiv));
2173	explicit_bzero(&tmp, sizeof(tmp));
2174	sshkey_free(kswap);
2175	sshbuf_free(prvbuf);
2176	return r;
2177	}
2178
2179	static int
2180	cert_parse(struct sshbuf b, struct sshkey key, struct sshbuf *certbuf)
2181	{
2182	struct sshbuf principals = NULL((void)0), crit = NULL((void)0);
2183	struct sshbuf exts = NULL((void)0), ca = NULL((void)0);
2184	u_char sig = NULL((void)0);
2185	size_t signed_len = 0, slen = 0, kidlen = 0;
2186	int ret = SSH_ERR_INTERNAL_ERROR-1;
2187
2188	/* Copy the entire key blob for verification and later serialisation */
2189	if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
2190	return ret;
2191
2192	/* Parse body of certificate up to signature */
2193	if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 \|\|
2194	(ret = sshbuf_get_u32(b, &key->cert->type)) != 0 \|\|
	Although the value stored to 'ret' is used in the enclosing expression, the value is never actually read from 'ret'
2195	(ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 \|\|
2196	(ret = sshbuf_froms(b, &principals)) != 0 \|\|
2197	(ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 \|\|
2198	(ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 \|\|
2199	(ret = sshbuf_froms(b, &crit)) != 0 \|\|
2200	(ret = sshbuf_froms(b, &exts)) != 0 \|\|
2201	(ret = sshbuf_get_string_direct(b, NULL((void)0), NULL((void)0))) != 0 \|\|
2202	(ret = sshbuf_froms(b, &ca)) != 0) {
2203	/* XXX debug print error for ret */
2204	ret = SSH_ERR_INVALID_FORMAT-4;
2205	goto out;
2206	}
2207
2208	/* Signature is left in the buffer so we can calculate this length */
2209	signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
2210
2211	if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
2212	ret = SSH_ERR_INVALID_FORMAT-4;
2213	goto out;
2214	}
2215
2216	if (key->cert->type != SSH2_CERT_TYPE_USER1 &&
2217	key->cert->type != SSH2_CERT_TYPE_HOST2) {
2218	ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE-18;
2219	goto out;
2220	}
2221
2222	/* Parse principals section */
2223	while (sshbuf_len(principals) > 0) {
2224	char principal = NULL((void)0);
2225	char *oprincipals = NULL((void)0);
2226
2227	if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS256) {
2228	ret = SSH_ERR_INVALID_FORMAT-4;
2229	goto out;
2230	}
2231	if ((ret = sshbuf_get_cstring(principals, &principal,
2232	NULL((void*)0))) != 0) {
2233	ret = SSH_ERR_INVALID_FORMAT-4;
2234	goto out;
2235	}
2236	oprincipals = key->cert->principals;
2237	key->cert->principals = recallocarray(key->cert->principals,
2238	key->cert->nprincipals, key->cert->nprincipals + 1,
2239	sizeof(*key->cert->principals));
2240	if (key->cert->principals == NULL((void*)0)) {
2241	free(principal);
2242	key->cert->principals = oprincipals;
2243	ret = SSH_ERR_ALLOC_FAIL-2;
2244	goto out;
2245	}
2246	key->cert->principals[key->cert->nprincipals++] = principal;
2247	}
2248
2249	/*
2250	* Stash a copies of the critical options and extensions sections
2251	* for later use.
2252	*/
2253	if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 \|\|
2254	(exts != NULL((void*)0) &&
2255	(ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
2256	goto out;
2257
2258	/*
2259	* Validate critical options and extensions sections format.
2260	*/
2261	while (sshbuf_len(crit) != 0) {
2262	if ((ret = sshbuf_get_string_direct(crit, NULL((void)0), NULL((void)0))) != 0 \|\|
2263	(ret = sshbuf_get_string_direct(crit, NULL((void)0), NULL((void)0))) != 0) {
2264	sshbuf_reset(key->cert->critical);
2265	ret = SSH_ERR_INVALID_FORMAT-4;
2266	goto out;
2267	}
2268	}
2269	while (exts != NULL((void*)0) && sshbuf_len(exts) != 0) {
2270	if ((ret = sshbuf_get_string_direct(exts, NULL((void)0), NULL((void)0))) != 0 \|\|
2271	(ret = sshbuf_get_string_direct(exts, NULL((void)0), NULL((void)0))) != 0) {
2272	sshbuf_reset(key->cert->extensions);
2273	ret = SSH_ERR_INVALID_FORMAT-4;
2274	goto out;
2275	}
2276	}
2277
2278	/* Parse CA key and check signature */
2279	if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
2280	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19;
2281	goto out;
2282	}
2283	if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
2284	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19;
2285	goto out;
2286	}
2287	if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
2288	sshbuf_ptr(key->cert->certblob), signed_len, NULL((void)0), 0, NULL((void)0))) != 0)
2289	goto out;
2290	if ((ret = sshkey_get_sigtype(sig, slen,
2291	&key->cert->signature_type)) != 0)
2292	goto out;
2293
2294	/* Success */
2295	ret = 0;
2296	out:
2297	sshbuf_free(ca);
2298	sshbuf_free(crit);
2299	sshbuf_free(exts);
2300	sshbuf_free(principals);
2301	free(sig);
2302	return ret;
2303	}
2304
2305	#ifdef WITH_OPENSSL1
2306	static int
2307	check_rsa_length(const RSA *rsa)
2308	{
2309	const BIGNUM *rsa_n;
2310
2311	RSA_get0_key(rsa, &rsa_n, NULL((void)0), NULL((void)0));
2312	if (BN_num_bits(rsa_n) < SSH_RSA_MINIMUM_MODULUS_SIZE1024)
2313	return SSH_ERR_KEY_LENGTH-56;
2314	return 0;
2315	}
2316	#endif /* WITH_OPENSSL */
2317
2318	static int
2319	sshkey_from_blob_internal(struct sshbuf b, struct sshkey *keyp,
2320	int allow_cert)
2321	{
2322	int type, ret = SSH_ERR_INTERNAL_ERROR-1;
2323	char ktype = NULL((void)0), curve = NULL((void)0), xmss_name = NULL((void)0);
2324	struct sshkey key = NULL((void)0);
2325	size_t len;
2326	u_char pk = NULL((void)0);
2327	struct sshbuf *copy;
2328	#ifdef WITH_OPENSSL1
2329	EC_POINT q = NULL((void)0);
2330	BIGNUM rsa_n = NULL((void)0), rsa_e = NULL((void)0);
2331	BIGNUM dsa_p = NULL((void)0), dsa_q = NULL((void)0), dsa_g = NULL((void)0), dsa_pub_key = NULL((void)0);
2332	#endif /* WITH_OPENSSL */
2333
2334	#ifdef DEBUG_PK /* XXX */
2335	sshbuf_dump(b, stderr(&__sF[2]));
2336	#endif
2337	if (keyp != NULL((void*)0))
2338	keyp = NULL((void)0);
2339	if ((copy = sshbuf_fromb(b)) == NULL((void*)0)) {
2340	ret = SSH_ERR_ALLOC_FAIL-2;
2341	goto out;
2342	}
2343	if (sshbuf_get_cstring(b, &ktype, NULL((void*)0)) != 0) {
2344	ret = SSH_ERR_INVALID_FORMAT-4;
2345	goto out;
2346	}
2347
2348	type = sshkey_type_from_name(ktype);
2349	if (!allow_cert && sshkey_type_is_cert(type)) {
2350	ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19;
2351	goto out;
2352	}
2353	switch (type) {
2354	#ifdef WITH_OPENSSL1
2355	case KEY_RSA_CERT:
2356	/* Skip nonce */
2357	if (sshbuf_get_string_direct(b, NULL((void)0), NULL((void)0)) != 0) {
2358	ret = SSH_ERR_INVALID_FORMAT-4;
2359	goto out;
2360	}
2361	/* FALLTHROUGH */
2362	case KEY_RSA:
2363	if ((key = sshkey_new(type)) == NULL((void*)0)) {
2364	ret = SSH_ERR_ALLOC_FAIL-2;
2365	goto out;
2366	}
2367	if (sshbuf_get_bignum2(b, &rsa_e) != 0 \|\|
2368	sshbuf_get_bignum2(b, &rsa_n) != 0) {
2369	ret = SSH_ERR_INVALID_FORMAT-4;
2370	goto out;
2371	}
2372	if (!RSA_set0_key(key->rsa, rsa_n, rsa_e, NULL((void*)0))) {
2373	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
2374	goto out;
2375	}
2376	rsa_n = rsa_e = NULL((void)0); / transferred */
2377	if ((ret = check_rsa_length(key->rsa)) != 0)
2378	goto out;
2379	#ifdef DEBUG_PK
2380	RSA_print_fp(stderr(&__sF[2]), key->rsa, 8);
2381	#endif
2382	break;
2383	case KEY_DSA_CERT:
2384	/* Skip nonce */
2385	if (sshbuf_get_string_direct(b, NULL((void)0), NULL((void)0)) != 0) {
2386	ret = SSH_ERR_INVALID_FORMAT-4;
2387	goto out;
2388	}
2389	/* FALLTHROUGH */
2390	case KEY_DSA:
2391	if ((key = sshkey_new(type)) == NULL((void*)0)) {
2392	ret = SSH_ERR_ALLOC_FAIL-2;
2393	goto out;
2394	}
2395	if (sshbuf_get_bignum2(b, &dsa_p) != 0 \|\|
2396	sshbuf_get_bignum2(b, &dsa_q) != 0 \|\|
2397	sshbuf_get_bignum2(b, &dsa_g) != 0 \|\|
2398	sshbuf_get_bignum2(b, &dsa_pub_key) != 0) {
2399	ret = SSH_ERR_INVALID_FORMAT-4;
2400	goto out;
2401	}
2402	if (!DSA_set0_pqg(key->dsa, dsa_p, dsa_q, dsa_g)) {
2403	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
2404	goto out;
2405	}
2406	dsa_p = dsa_q = dsa_g = NULL((void)0); / transferred */
2407	if (!DSA_set0_key(key->dsa, dsa_pub_key, NULL((void*)0))) {
2408	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
2409	goto out;
2410	}
2411	dsa_pub_key = NULL((void)0); / transferred */
2412	#ifdef DEBUG_PK
2413	DSA_print_fp(stderr(&__sF[2]), key->dsa, 8);
2414	#endif
2415	break;
2416	case KEY_ECDSA_CERT:
2417	case KEY_ECDSA_SK_CERT:
2418	/* Skip nonce */
2419	if (sshbuf_get_string_direct(b, NULL((void)0), NULL((void)0)) != 0) {
2420	ret = SSH_ERR_INVALID_FORMAT-4;
2421	goto out;
2422	}
2423	/* FALLTHROUGH */
2424	case KEY_ECDSA:
2425	case KEY_ECDSA_SK:
2426	if ((key = sshkey_new(type)) == NULL((void*)0)) {
2427	ret = SSH_ERR_ALLOC_FAIL-2;
2428	goto out;
2429	}
2430	key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype);
2431	if (sshbuf_get_cstring(b, &curve, NULL((void*)0)) != 0) {
2432	ret = SSH_ERR_INVALID_FORMAT-4;
2433	goto out;
2434	}
2435	if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
2436	ret = SSH_ERR_EC_CURVE_MISMATCH-15;
2437	goto out;
2438	}
2439	EC_KEY_free(key->ecdsa);
2440	if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
2441	== NULL((void*)0)) {
2442	ret = SSH_ERR_EC_CURVE_INVALID-12;
2443	goto out;
2444	}
2445	if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL((void*)0)) {
2446	ret = SSH_ERR_ALLOC_FAIL-2;
2447	goto out;
2448	}
2449	if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) {
2450	ret = SSH_ERR_INVALID_FORMAT-4;
2451	goto out;
2452	}
2453	if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
2454	q) != 0) {
2455	ret = SSH_ERR_KEY_INVALID_EC_VALUE-20;
2456	goto out;
2457	}
2458	if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
2459	/* XXX assume it is a allocation error */
2460	ret = SSH_ERR_ALLOC_FAIL-2;
2461	goto out;
2462	}
2463	#ifdef DEBUG_PK
2464	sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
2465	#endif
2466	if (type == KEY_ECDSA_SK \|\| type == KEY_ECDSA_SK_CERT) {
2467	/* Parse additional security-key application string */
2468	if (sshbuf_get_cstring(b, &key->sk_application,
2469	NULL((void*)0)) != 0) {
2470	ret = SSH_ERR_INVALID_FORMAT-4;
2471	goto out;
2472	}
2473	#ifdef DEBUG_PK
2474	fprintf(stderr(&__sF[2]), "App: %s\n", key->sk_application);
2475	#endif
2476	}
2477	break;
2478	#endif /* WITH_OPENSSL */
2479	case KEY_ED25519_CERT:
2480	case KEY_ED25519_SK_CERT:
2481	/* Skip nonce */
2482	if (sshbuf_get_string_direct(b, NULL((void)0), NULL((void)0)) != 0) {
2483	ret = SSH_ERR_INVALID_FORMAT-4;
2484	goto out;
2485	}
2486	/* FALLTHROUGH */
2487	case KEY_ED25519:
2488	case KEY_ED25519_SK:
2489	if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
2490	goto out;
2491	if (len != ED25519_PK_SZ32U) {
2492	ret = SSH_ERR_INVALID_FORMAT-4;
2493	goto out;
2494	}
2495	if ((key = sshkey_new(type)) == NULL((void*)0)) {
2496	ret = SSH_ERR_ALLOC_FAIL-2;
2497	goto out;
2498	}
2499	if (type == KEY_ED25519_SK \|\| type == KEY_ED25519_SK_CERT) {
2500	/* Parse additional security-key application string */
2501	if (sshbuf_get_cstring(b, &key->sk_application,
2502	NULL((void*)0)) != 0) {
2503	ret = SSH_ERR_INVALID_FORMAT-4;
2504	goto out;
2505	}
2506	#ifdef DEBUG_PK
2507	fprintf(stderr(&__sF[2]), "App: %s\n", key->sk_application);
2508	#endif
2509	}
2510	key->ed25519_pk = pk;
2511	pk = NULL((void*)0);
2512	break;
2513	#ifdef WITH_XMSS
2514	case KEY_XMSS_CERT:
2515	/* Skip nonce */
2516	if (sshbuf_get_string_direct(b, NULL((void)0), NULL((void)0)) != 0) {
2517	ret = SSH_ERR_INVALID_FORMAT-4;
2518	goto out;
2519	}
2520	/* FALLTHROUGH */
2521	case KEY_XMSS:
2522	if ((ret = sshbuf_get_cstring(b, &xmss_name, NULL((void*)0))) != 0)
2523	goto out;
2524	if ((key = sshkey_new(type)) == NULL((void*)0)) {
2525	ret = SSH_ERR_ALLOC_FAIL-2;
2526	goto out;
2527	}
2528	if ((ret = sshkey_xmss_init(key, xmss_name)) != 0)
2529	goto out;
2530	if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
2531	goto out;
2532	if (len == 0 \|\| len != sshkey_xmss_pklen(key)) {
2533	ret = SSH_ERR_INVALID_FORMAT-4;
2534	goto out;
2535	}
2536	key->xmss_pk = pk;
2537	pk = NULL((void*)0);
2538	if (type != KEY_XMSS_CERT &&
2539	(ret = sshkey_xmss_deserialize_pk_info(key, b)) != 0)
2540	goto out;
2541	break;
2542	#endif /* WITH_XMSS */
2543	case KEY_UNSPEC:
2544	default:
2545	ret = SSH_ERR_KEY_TYPE_UNKNOWN-14;
2546	goto out;
2547	}
2548
2549	/* Parse certificate potion */
2550	if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
2551	goto out;
2552
2553	if (key != NULL((void*)0) && sshbuf_len(b) != 0) {
2554	ret = SSH_ERR_INVALID_FORMAT-4;
2555	goto out;
2556	}
2557	ret = 0;
2558	if (keyp != NULL((void*)0)) {
2559	*keyp = key;
2560	key = NULL((void*)0);
2561	}
2562	out:
2563	sshbuf_free(copy);
2564	sshkey_free(key);
2565	free(xmss_name);
2566	free(ktype);
2567	free(curve);
2568	free(pk);
2569	#ifdef WITH_OPENSSL1
2570	EC_POINT_free(q);
2571	BN_clear_free(rsa_n);
2572	BN_clear_free(rsa_e);
2573	BN_clear_free(dsa_p);
2574	BN_clear_free(dsa_q);
2575	BN_clear_free(dsa_g);
2576	BN_clear_free(dsa_pub_key);
2577	#endif /* WITH_OPENSSL */
2578	return ret;
2579	}
2580
2581	int
2582	sshkey_from_blob(const u_char blob, size_t blen, struct sshkey *keyp)
2583	{
2584	struct sshbuf *b;
2585	int r;
2586
2587	if ((b = sshbuf_from(blob, blen)) == NULL((void*)0))
2588	return SSH_ERR_ALLOC_FAIL-2;
2589	r = sshkey_from_blob_internal(b, keyp, 1);
2590	sshbuf_free(b);
2591	return r;
2592	}
2593
2594	int
2595	sshkey_fromb(struct sshbuf b, struct sshkey *keyp)
2596	{
2597	return sshkey_from_blob_internal(b, keyp, 1);
2598	}
2599
2600	int
2601	sshkey_froms(struct sshbuf buf, struct sshkey *keyp)
2602	{
2603	struct sshbuf *b;
2604	int r;
2605
2606	if ((r = sshbuf_froms(buf, &b)) != 0)
2607	return r;
2608	r = sshkey_from_blob_internal(b, keyp, 1);
2609	sshbuf_free(b);
2610	return r;
2611	}
2612
2613	int
2614	sshkey_get_sigtype(const u_char sig, size_t siglen, char *sigtypep)
2615	{
2616	int r;
2617	struct sshbuf b = NULL((void)0);
2618	char sigtype = NULL((void)0);
2619
2620	if (sigtypep != NULL((void*)0))
2621	sigtypep = NULL((void)0);
2622	if ((b = sshbuf_from(sig, siglen)) == NULL((void*)0))
2623	return SSH_ERR_ALLOC_FAIL-2;
2624	if ((r = sshbuf_get_cstring(b, &sigtype, NULL((void*)0))) != 0)
2625	goto out;
2626	/* success */
2627	if (sigtypep != NULL((void*)0)) {
2628	*sigtypep = sigtype;
2629	sigtype = NULL((void*)0);
2630	}
2631	r = 0;
2632	out:
2633	free(sigtype);
2634	sshbuf_free(b);
2635	return r;
2636	}
2637
2638	/*
2639	*
2640	* Checks whether a certificate's signature type is allowed.
2641	* Returns 0 (success) if the certificate signature type appears in the
2642	* "allowed" pattern-list, or the key is not a certificate to begin with.
2643	* Otherwise returns a ssherr.h code.
2644	*/
2645	int
2646	sshkey_check_cert_sigtype(const struct sshkey key, const char allowed)
2647	{
2648	if (key == NULL((void)0) \|\| allowed == NULL((void)0))
2649	return SSH_ERR_INVALID_ARGUMENT-10;
2650	if (!sshkey_type_is_cert(key->type))
2651	return 0;
2652	if (key->cert == NULL((void)0) \|\| key->cert->signature_type == NULL((void)0))
2653	return SSH_ERR_INVALID_ARGUMENT-10;
2654	if (match_pattern_list(key->cert->signature_type, allowed, 0) != 1)
2655	return SSH_ERR_SIGN_ALG_UNSUPPORTED-58;
2656	return 0;
2657	}
2658
2659	/*
2660	* Returns the expected signature algorithm for a given public key algorithm.
2661	*/
2662	const char *
2663	sshkey_sigalg_by_name(const char *name)
2664	{
2665	const struct keytype *kt;
2666
2667	for (kt = keytypes; kt->type != -1; kt++) {
2668	if (strcmp(kt->name, name) != 0)
2669	continue;
2670	if (kt->sigalg != NULL((void*)0))
2671	return kt->sigalg;
2672	if (!kt->cert)
2673	return kt->name;
2674	return sshkey_ssh_name_from_type_nid(
2675	sshkey_type_plain(kt->type), kt->nid);
2676	}
2677	return NULL((void*)0);
2678	}
2679
2680	/*
2681	* Verifies that the signature algorithm appearing inside the signature blob
2682	* matches that which was requested.
2683	*/
2684	int
2685	sshkey_check_sigtype(const u_char *sig, size_t siglen,
2686	const char *requested_alg)
2687	{
2688	const char *expected_alg;
2689	char sigtype = NULL((void)0);
2690	int r;
2691
2692	if (requested_alg == NULL((void*)0))
2693	return 0;
2694	if ((expected_alg = sshkey_sigalg_by_name(requested_alg)) == NULL((void*)0))
2695	return SSH_ERR_INVALID_ARGUMENT-10;
2696	if ((r = sshkey_get_sigtype(sig, siglen, &sigtype)) != 0)
2697	return r;
2698	r = strcmp(expected_alg, sigtype) == 0;
2699	free(sigtype);
2700	return r ? 0 : SSH_ERR_SIGN_ALG_UNSUPPORTED-58;
2701	}
2702
2703	int
2704	sshkey_sign(struct sshkey *key,
2705	u_char *sigp, size_t lenp,
2706	const u_char *data, size_t datalen,
2707	const char alg, const char sk_provider, const char *sk_pin, u_int compat)
2708	{
2709	int was_shielded = sshkey_is_shielded(key);
2710	int r2, r = SSH_ERR_INTERNAL_ERROR-1;
2711
2712	if (sigp != NULL((void*)0))
2713	sigp = NULL((void)0);
2714	if (lenp != NULL((void*)0))
2715	*lenp = 0;
2716	if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE(1 << 20))
2717	return SSH_ERR_INVALID_ARGUMENT-10;
2718	if ((r = sshkey_unshield_private(key)) != 0)
2719	return r;
2720	switch (key->type) {
2721	#ifdef WITH_OPENSSL1
2722	case KEY_DSA_CERT:
2723	case KEY_DSA:
2724	r = ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
2725	break;
2726	case KEY_ECDSA_CERT:
2727	case KEY_ECDSA:
2728	r = ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
2729	break;
2730	case KEY_RSA_CERT:
2731	case KEY_RSA:
2732	r = ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
2733	break;
2734	#endif /* WITH_OPENSSL */
2735	case KEY_ED25519:
2736	case KEY_ED25519_CERT:
2737	r = ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
2738	break;
2739	case KEY_ED25519_SK:
2740	case KEY_ED25519_SK_CERT:
2741	case KEY_ECDSA_SK_CERT:
2742	case KEY_ECDSA_SK:
2743	r = sshsk_sign(sk_provider, key, sigp, lenp, data,
2744	datalen, compat, sk_pin);
2745	break;
2746	#ifdef WITH_XMSS
2747	case KEY_XMSS:
2748	case KEY_XMSS_CERT:
2749	r = ssh_xmss_sign(key, sigp, lenp, data, datalen, compat);
2750	break;
2751	#endif /* WITH_XMSS */
2752	default:
2753	r = SSH_ERR_KEY_TYPE_UNKNOWN-14;
2754	break;
2755	}
2756	if (was_shielded && (r2 = sshkey_shield_private(key)) != 0)
2757	return r2;
2758	return r;
2759	}
2760
2761	/*
2762	* ssh_key_verify returns 0 for a correct signature and < 0 on error.
2763	* If "alg" specified, then the signature must use that algorithm.
2764	*/
2765	int
2766	sshkey_verify(const struct sshkey *key,
2767	const u_char *sig, size_t siglen,
2768	const u_char data, size_t dlen, const char alg, u_int compat,
2769	struct sshkey_sig_details **detailsp)
2770	{
2771	if (detailsp != NULL((void*)0))
2772	detailsp = NULL((void)0);
2773	if (siglen == 0 \|\| dlen > SSH_KEY_MAX_SIGN_DATA_SIZE(1 << 20))
2774	return SSH_ERR_INVALID_ARGUMENT-10;
2775	switch (key->type) {
2776	#ifdef WITH_OPENSSL1
2777	case KEY_DSA_CERT:
2778	case KEY_DSA:
2779	return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
2780	case KEY_ECDSA_CERT:
2781	case KEY_ECDSA:
2782	return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2783	case KEY_ECDSA_SK_CERT:
2784	case KEY_ECDSA_SK:
2785	return ssh_ecdsa_sk_verify(key, sig, siglen, data, dlen,
2786	compat, detailsp);
2787	case KEY_RSA_CERT:
2788	case KEY_RSA:
2789	return ssh_rsa_verify(key, sig, siglen, data, dlen, alg);
2790	#endif /* WITH_OPENSSL */
2791	case KEY_ED25519:
2792	case KEY_ED25519_CERT:
2793	return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
2794	case KEY_ED25519_SK:
2795	case KEY_ED25519_SK_CERT:
2796	return ssh_ed25519_sk_verify(key, sig, siglen, data, dlen,
2797	compat, detailsp);
2798	#ifdef WITH_XMSS
2799	case KEY_XMSS:
2800	case KEY_XMSS_CERT:
2801	return ssh_xmss_verify(key, sig, siglen, data, dlen, compat);
2802	#endif /* WITH_XMSS */
2803	default:
2804	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
2805	}
2806	}
2807
2808	/* Convert a plain key to their _CERT equivalent */
2809	int
2810	sshkey_to_certified(struct sshkey *k)
2811	{
2812	int newtype;
2813
2814	switch (k->type) {
2815	#ifdef WITH_OPENSSL1
2816	case KEY_RSA:
2817	newtype = KEY_RSA_CERT;
2818	break;
2819	case KEY_DSA:
2820	newtype = KEY_DSA_CERT;
2821	break;
2822	case KEY_ECDSA:
2823	newtype = KEY_ECDSA_CERT;
2824	break;
2825	case KEY_ECDSA_SK:
2826	newtype = KEY_ECDSA_SK_CERT;
2827	break;
2828	#endif /* WITH_OPENSSL */
2829	case KEY_ED25519_SK:
2830	newtype = KEY_ED25519_SK_CERT;
2831	break;
2832	case KEY_ED25519:
2833	newtype = KEY_ED25519_CERT;
2834	break;
2835	#ifdef WITH_XMSS
2836	case KEY_XMSS:
2837	newtype = KEY_XMSS_CERT;
2838	break;
2839	#endif /* WITH_XMSS */
2840	default:
2841	return SSH_ERR_INVALID_ARGUMENT-10;
2842	}
2843	if ((k->cert = cert_new()) == NULL((void*)0))
2844	return SSH_ERR_ALLOC_FAIL-2;
2845	k->type = newtype;
2846	return 0;
2847	}
2848
2849	/* Convert a certificate to its raw key equivalent */
2850	int
2851	sshkey_drop_cert(struct sshkey *k)
2852	{
2853	if (!sshkey_type_is_cert(k->type))
2854	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
2855	cert_free(k->cert);
2856	k->cert = NULL((void*)0);
2857	k->type = sshkey_type_plain(k->type);
2858	return 0;
2859	}
2860
2861	/* Sign a certified key, (re-)generating the signed certblob. */
2862	int
2863	sshkey_certify_custom(struct sshkey k, struct sshkey ca, const char *alg,
2864	const char sk_provider, const char sk_pin,
2865	sshkey_certify_signer signer, void signer_ctx)
2866	{
2867	struct sshbuf principals = NULL((void)0);
2868	u_char ca_blob = NULL((void)0), sig_blob = NULL((void)0), nonce[32];
2869	size_t i, ca_len, sig_len;
2870	int ret = SSH_ERR_INTERNAL_ERROR-1;
2871	struct sshbuf cert = NULL((void)0);
2872	char sigtype = NULL((void)0);
2873	#ifdef WITH_OPENSSL1
2874	const BIGNUM rsa_n, rsa_e, dsa_p, dsa_q, dsa_g, dsa_pub_key;
2875	#endif /* WITH_OPENSSL */
2876
2877	if (k == NULL((void)0) \|\| k->cert == NULL((void)0) \|\|
2878	k->cert->certblob == NULL((void)0) \|\| ca == NULL((void)0))
2879	return SSH_ERR_INVALID_ARGUMENT-10;
2880	if (!sshkey_is_cert(k))
2881	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
2882	if (!sshkey_type_is_valid_ca(ca->type))
2883	return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19;
2884
2885	/*
2886	* If no alg specified as argument but a signature_type was set,
2887	* then prefer that. If both were specified, then they must match.
2888	*/
2889	if (alg == NULL((void*)0))
2890	alg = k->cert->signature_type;
2891	else if (k->cert->signature_type != NULL((void*)0) &&
2892	strcmp(alg, k->cert->signature_type) != 0)
2893	return SSH_ERR_INVALID_ARGUMENT-10;
2894
2895	/*
2896	* If no signing algorithm or signature_type was specified and we're
2897	* using a RSA key, then default to a good signature algorithm.
2898	*/
2899	if (alg == NULL((void*)0) && ca->type == KEY_RSA)
2900	alg = "rsa-sha2-512";
2901
2902	if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
2903	return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY-19;
2904
2905	cert = k->cert->certblob; /* for readability */
2906	sshbuf_reset(cert);
2907	if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
2908	goto out;
2909
2910	/* -v01 certs put nonce first */
2911	arc4random_buf(&nonce, sizeof(nonce));
2912	if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2913	goto out;
2914
2915	/* XXX this substantially duplicates to_blob(); refactor */
2916	switch (k->type) {
2917	#ifdef WITH_OPENSSL1
2918	case KEY_DSA_CERT:
2919	DSA_get0_pqg(k->dsa, &dsa_p, &dsa_q, &dsa_g);
2920	DSA_get0_key(k->dsa, &dsa_pub_key, NULL((void*)0));
2921	if ((ret = sshbuf_put_bignum2(cert, dsa_p)) != 0 \|\|
2922	(ret = sshbuf_put_bignum2(cert, dsa_q)) != 0 \|\|
2923	(ret = sshbuf_put_bignum2(cert, dsa_g)) != 0 \|\|
2924	(ret = sshbuf_put_bignum2(cert, dsa_pub_key)) != 0)
2925	goto out;
2926	break;
2927	case KEY_ECDSA_CERT:
2928	case KEY_ECDSA_SK_CERT:
2929	if ((ret = sshbuf_put_cstring(cert,
2930	sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 \|\|
2931	(ret = sshbuf_put_ec(cert,
2932	EC_KEY_get0_public_key(k->ecdsa),
2933	EC_KEY_get0_group(k->ecdsa))) != 0)
2934	goto out;
2935	if (k->type == KEY_ECDSA_SK_CERT) {
2936	if ((ret = sshbuf_put_cstring(cert,
2937	k->sk_application)) != 0)
2938	goto out;
2939	}
2940	break;
2941	case KEY_RSA_CERT:
2942	RSA_get0_key(k->rsa, &rsa_n, &rsa_e, NULL((void*)0));
2943	if ((ret = sshbuf_put_bignum2(cert, rsa_e)) != 0 \|\|
2944	(ret = sshbuf_put_bignum2(cert, rsa_n)) != 0)
2945	goto out;
2946	break;
2947	#endif /* WITH_OPENSSL */
2948	case KEY_ED25519_CERT:
2949	case KEY_ED25519_SK_CERT:
2950	if ((ret = sshbuf_put_string(cert,
2951	k->ed25519_pk, ED25519_PK_SZ32U)) != 0)
2952	goto out;
2953	if (k->type == KEY_ED25519_SK_CERT) {
2954	if ((ret = sshbuf_put_cstring(cert,
2955	k->sk_application)) != 0)
2956	goto out;
2957	}
2958	break;
2959	#ifdef WITH_XMSS
2960	case KEY_XMSS_CERT:
2961	if (k->xmss_name == NULL((void*)0)) {
2962	ret = SSH_ERR_INVALID_ARGUMENT-10;
2963	goto out;
2964	}
2965	if ((ret = sshbuf_put_cstring(cert, k->xmss_name)) \|\|
2966	(ret = sshbuf_put_string(cert,
2967	k->xmss_pk, sshkey_xmss_pklen(k))) != 0)
2968	goto out;
2969	break;
2970	#endif /* WITH_XMSS */
2971	default:
2972	ret = SSH_ERR_INVALID_ARGUMENT-10;
2973	goto out;
2974	}
2975
2976	if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 \|\|
2977	(ret = sshbuf_put_u32(cert, k->cert->type)) != 0 \|\|
2978	(ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
2979	goto out;
2980
2981	if ((principals = sshbuf_new()) == NULL((void*)0)) {
2982	ret = SSH_ERR_ALLOC_FAIL-2;
2983	goto out;
2984	}
2985	for (i = 0; i < k->cert->nprincipals; i++) {
2986	if ((ret = sshbuf_put_cstring(principals,
2987	k->cert->principals[i])) != 0)
2988	goto out;
2989	}
2990	if ((ret = sshbuf_put_stringb(cert, principals)) != 0 \|\|
2991	(ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 \|\|
2992	(ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 \|\|
2993	(ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 \|\|
2994	(ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 \|\|
2995	(ret = sshbuf_put_string(cert, NULL((void)0), 0)) != 0 \|\| / Reserved */
2996	(ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2997	goto out;
2998
2999	/* Sign the whole mess */
3000	if ((ret = signer(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
3001	sshbuf_len(cert), alg, sk_provider, sk_pin, 0, signer_ctx)) != 0)
3002	goto out;
3003	/* Check and update signature_type against what was actually used */
3004	if ((ret = sshkey_get_sigtype(sig_blob, sig_len, &sigtype)) != 0)
3005	goto out;
3006	if (alg != NULL((void*)0) && strcmp(alg, sigtype) != 0) {
3007	ret = SSH_ERR_SIGN_ALG_UNSUPPORTED-58;
3008	goto out;
3009	}
3010	if (k->cert->signature_type == NULL((void*)0)) {
3011	k->cert->signature_type = sigtype;
3012	sigtype = NULL((void*)0);
3013	}
3014	/* Append signature and we are done */
3015	if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
3016	goto out;
3017	ret = 0;
3018	out:
3019	if (ret != 0)
3020	sshbuf_reset(cert);
3021	free(sig_blob);
3022	free(ca_blob);
3023	free(sigtype);
3024	sshbuf_free(principals);
3025	return ret;
3026	}
3027
3028	static int
3029	default_key_sign(struct sshkey key, u_char sigp, size_t lenp,
3030	const u_char *data, size_t datalen,
3031	const char alg, const char sk_provider, const char *sk_pin,
3032	u_int compat, void *ctx)
3033	{
3034	if (ctx != NULL((void*)0))
3035	return SSH_ERR_INVALID_ARGUMENT-10;
3036	return sshkey_sign(key, sigp, lenp, data, datalen, alg,
3037	sk_provider, sk_pin, compat);
3038	}
3039
3040	int
3041	sshkey_certify(struct sshkey k, struct sshkey ca, const char *alg,
3042	const char sk_provider, const char sk_pin)
3043	{
3044	return sshkey_certify_custom(k, ca, alg, sk_provider, sk_pin,
3045	default_key_sign, NULL((void*)0));
3046	}
3047
3048	int
3049	sshkey_cert_check_authority(const struct sshkey *k,
3050	int want_host, int require_principal, int wildcard_pattern,
3051	uint64_t verify_time, const char name, const char *reason)
3052	{
3053	u_int i, principal_matches;
3054
3055	if (reason == NULL((void*)0))
3056	return SSH_ERR_INVALID_ARGUMENT-10;
3057	if (!sshkey_is_cert(k)) {
3058	*reason = "Key is not a certificate";
3059	return SSH_ERR_KEY_CERT_INVALID-25;
3060	}
3061	if (want_host) {
3062	if (k->cert->type != SSH2_CERT_TYPE_HOST2) {
3063	*reason = "Certificate invalid: not a host certificate";
3064	return SSH_ERR_KEY_CERT_INVALID-25;
3065	}
3066	} else {
3067	if (k->cert->type != SSH2_CERT_TYPE_USER1) {
3068	*reason = "Certificate invalid: not a user certificate";
3069	return SSH_ERR_KEY_CERT_INVALID-25;
3070	}
3071	}
3072	if (verify_time < k->cert->valid_after) {
3073	*reason = "Certificate invalid: not yet valid";
3074	return SSH_ERR_KEY_CERT_INVALID-25;
3075	}
3076	if (verify_time >= k->cert->valid_before) {
3077	*reason = "Certificate invalid: expired";
3078	return SSH_ERR_KEY_CERT_INVALID-25;
3079	}
3080	if (k->cert->nprincipals == 0) {
3081	if (require_principal) {
3082	*reason = "Certificate lacks principal list";
3083	return SSH_ERR_KEY_CERT_INVALID-25;
3084	}
3085	} else if (name != NULL((void*)0)) {
3086	principal_matches = 0;
3087	for (i = 0; i < k->cert->nprincipals; i++) {
3088	if (wildcard_pattern) {
3089	if (match_pattern(k->cert->principals[i],
3090	name)) {
3091	principal_matches = 1;
3092	break;
3093	}
3094	} else if (strcmp(name, k->cert->principals[i]) == 0) {
3095	principal_matches = 1;
3096	break;
3097	}
3098	}
3099	if (!principal_matches) {
3100	*reason = "Certificate invalid: name is not a listed "
3101	"principal";
3102	return SSH_ERR_KEY_CERT_INVALID-25;
3103	}
3104	}
3105	return 0;
3106	}
3107
3108	int
3109	sshkey_cert_check_authority_now(const struct sshkey *k,
3110	int want_host, int require_principal, int wildcard_pattern,
3111	const char name, const char *reason)
3112	{
3113	time_t now;
3114
3115	if ((now = time(NULL((void*)0))) < 0) {
3116	/* yikes - system clock before epoch! */
3117	*reason = "Certificate invalid: not yet valid";
3118	return SSH_ERR_KEY_CERT_INVALID-25;
3119	}
3120	return sshkey_cert_check_authority(k, want_host, require_principal,
3121	wildcard_pattern, (uint64_t)now, name, reason);
3122	}
3123
3124	int
3125	sshkey_cert_check_host(const struct sshkey key, const char host,
3126	int wildcard_principals, const char *ca_sign_algorithms,
3127	const char **reason)
3128	{
3129	int r;
3130
3131	if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals,
3132	host, reason)) != 0)
3133	return r;
3134	if (sshbuf_len(key->cert->critical) != 0) {
3135	*reason = "Certificate contains unsupported critical options";
3136	return SSH_ERR_KEY_CERT_INVALID-25;
3137	}
3138	if (ca_sign_algorithms != NULL((void*)0) &&
3139	(r = sshkey_check_cert_sigtype(key, ca_sign_algorithms)) != 0) {
3140	*reason = "Certificate signed with disallowed algorithm";
3141	return SSH_ERR_KEY_CERT_INVALID-25;
3142	}
3143	return 0;
3144	}
3145
3146	size_t
3147	sshkey_format_cert_validity(const struct sshkey_cert cert, char s, size_t l)
3148	{
3149	char from[32], to[32], ret[128];
3150
3151	from = to = '\0';
3152	if (cert->valid_after == 0 &&
3153	cert->valid_before == 0xffffffffffffffffULL)
3154	return strlcpy(s, "forever", l);
3155
3156	if (cert->valid_after != 0)
3157	format_absolute_time(cert->valid_after, from, sizeof(from));
3158	if (cert->valid_before != 0xffffffffffffffffULL)
3159	format_absolute_time(cert->valid_before, to, sizeof(to));
3160
3161	if (cert->valid_after == 0)
3162	snprintf(ret, sizeof(ret), "before %s", to);
3163	else if (cert->valid_before == 0xffffffffffffffffULL)
3164	snprintf(ret, sizeof(ret), "after %s", from);
3165	else
3166	snprintf(ret, sizeof(ret), "from %s to %s", from, to);
3167
3168	return strlcpy(s, ret, l);
3169	}
3170
3171	int
3172	sshkey_private_serialize_opt(struct sshkey key, struct sshbuf buf,
3173	enum sshkey_serialize_rep opts)
3174	{
3175	int r = SSH_ERR_INTERNAL_ERROR-1;
3176	int was_shielded = sshkey_is_shielded(key);
3177	struct sshbuf b = NULL((void)0);
3178	#ifdef WITH_OPENSSL1
3179	const BIGNUM rsa_n, rsa_e, rsa_d, rsa_iqmp, rsa_p, rsa_q;
3180	const BIGNUM dsa_p, dsa_q, dsa_g, dsa_pub_key, *dsa_priv_key;
3181	#endif /* WITH_OPENSSL */
3182
3183	if ((r = sshkey_unshield_private(key)) != 0)
3184	return r;
3185	if ((b = sshbuf_new()) == NULL((void*)0))
3186	return SSH_ERR_ALLOC_FAIL-2;
3187	if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
3188	goto out;
3189	switch (key->type) {
3190	#ifdef WITH_OPENSSL1
3191	case KEY_RSA:
3192	RSA_get0_key(key->rsa, &rsa_n, &rsa_e, &rsa_d);
3193	RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
3194	RSA_get0_crt_params(key->rsa, NULL((void)0), NULL((void)0), &rsa_iqmp);
3195	if ((r = sshbuf_put_bignum2(b, rsa_n)) != 0 \|\|
3196	(r = sshbuf_put_bignum2(b, rsa_e)) != 0 \|\|
3197	(r = sshbuf_put_bignum2(b, rsa_d)) != 0 \|\|
3198	(r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 \|\|
3199	(r = sshbuf_put_bignum2(b, rsa_p)) != 0 \|\|
3200	(r = sshbuf_put_bignum2(b, rsa_q)) != 0)
3201	goto out;
3202	break;
3203	case KEY_RSA_CERT:
3204	if (key->cert == NULL((void*)0) \|\| sshbuf_len(key->cert->certblob) == 0) {
3205	r = SSH_ERR_INVALID_ARGUMENT-10;
3206	goto out;
3207	}
3208	RSA_get0_key(key->rsa, NULL((void)0), NULL((void)0), &rsa_d);
3209	RSA_get0_factors(key->rsa, &rsa_p, &rsa_q);
3210	RSA_get0_crt_params(key->rsa, NULL((void)0), NULL((void)0), &rsa_iqmp);
3211	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
3212	(r = sshbuf_put_bignum2(b, rsa_d)) != 0 \|\|
3213	(r = sshbuf_put_bignum2(b, rsa_iqmp)) != 0 \|\|
3214	(r = sshbuf_put_bignum2(b, rsa_p)) != 0 \|\|
3215	(r = sshbuf_put_bignum2(b, rsa_q)) != 0)
3216	goto out;
3217	break;
3218	case KEY_DSA:
3219	DSA_get0_pqg(key->dsa, &dsa_p, &dsa_q, &dsa_g);
3220	DSA_get0_key(key->dsa, &dsa_pub_key, &dsa_priv_key);
3221	if ((r = sshbuf_put_bignum2(b, dsa_p)) != 0 \|\|
3222	(r = sshbuf_put_bignum2(b, dsa_q)) != 0 \|\|
3223	(r = sshbuf_put_bignum2(b, dsa_g)) != 0 \|\|
3224	(r = sshbuf_put_bignum2(b, dsa_pub_key)) != 0 \|\|
3225	(r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
3226	goto out;
3227	break;
3228	case KEY_DSA_CERT:
3229	if (key->cert == NULL((void*)0) \|\| sshbuf_len(key->cert->certblob) == 0) {
3230	r = SSH_ERR_INVALID_ARGUMENT-10;
3231	goto out;
3232	}
3233	DSA_get0_key(key->dsa, NULL((void*)0), &dsa_priv_key);
3234	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
3235	(r = sshbuf_put_bignum2(b, dsa_priv_key)) != 0)
3236	goto out;
3237	break;
3238	case KEY_ECDSA:
3239	if ((r = sshbuf_put_cstring(b,
3240	sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 \|\|
3241	(r = sshbuf_put_eckey(b, key->ecdsa)) != 0 \|\|
3242	(r = sshbuf_put_bignum2(b,
3243	EC_KEY_get0_private_key(key->ecdsa))) != 0)
3244	goto out;
3245	break;
3246	case KEY_ECDSA_CERT:
3247	if (key->cert == NULL((void*)0) \|\| sshbuf_len(key->cert->certblob) == 0) {
3248	r = SSH_ERR_INVALID_ARGUMENT-10;
3249	goto out;
3250	}
3251	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
3252	(r = sshbuf_put_bignum2(b,
3253	EC_KEY_get0_private_key(key->ecdsa))) != 0)
3254	goto out;
3255	break;
3256	case KEY_ECDSA_SK:
3257	if ((r = sshbuf_put_cstring(b,
3258	sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 \|\|
3259	(r = sshbuf_put_eckey(b, key->ecdsa)) != 0 \|\|
3260	(r = sshbuf_put_cstring(b, key->sk_application)) != 0 \|\|
3261	(r = sshbuf_put_u8(b, key->sk_flags)) != 0 \|\|
3262	(r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 \|\|
3263	(r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
3264	goto out;
3265	break;
3266	case KEY_ECDSA_SK_CERT:
3267	if (key->cert == NULL((void*)0) \|\| sshbuf_len(key->cert->certblob) == 0) {
3268	r = SSH_ERR_INVALID_ARGUMENT-10;
3269	goto out;
3270	}
3271	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
3272	(r = sshbuf_put_cstring(b, key->sk_application)) != 0 \|\|
3273	(r = sshbuf_put_u8(b, key->sk_flags)) != 0 \|\|
3274	(r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 \|\|
3275	(r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
3276	goto out;
3277	break;
3278	#endif /* WITH_OPENSSL */
3279	case KEY_ED25519:
3280	if ((r = sshbuf_put_string(b, key->ed25519_pk,
3281	ED25519_PK_SZ32U)) != 0 \|\|
3282	(r = sshbuf_put_string(b, key->ed25519_sk,
3283	ED25519_SK_SZ64U)) != 0)
3284	goto out;
3285	break;
3286	case KEY_ED25519_CERT:
3287	if (key->cert == NULL((void*)0) \|\| sshbuf_len(key->cert->certblob) == 0) {
3288	r = SSH_ERR_INVALID_ARGUMENT-10;
3289	goto out;
3290	}
3291	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
3292	(r = sshbuf_put_string(b, key->ed25519_pk,
3293	ED25519_PK_SZ32U)) != 0 \|\|
3294	(r = sshbuf_put_string(b, key->ed25519_sk,
3295	ED25519_SK_SZ64U)) != 0)
3296	goto out;
3297	break;
3298	case KEY_ED25519_SK:
3299	if ((r = sshbuf_put_string(b, key->ed25519_pk,
3300	ED25519_PK_SZ32U)) != 0 \|\|
3301	(r = sshbuf_put_cstring(b, key->sk_application)) != 0 \|\|
3302	(r = sshbuf_put_u8(b, key->sk_flags)) != 0 \|\|
3303	(r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 \|\|
3304	(r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
3305	goto out;
3306	break;
3307	case KEY_ED25519_SK_CERT:
3308	if (key->cert == NULL((void*)0) \|\| sshbuf_len(key->cert->certblob) == 0) {
3309	r = SSH_ERR_INVALID_ARGUMENT-10;
3310	goto out;
3311	}
3312	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
3313	(r = sshbuf_put_string(b, key->ed25519_pk,
3314	ED25519_PK_SZ32U)) != 0 \|\|
3315	(r = sshbuf_put_cstring(b, key->sk_application)) != 0 \|\|
3316	(r = sshbuf_put_u8(b, key->sk_flags)) != 0 \|\|
3317	(r = sshbuf_put_stringb(b, key->sk_key_handle)) != 0 \|\|
3318	(r = sshbuf_put_stringb(b, key->sk_reserved)) != 0)
3319	goto out;
3320	break;
3321	#ifdef WITH_XMSS
3322	case KEY_XMSS:
3323	if (key->xmss_name == NULL((void*)0)) {
3324	r = SSH_ERR_INVALID_ARGUMENT-10;
3325	goto out;
3326	}
3327	if ((r = sshbuf_put_cstring(b, key->xmss_name)) != 0 \|\|
3328	(r = sshbuf_put_string(b, key->xmss_pk,
3329	sshkey_xmss_pklen(key))) != 0 \|\|
3330	(r = sshbuf_put_string(b, key->xmss_sk,
3331	sshkey_xmss_sklen(key))) != 0 \|\|
3332	(r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
3333	goto out;
3334	break;
3335	case KEY_XMSS_CERT:
3336	if (key->cert == NULL((void*)0) \|\| sshbuf_len(key->cert->certblob) == 0 \|\|
3337	key->xmss_name == NULL((void*)0)) {
3338	r = SSH_ERR_INVALID_ARGUMENT-10;
3339	goto out;
3340	}
3341	if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 \|\|
3342	(r = sshbuf_put_cstring(b, key->xmss_name)) != 0 \|\|
3343	(r = sshbuf_put_string(b, key->xmss_pk,
3344	sshkey_xmss_pklen(key))) != 0 \|\|
3345	(r = sshbuf_put_string(b, key->xmss_sk,
3346	sshkey_xmss_sklen(key))) != 0 \|\|
3347	(r = sshkey_xmss_serialize_state_opt(key, b, opts)) != 0)
3348	goto out;
3349	break;
3350	#endif /* WITH_XMSS */
3351	default:
3352	r = SSH_ERR_INVALID_ARGUMENT-10;
3353	goto out;
3354	}
3355	/*
3356	* success (but we still need to append the output to buf after
3357	* possibly re-shielding the private key)
3358	*/
3359	r = 0;
3360	out:
3361	if (was_shielded)
3362	r = sshkey_shield_private(key);
3363	if (r == 0)
3364	r = sshbuf_putb(buf, b);
3365	sshbuf_free(b);
3366
3367	return r;
3368	}
3369
3370	int
3371	sshkey_private_serialize(struct sshkey key, struct sshbuf b)
3372	{
3373	return sshkey_private_serialize_opt(key, b,
3374	SSHKEY_SERIALIZE_DEFAULT);
3375	}
3376
3377	int
3378	sshkey_private_deserialize(struct sshbuf buf, struct sshkey *kp)
3379	{
3380	char tname = NULL((void)0), curve = NULL((void)0), xmss_name = NULL((void)0);
3381	char expect_sk_application = NULL((void)0);
3382	struct sshkey k = NULL((void)0);
3383	size_t pklen = 0, sklen = 0;
3384	int type, r = SSH_ERR_INTERNAL_ERROR-1;
3385	u_char ed25519_pk = NULL((void)0), ed25519_sk = NULL((void)0);
3386	u_char expect_ed25519_pk = NULL((void)0);
3387	u_char xmss_pk = NULL((void)0), xmss_sk = NULL((void)0);
3388	#ifdef WITH_OPENSSL1
3389	BIGNUM exponent = NULL((void)0);
3390	BIGNUM rsa_n = NULL((void)0), rsa_e = NULL((void)0), rsa_d = NULL((void)0);
3391	BIGNUM rsa_iqmp = NULL((void)0), rsa_p = NULL((void)0), rsa_q = NULL((void)0);
3392	BIGNUM dsa_p = NULL((void)0), dsa_q = NULL((void)0), dsa_g = NULL((void)0);
3393	BIGNUM dsa_pub_key = NULL((void)0), dsa_priv_key = NULL((void)0);
3394	#endif /* WITH_OPENSSL */
3395
3396	if (kp != NULL((void*)0))
3397	kp = NULL((void)0);
3398	if ((r = sshbuf_get_cstring(buf, &tname, NULL((void*)0))) != 0)
3399	goto out;
3400	type = sshkey_type_from_name(tname);
3401	if (sshkey_type_is_cert(type)) {
3402	/*
3403	* Certificate key private keys begin with the certificate
3404	* itself. Make sure this matches the type of the enclosing
3405	* private key.
3406	*/
3407	if ((r = sshkey_froms(buf, &k)) != 0)
3408	goto out;
3409	if (k->type != type) {
3410	r = SSH_ERR_KEY_CERT_MISMATCH-45;
3411	goto out;
3412	}
3413	/* For ECDSA keys, the group must match too */
3414	if (k->type == KEY_ECDSA &&
3415	k->ecdsa_nid != sshkey_ecdsa_nid_from_name(tname)) {
3416	r = SSH_ERR_KEY_CERT_MISMATCH-45;
3417	goto out;
3418	}
3419	/*
3420	* Several fields are redundant between certificate and
3421	* private key body, we require these to match.
3422	*/
3423	expect_sk_application = k->sk_application;
3424	expect_ed25519_pk = k->ed25519_pk;
3425	k->sk_application = NULL((void*)0);
3426	k->ed25519_pk = NULL((void*)0);
3427	} else {
3428	if ((k = sshkey_new(type)) == NULL((void*)0)) {
3429	r = SSH_ERR_ALLOC_FAIL-2;
3430	goto out;
3431	}
3432	}
3433	switch (type) {
3434	#ifdef WITH_OPENSSL1
3435	case KEY_DSA:
3436	if ((r = sshbuf_get_bignum2(buf, &dsa_p)) != 0 \|\|
3437	(r = sshbuf_get_bignum2(buf, &dsa_q)) != 0 \|\|
3438	(r = sshbuf_get_bignum2(buf, &dsa_g)) != 0 \|\|
3439	(r = sshbuf_get_bignum2(buf, &dsa_pub_key)) != 0)
3440	goto out;
3441	if (!DSA_set0_pqg(k->dsa, dsa_p, dsa_q, dsa_g)) {
3442	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3443	goto out;
3444	}
3445	dsa_p = dsa_q = dsa_g = NULL((void)0); / transferred */
3446	if (!DSA_set0_key(k->dsa, dsa_pub_key, NULL((void*)0))) {
3447	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3448	goto out;
3449	}
3450	dsa_pub_key = NULL((void)0); / transferred */
3451	/* FALLTHROUGH */
3452	case KEY_DSA_CERT:
3453	if ((r = sshbuf_get_bignum2(buf, &dsa_priv_key)) != 0)
3454	goto out;
3455	if (!DSA_set0_key(k->dsa, NULL((void*)0), dsa_priv_key)) {
3456	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3457	goto out;
3458	}
3459	dsa_priv_key = NULL((void)0); / transferred */
3460	break;
3461	case KEY_ECDSA:
3462	if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
3463	r = SSH_ERR_INVALID_ARGUMENT-10;
3464	goto out;
3465	}
3466	if ((r = sshbuf_get_cstring(buf, &curve, NULL((void*)0))) != 0)
3467	goto out;
3468	if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
3469	r = SSH_ERR_EC_CURVE_MISMATCH-15;
3470	goto out;
3471	}
3472	k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
3473	if (k->ecdsa == NULL((void*)0)) {
3474	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3475	goto out;
3476	}
3477	if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0)
3478	goto out;
3479	/* FALLTHROUGH */
3480	case KEY_ECDSA_CERT:
3481	if ((r = sshbuf_get_bignum2(buf, &exponent)) != 0)
3482	goto out;
3483	if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
3484	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3485	goto out;
3486	}
3487	if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
3488	EC_KEY_get0_public_key(k->ecdsa))) != 0 \|\|
3489	(r = sshkey_ec_validate_private(k->ecdsa)) != 0)
3490	goto out;
3491	break;
3492	case KEY_ECDSA_SK:
3493	if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
3494	r = SSH_ERR_INVALID_ARGUMENT-10;
3495	goto out;
3496	}
3497	if ((r = sshbuf_get_cstring(buf, &curve, NULL((void*)0))) != 0)
3498	goto out;
3499	if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
3500	r = SSH_ERR_EC_CURVE_MISMATCH-15;
3501	goto out;
3502	}
3503	if ((k->sk_key_handle = sshbuf_new()) == NULL((void*)0) \|\|
3504	(k->sk_reserved = sshbuf_new()) == NULL((void*)0)) {
3505	r = SSH_ERR_ALLOC_FAIL-2;
3506	goto out;
3507	}
3508	k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
3509	if (k->ecdsa == NULL((void*)0)) {
3510	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3511	goto out;
3512	}
3513	if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 \|\|
3514	(r = sshbuf_get_cstring(buf, &k->sk_application,
3515	NULL((void*)0))) != 0 \|\|
3516	(r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 \|\|
3517	(r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 \|\|
3518	(r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
3519	goto out;
3520	if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
3521	EC_KEY_get0_public_key(k->ecdsa))) != 0)
3522	goto out;
3523	break;
3524	case KEY_ECDSA_SK_CERT:
3525	if ((k->sk_key_handle = sshbuf_new()) == NULL((void*)0) \|\|
3526	(k->sk_reserved = sshbuf_new()) == NULL((void*)0)) {
3527	r = SSH_ERR_ALLOC_FAIL-2;
3528	goto out;
3529	}
3530	if ((r = sshbuf_get_cstring(buf, &k->sk_application,
3531	NULL((void*)0))) != 0 \|\|
3532	(r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 \|\|
3533	(r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 \|\|
3534	(r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
3535	goto out;
3536	if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
3537	EC_KEY_get0_public_key(k->ecdsa))) != 0)
3538	goto out;
3539	break;
3540	case KEY_RSA:
3541	if ((r = sshbuf_get_bignum2(buf, &rsa_n)) != 0 \|\|
3542	(r = sshbuf_get_bignum2(buf, &rsa_e)) != 0)
3543	goto out;
3544	if (!RSA_set0_key(k->rsa, rsa_n, rsa_e, NULL((void*)0))) {
3545	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3546	goto out;
3547	}
3548	rsa_n = rsa_e = NULL((void)0); / transferred */
3549	/* FALLTHROUGH */
3550	case KEY_RSA_CERT:
3551	if ((r = sshbuf_get_bignum2(buf, &rsa_d)) != 0 \|\|
3552	(r = sshbuf_get_bignum2(buf, &rsa_iqmp)) != 0 \|\|
3553	(r = sshbuf_get_bignum2(buf, &rsa_p)) != 0 \|\|
3554	(r = sshbuf_get_bignum2(buf, &rsa_q)) != 0)
3555	goto out;
3556	if (!RSA_set0_key(k->rsa, NULL((void)0), NULL((void)0), rsa_d)) {
3557	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3558	goto out;
3559	}
3560	rsa_d = NULL((void)0); / transferred */
3561	if (!RSA_set0_factors(k->rsa, rsa_p, rsa_q)) {
3562	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3563	goto out;
3564	}
3565	rsa_p = rsa_q = NULL((void)0); / transferred */
3566	if ((r = check_rsa_length(k->rsa)) != 0)
3567	goto out;
3568	if ((r = ssh_rsa_complete_crt_parameters(k, rsa_iqmp)) != 0)
3569	goto out;
3570	break;
3571	#endif /* WITH_OPENSSL */
3572	case KEY_ED25519:
3573	case KEY_ED25519_CERT:
3574	if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 \|\|
3575	(r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
3576	goto out;
3577	if (pklen != ED25519_PK_SZ32U \|\| sklen != ED25519_SK_SZ64U) {
3578	r = SSH_ERR_INVALID_FORMAT-4;
3579	goto out;
3580	}
3581	k->ed25519_pk = ed25519_pk;
3582	k->ed25519_sk = ed25519_sk;
3583	ed25519_pk = ed25519_sk = NULL((void)0); / transferred */
3584	break;
3585	case KEY_ED25519_SK:
3586	case KEY_ED25519_SK_CERT:
3587	if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0)
3588	goto out;
3589	if (pklen != ED25519_PK_SZ32U) {
3590	r = SSH_ERR_INVALID_FORMAT-4;
3591	goto out;
3592	}
3593	if ((k->sk_key_handle = sshbuf_new()) == NULL((void*)0) \|\|
3594	(k->sk_reserved = sshbuf_new()) == NULL((void*)0)) {
3595	r = SSH_ERR_ALLOC_FAIL-2;
3596	goto out;
3597	}
3598	if ((r = sshbuf_get_cstring(buf, &k->sk_application,
3599	NULL((void*)0))) != 0 \|\|
3600	(r = sshbuf_get_u8(buf, &k->sk_flags)) != 0 \|\|
3601	(r = sshbuf_get_stringb(buf, k->sk_key_handle)) != 0 \|\|
3602	(r = sshbuf_get_stringb(buf, k->sk_reserved)) != 0)
3603	goto out;
3604	k->ed25519_pk = ed25519_pk;
3605	ed25519_pk = NULL((void)0); / transferred */
3606	break;
3607	#ifdef WITH_XMSS
3608	case KEY_XMSS:
3609	case KEY_XMSS_CERT:
3610	if ((r = sshbuf_get_cstring(buf, &xmss_name, NULL((void*)0))) != 0 \|\|
3611	(r = sshbuf_get_string(buf, &xmss_pk, &pklen)) != 0 \|\|
3612	(r = sshbuf_get_string(buf, &xmss_sk, &sklen)) != 0)
3613	goto out;
3614	if (type == KEY_XMSS &&
3615	(r = sshkey_xmss_init(k, xmss_name)) != 0)
3616	goto out;
3617	if (pklen != sshkey_xmss_pklen(k) \|\|
3618	sklen != sshkey_xmss_sklen(k)) {
3619	r = SSH_ERR_INVALID_FORMAT-4;
3620	goto out;
3621	}
3622	k->xmss_pk = xmss_pk;
3623	k->xmss_sk = xmss_sk;
3624	xmss_pk = xmss_sk = NULL((void*)0);
3625	/* optional internal state */
3626	if ((r = sshkey_xmss_deserialize_state_opt(k, buf)) != 0)
3627	goto out;
3628	break;
3629	#endif /* WITH_XMSS */
3630	default:
3631	r = SSH_ERR_KEY_TYPE_UNKNOWN-14;
3632	goto out;
3633	}
3634	#ifdef WITH_OPENSSL1
3635	/* enable blinding */
3636	switch (k->type) {
3637	case KEY_RSA:
3638	case KEY_RSA_CERT:
3639	if (RSA_blinding_on(k->rsa, NULL((void*)0)) != 1) {
3640	r = SSH_ERR_LIBCRYPTO_ERROR-22;
3641	goto out;
3642	}
3643	break;
3644	}
3645	#endif /* WITH_OPENSSL */
3646	if ((expect_sk_application != NULL((void)0) && (k->sk_application == NULL((void)0) \|\|
3647	strcmp(expect_sk_application, k->sk_application) != 0)) \|\|
3648	(expect_ed25519_pk != NULL((void)0) && (k->ed25519_pk == NULL((void)0) \|\|
3649	memcmp(expect_ed25519_pk, k->ed25519_pk, ED25519_PK_SZ32U) != 0))) {
3650	r = SSH_ERR_KEY_CERT_MISMATCH-45;
3651	goto out;
3652	}
3653	/* success */
3654	r = 0;
3655	if (kp != NULL((void*)0)) {
3656	*kp = k;
3657	k = NULL((void*)0);
3658	}
3659	out:
3660	free(tname);
3661	free(curve);
3662	#ifdef WITH_OPENSSL1
3663	BN_clear_free(exponent);
3664	BN_clear_free(dsa_p);
3665	BN_clear_free(dsa_q);
3666	BN_clear_free(dsa_g);
3667	BN_clear_free(dsa_pub_key);
3668	BN_clear_free(dsa_priv_key);
3669	BN_clear_free(rsa_n);
3670	BN_clear_free(rsa_e);
3671	BN_clear_free(rsa_d);
3672	BN_clear_free(rsa_p);
3673	BN_clear_free(rsa_q);
3674	BN_clear_free(rsa_iqmp);
3675	#endif /* WITH_OPENSSL */
3676	sshkey_free(k);
3677	freezero(ed25519_pk, pklen);
3678	freezero(ed25519_sk, sklen);
3679	free(xmss_name);
3680	freezero(xmss_pk, pklen);
3681	freezero(xmss_sk, sklen);
3682	free(expect_sk_application);
3683	free(expect_ed25519_pk);
3684	return r;
3685	}
3686
3687	#ifdef WITH_OPENSSL1
3688	int
3689	sshkey_ec_validate_public(const EC_GROUP group, const EC_POINT public)
3690	{
3691	EC_POINT nq = NULL((void)0);
3692	BIGNUM order = NULL((void)0), x = NULL((void)0), y = NULL((void)0), tmp = NULL((void)0);
3693	int ret = SSH_ERR_KEY_INVALID_EC_VALUE-20;
3694
3695	/*
3696	* NB. This assumes OpenSSL has already verified that the public
3697	* point lies on the curve. This is done by EC_POINT_oct2point()
3698	* implicitly calling EC_POINT_is_on_curve(). If this code is ever
3699	* reachable with public points not unmarshalled using
3700	* EC_POINT_oct2point then the caller will need to explicitly check.
3701	*/
3702
3703	/*
3704	* We shouldn't ever hit this case because bignum_get_ecpoint()
3705	* refuses to load GF2m points.
3706	*/
3707	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
3708	NID_X9_62_prime_field406)
3709	goto out;
3710
3711	/* Q != infinity */
3712	if (EC_POINT_is_at_infinity(group, public))
3713	goto out;
3714
3715	if ((x = BN_new()) == NULL((void*)0) \|\|
3716	(y = BN_new()) == NULL((void*)0) \|\|
3717	(order = BN_new()) == NULL((void*)0) \|\|
3718	(tmp = BN_new()) == NULL((void*)0)) {
3719	ret = SSH_ERR_ALLOC_FAIL-2;
3720	goto out;
3721	}
3722
3723	/* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
3724	if (EC_GROUP_get_order(group, order, NULL((void*)0)) != 1 \|\|
3725	EC_POINT_get_affine_coordinates_GFp(group, public,
3726	x, y, NULL((void*)0)) != 1) {
3727	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
3728	goto out;
3729	}
3730	if (BN_num_bits(x) <= BN_num_bits(order) / 2 \|\|
3731	BN_num_bits(y) <= BN_num_bits(order) / 2)
3732	goto out;
3733
3734	/* nQ == infinity (n == order of subgroup) */
3735	if ((nq = EC_POINT_new(group)) == NULL((void*)0)) {
3736	ret = SSH_ERR_ALLOC_FAIL-2;
3737	goto out;
3738	}
3739	if (EC_POINT_mul(group, nq, NULL((void)0), public, order, NULL((void)0)) != 1) {
3740	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
3741	goto out;
3742	}
3743	if (EC_POINT_is_at_infinity(group, nq) != 1)
3744	goto out;
3745
3746	/* x < order - 1, y < order - 1 */
3747	if (!BN_sub(tmp, order, BN_value_one())) {
3748	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
3749	goto out;
3750	}
3751	if (BN_cmp(x, tmp) >= 0 \|\| BN_cmp(y, tmp) >= 0)
3752	goto out;
3753	ret = 0;
3754	out:
3755	BN_clear_free(x);
3756	BN_clear_free(y);
3757	BN_clear_free(order);
3758	BN_clear_free(tmp);
3759	EC_POINT_free(nq);
3760	return ret;
3761	}
3762
3763	int
3764	sshkey_ec_validate_private(const EC_KEY *key)
3765	{
3766	BIGNUM order = NULL((void)0), tmp = NULL((void)0);
3767	int ret = SSH_ERR_KEY_INVALID_EC_VALUE-20;
3768
3769	if ((order = BN_new()) == NULL((void)0) \|\| (tmp = BN_new()) == NULL((void)0)) {
3770	ret = SSH_ERR_ALLOC_FAIL-2;
3771	goto out;
3772	}
3773
3774	/* log2(private) > log2(order)/2 */
3775	if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, NULL((void*)0)) != 1) {
3776	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
3777	goto out;
3778	}
3779	if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
3780	BN_num_bits(order) / 2)
3781	goto out;
3782
3783	/* private < order - 1 */
3784	if (!BN_sub(tmp, order, BN_value_one())) {
3785	ret = SSH_ERR_LIBCRYPTO_ERROR-22;
3786	goto out;
3787	}
3788	if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
3789	goto out;
3790	ret = 0;
3791	out:
3792	BN_clear_free(order);
3793	BN_clear_free(tmp);
3794	return ret;
3795	}
3796
3797	void
3798	sshkey_dump_ec_point(const EC_GROUP group, const EC_POINT point)
3799	{
3800	BIGNUM x = NULL((void)0), y = NULL((void)0);
3801
3802	if (point == NULL((void*)0)) {
3803	fputs("point=(NULL)\n", stderr(&__sF[2]));
3804	return;
3805	}
3806	if ((x = BN_new()) == NULL((void)0) \|\| (y = BN_new()) == NULL((void)0)) {
3807	fprintf(stderr(&__sF[2]), "%s: BN_new failed\n", __func__);
3808	goto out;
3809	}
3810	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
3811	NID_X9_62_prime_field406) {
3812	fprintf(stderr(&__sF[2]), "%s: group is not a prime field\n", __func__);
3813	goto out;
3814	}
3815	if (EC_POINT_get_affine_coordinates_GFp(group, point,
3816	x, y, NULL((void*)0)) != 1) {
3817	fprintf(stderr(&__sF[2]), "%s: EC_POINT_get_affine_coordinates_GFp\n",
3818	__func__);
3819	goto out;
3820	}
3821	fputs("x=", stderr(&__sF[2]));
3822	BN_print_fp(stderr(&__sF[2]), x);
3823	fputs("\ny=", stderr(&__sF[2]));
3824	BN_print_fp(stderr(&__sF[2]), y);
3825	fputs("\n", stderr(&__sF[2]));
3826	out:
3827	BN_clear_free(x);
3828	BN_clear_free(y);
3829	}
3830
3831	void
3832	sshkey_dump_ec_key(const EC_KEY *key)
3833	{
3834	const BIGNUM *exponent;
3835
3836	sshkey_dump_ec_point(EC_KEY_get0_group(key),
3837	EC_KEY_get0_public_key(key));
3838	fputs("exponent=", stderr(&__sF[2]));
3839	if ((exponent = EC_KEY_get0_private_key(key)) == NULL((void*)0))
3840	fputs("(NULL)", stderr(&__sF[2]));
3841	else
3842	BN_print_fp(stderr(&__sF[2]), EC_KEY_get0_private_key(key));
3843	fputs("\n", stderr(&__sF[2]));
3844	}
3845	#endif /* WITH_OPENSSL */
3846
3847	static int
3848	sshkey_private_to_blob2(struct sshkey prv, struct sshbuf blob,
3849	const char passphrase, const char comment, const char *ciphername,
3850	int rounds)
3851	{
3852	u_char cp, key = NULL((void)0), pubkeyblob = NULL((void*)0);
3853	u_char salt[SALT_LEN16];
3854	char b64 = NULL((void)0);
3855	size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
3856	u_int check;
3857	int r = SSH_ERR_INTERNAL_ERROR-1;
3858	struct sshcipher_ctx ciphercontext = NULL((void)0);
3859	const struct sshcipher *cipher;
3860	const char *kdfname = KDFNAME"bcrypt";
3861	struct sshbuf encoded = NULL((void)0), encrypted = NULL((void)0), kdf = NULL((void)0);
3862
3863	if (rounds <= 0)
3864	rounds = DEFAULT_ROUNDS16;
3865	if (passphrase == NULL((void*)0) \|\| !strlen(passphrase)) {
3866	ciphername = "none";
3867	kdfname = "none";
3868	} else if (ciphername == NULL((void*)0))
3869	ciphername = DEFAULT_CIPHERNAME"aes256-ctr";
3870	if ((cipher = cipher_by_name(ciphername)) == NULL((void*)0)) {
3871	r = SSH_ERR_INVALID_ARGUMENT-10;
3872	goto out;
3873	}
3874
3875	if ((kdf = sshbuf_new()) == NULL((void*)0) \|\|
3876	(encoded = sshbuf_new()) == NULL((void*)0) \|\|
3877	(encrypted = sshbuf_new()) == NULL((void*)0)) {
3878	r = SSH_ERR_ALLOC_FAIL-2;
3879	goto out;
3880	}
3881	blocksize = cipher_blocksize(cipher);
3882	keylen = cipher_keylen(cipher);
3883	ivlen = cipher_ivlen(cipher);
3884	authlen = cipher_authlen(cipher);
3885	if ((key = calloc(1, keylen + ivlen)) == NULL((void*)0)) {
3886	r = SSH_ERR_ALLOC_FAIL-2;
3887	goto out;
3888	}
3889	if (strcmp(kdfname, "bcrypt") == 0) {
3890	arc4random_buf(salt, SALT_LEN16);
3891	if (bcrypt_pbkdf(passphrase, strlen(passphrase),
3892	salt, SALT_LEN16, key, keylen + ivlen, rounds) < 0) {
3893	r = SSH_ERR_INVALID_ARGUMENT-10;
3894	goto out;
3895	}
3896	if ((r = sshbuf_put_string(kdf, salt, SALT_LEN16)) != 0 \|\|
3897	(r = sshbuf_put_u32(kdf, rounds)) != 0)
3898	goto out;
3899	} else if (strcmp(kdfname, "none") != 0) {
3900	/* Unsupported KDF type */
3901	r = SSH_ERR_KEY_UNKNOWN_CIPHER-42;
3902	goto out;
3903	}
3904	if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
3905	key + keylen, ivlen, 1)) != 0)
3906	goto out;
3907
3908	if ((r = sshbuf_put(encoded, AUTH_MAGIC"openssh-key-v1", sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 \|\|
3909	(r = sshbuf_put_cstring(encoded, ciphername)) != 0 \|\|
3910	(r = sshbuf_put_cstring(encoded, kdfname)) != 0 \|\|
3911	(r = sshbuf_put_stringb(encoded, kdf)) != 0 \|\|
3912	(r = sshbuf_put_u32(encoded, 1)) != 0 \|\| /* number of keys */
3913	(r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 \|\|
3914	(r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
3915	goto out;
3916
3917	/* set up the buffer that will be encrypted */
3918
3919	/* Random check bytes */
3920	check = arc4random();
3921	if ((r = sshbuf_put_u32(encrypted, check)) != 0 \|\|
3922	(r = sshbuf_put_u32(encrypted, check)) != 0)
3923	goto out;
3924
3925	/* append private key and comment*/
3926	if ((r = sshkey_private_serialize_opt(prv, encrypted,
3927	SSHKEY_SERIALIZE_FULL)) != 0 \|\|
3928	(r = sshbuf_put_cstring(encrypted, comment)) != 0)
3929	goto out;
3930
3931	/* padding */
3932	i = 0;
3933	while (sshbuf_len(encrypted) % blocksize) {
3934	if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
3935	goto out;
3936	}
3937
3938	/* length in destination buffer */
3939	if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
3940	goto out;
3941
3942	/* encrypt */
3943	if ((r = sshbuf_reserve(encoded,
3944	sshbuf_len(encrypted) + authlen, &cp)) != 0)
3945	goto out;
3946	if ((r = cipher_crypt(ciphercontext, 0, cp,
3947	sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
3948	goto out;
3949
3950	sshbuf_reset(blob);
3951
3952	/* assemble uuencoded key */
3953	if ((r = sshbuf_put(blob, MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n", MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1))) != 0 \|\|
3954	(r = sshbuf_dtob64(encoded, blob, 1)) != 0 \|\|
3955	(r = sshbuf_put(blob, MARK_END"-----END OPENSSH PRIVATE KEY-----\n", MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1))) != 0)
3956	goto out;
3957
3958	/* success */
3959	r = 0;
3960
3961	out:
3962	sshbuf_free(kdf);
3963	sshbuf_free(encoded);
3964	sshbuf_free(encrypted);
3965	cipher_free(ciphercontext);
3966	explicit_bzero(salt, sizeof(salt));
3967	if (key != NULL((void*)0))
3968	freezero(key, keylen + ivlen);
3969	if (pubkeyblob != NULL((void*)0))
3970	freezero(pubkeyblob, pubkeylen);
3971	if (b64 != NULL((void*)0))
3972	freezero(b64, strlen(b64));
3973	return r;
3974	}
3975
3976	static int
3977	private2_uudecode(struct sshbuf blob, struct sshbuf *decodedp)
3978	{
3979	const u_char *cp;
3980	size_t encoded_len;
3981	int r;
3982	u_char last;
3983	struct sshbuf encoded = NULL((void)0), decoded = NULL((void)0);
3984
3985	if (blob == NULL((void)0) \|\| decodedp == NULL((void)0))
3986	return SSH_ERR_INVALID_ARGUMENT-10;
3987
3988	decodedp = NULL((void)0);
3989
3990	if ((encoded = sshbuf_new()) == NULL((void*)0) \|\|
3991	(decoded = sshbuf_new()) == NULL((void*)0)) {
3992	r = SSH_ERR_ALLOC_FAIL-2;
3993	goto out;
3994	}
3995
3996	/* check preamble */
3997	cp = sshbuf_ptr(blob);
3998	encoded_len = sshbuf_len(blob);
3999	if (encoded_len < (MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1) + MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1)) \|\|
4000	memcmp(cp, MARK_BEGIN"-----BEGIN OPENSSH PRIVATE KEY-----\n", MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1)) != 0) {
4001	r = SSH_ERR_INVALID_FORMAT-4;
4002	goto out;
4003	}
4004	cp += MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1);
4005	encoded_len -= MARK_BEGIN_LEN(sizeof("-----BEGIN OPENSSH PRIVATE KEY-----\n") - 1);
4006
4007	/* Look for end marker, removing whitespace as we go */
4008	while (encoded_len > 0) {
4009	if (cp != '\n' && cp != '\r') {
4010	if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
4011	goto out;
4012	}
4013	last = *cp;
4014	encoded_len--;
4015	cp++;
4016	if (last == '\n') {
4017	if (encoded_len >= MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1) &&
4018	memcmp(cp, MARK_END"-----END OPENSSH PRIVATE KEY-----\n", MARK_END_LEN(sizeof("-----END OPENSSH PRIVATE KEY-----\n") - 1)) == 0) {
4019	/* \0 terminate */
4020	if ((r = sshbuf_put_u8(encoded, 0)) != 0)
4021	goto out;
4022	break;
4023	}
4024	}
4025	}
4026	if (encoded_len == 0) {
4027	r = SSH_ERR_INVALID_FORMAT-4;
4028	goto out;
4029	}
4030
4031	/* decode base64 */
4032	if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0)
4033	goto out;
4034
4035	/* check magic */
4036	if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC"openssh-key-v1") \|\|
4037	memcmp(sshbuf_ptr(decoded), AUTH_MAGIC"openssh-key-v1", sizeof(AUTH_MAGIC"openssh-key-v1"))) {
4038	r = SSH_ERR_INVALID_FORMAT-4;
4039	goto out;
4040	}
4041	/* success */
4042	*decodedp = decoded;
4043	decoded = NULL((void*)0);
4044	r = 0;
4045	out:
4046	sshbuf_free(encoded);
4047	sshbuf_free(decoded);
4048	return r;
4049	}
4050
4051	static int
4052	private2_decrypt(struct sshbuf decoded, const char passphrase,
4053	struct sshbuf decryptedp, struct sshkey pubkeyp)
4054	{
4055	char ciphername = NULL((void)0), kdfname = NULL((void)0);
4056	const struct sshcipher cipher = NULL((void)0);
4057	int r = SSH_ERR_INTERNAL_ERROR-1;
4058	size_t keylen = 0, ivlen = 0, authlen = 0, slen = 0;
4059	struct sshbuf kdf = NULL((void)0), decrypted = NULL((void)0);
4060	struct sshcipher_ctx ciphercontext = NULL((void)0);
4061	struct sshkey pubkey = NULL((void)0);
4062	u_char key = NULL((void)0), salt = NULL((void)0), *dp;
4063	u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
4064
4065	if (decoded == NULL((void)0) \|\| decryptedp == NULL((void)0) \|\| pubkeyp == NULL((void*)0))
4066	return SSH_ERR_INVALID_ARGUMENT-10;
4067
4068	decryptedp = NULL((void)0);
4069	pubkeyp = NULL((void)0);
4070
4071	if ((decrypted = sshbuf_new()) == NULL((void*)0)) {
4072	r = SSH_ERR_ALLOC_FAIL-2;
4073	goto out;
4074	}
4075
4076	/* parse public portion of key */
4077	if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 \|\|
4078	(r = sshbuf_get_cstring(decoded, &ciphername, NULL((void*)0))) != 0 \|\|
4079	(r = sshbuf_get_cstring(decoded, &kdfname, NULL((void*)0))) != 0 \|\|
4080	(r = sshbuf_froms(decoded, &kdf)) != 0 \|\|
4081	(r = sshbuf_get_u32(decoded, &nkeys)) != 0)
4082	goto out;
4083
4084	if (nkeys != 1) {
4085	/* XXX only one key supported at present */
4086	r = SSH_ERR_INVALID_FORMAT-4;
4087	goto out;
4088	}
4089
4090	if ((r = sshkey_froms(decoded, &pubkey)) != 0 \|\|
4091	(r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
4092	goto out;
4093
4094	if ((cipher = cipher_by_name(ciphername)) == NULL((void*)0)) {
4095	r = SSH_ERR_KEY_UNKNOWN_CIPHER-42;
4096	goto out;
4097	}
4098	if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
4099	r = SSH_ERR_KEY_UNKNOWN_CIPHER-42;
4100	goto out;
4101	}
4102	if (strcmp(kdfname, "none") == 0 && strcmp(ciphername, "none") != 0) {
4103	r = SSH_ERR_INVALID_FORMAT-4;
4104	goto out;
4105	}
4106	if ((passphrase == NULL((void*)0) \|\| strlen(passphrase) == 0) &&
4107	strcmp(kdfname, "none") != 0) {
4108	/* passphrase required */
4109	r = SSH_ERR_KEY_WRONG_PASSPHRASE-43;
4110	goto out;
4111	}
4112
4113	/* check size of encrypted key blob */
4114	blocksize = cipher_blocksize(cipher);
4115	if (encrypted_len < blocksize \|\| (encrypted_len % blocksize) != 0) {
4116	r = SSH_ERR_INVALID_FORMAT-4;
4117	goto out;
4118	}
4119
4120	/* setup key */
4121	keylen = cipher_keylen(cipher);
4122	ivlen = cipher_ivlen(cipher);
4123	authlen = cipher_authlen(cipher);
4124	if ((key = calloc(1, keylen + ivlen)) == NULL((void*)0)) {
4125	r = SSH_ERR_ALLOC_FAIL-2;
4126	goto out;
4127	}
4128	if (strcmp(kdfname, "bcrypt") == 0) {
4129	if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 \|\|
4130	(r = sshbuf_get_u32(kdf, &rounds)) != 0)
4131	goto out;
4132	if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
4133	key, keylen + ivlen, rounds) < 0) {
4134	r = SSH_ERR_INVALID_FORMAT-4;
4135	goto out;
4136	}
4137	}
4138
4139	/* check that an appropriate amount of auth data is present */
4140	if (sshbuf_len(decoded) < authlen \|\|
4141	sshbuf_len(decoded) - authlen < encrypted_len) {
4142	r = SSH_ERR_INVALID_FORMAT-4;
4143	goto out;
4144	}
4145
4146	/* decrypt private portion of key */
4147	if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 \|\|
4148	(r = cipher_init(&ciphercontext, cipher, key, keylen,
4149	key + keylen, ivlen, 0)) != 0)
4150	goto out;
4151	if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
4152	encrypted_len, 0, authlen)) != 0) {
4153	/* an integrity error here indicates an incorrect passphrase */
4154	if (r == SSH_ERR_MAC_INVALID-30)
4155	r = SSH_ERR_KEY_WRONG_PASSPHRASE-43;
4156	goto out;
4157	}
4158	if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
4159	goto out;
4160	/* there should be no trailing data */
4161	if (sshbuf_len(decoded) != 0) {
4162	r = SSH_ERR_INVALID_FORMAT-4;
4163	goto out;
4164	}
4165
4166	/* check check bytes */
4167	if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 \|\|
4168	(r = sshbuf_get_u32(decrypted, &check2)) != 0)
4169	goto out;
4170	if (check1 != check2) {
4171	r = SSH_ERR_KEY_WRONG_PASSPHRASE-43;
4172	goto out;
4173	}
4174	/* success */
4175	*decryptedp = decrypted;
4176	decrypted = NULL((void*)0);
4177	*pubkeyp = pubkey;
4178	pubkey = NULL((void*)0);
4179	r = 0;
4180	out:
4181	cipher_free(ciphercontext);
4182	free(ciphername);
4183	free(kdfname);
4184	sshkey_free(pubkey);
4185	if (salt != NULL((void*)0)) {
4186	explicit_bzero(salt, slen);
4187	free(salt);
4188	}
4189	if (key != NULL((void*)0)) {
4190	explicit_bzero(key, keylen + ivlen);
4191	free(key);
4192	}
4193	sshbuf_free(kdf);
4194	sshbuf_free(decrypted);
4195	return r;
4196	}
4197
4198	/* Check deterministic padding after private key */
4199	static int
4200	private2_check_padding(struct sshbuf *decrypted)
4201	{
4202	u_char pad;
4203	size_t i;
4204	int r = SSH_ERR_INTERNAL_ERROR-1;
4205
4206	i = 0;
4207	while (sshbuf_len(decrypted)) {
4208	if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
4209	goto out;
4210	if (pad != (++i & 0xff)) {
4211	r = SSH_ERR_INVALID_FORMAT-4;
4212	goto out;
4213	}
4214	}
4215	/* success */
4216	r = 0;
4217	out:
4218	explicit_bzero(&pad, sizeof(pad));
4219	explicit_bzero(&i, sizeof(i));
4220	return r;
4221	}
4222
4223	static int
4224	sshkey_parse_private2(struct sshbuf blob, int type, const char passphrase,
4225	struct sshkey keyp, char commentp)
4226	{
4227	char comment = NULL((void)0);
4228	int r = SSH_ERR_INTERNAL_ERROR-1;
4229	struct sshbuf decoded = NULL((void)0), decrypted = NULL((void)0);
4230	struct sshkey k = NULL((void)0), pubkey = NULL((void)0);
4231
4232	if (keyp != NULL((void*)0))
4233	keyp = NULL((void)0);
4234	if (commentp != NULL((void*)0))
4235	commentp = NULL((void)0);
4236
4237	/* Undo base64 encoding and decrypt the private section */
4238	if ((r = private2_uudecode(blob, &decoded)) != 0 \|\|
4239	(r = private2_decrypt(decoded, passphrase,
4240	&decrypted, &pubkey)) != 0)
4241	goto out;
4242
4243	if (type != KEY_UNSPEC &&
4244	sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) {
4245	r = SSH_ERR_KEY_TYPE_MISMATCH-13;
4246	goto out;
4247	}
4248
4249	/* Load the private key and comment */
4250	if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 \|\|
4251	(r = sshbuf_get_cstring(decrypted, &comment, NULL((void*)0))) != 0)
4252	goto out;
4253
4254	/* Check deterministic padding after private section */
4255	if ((r = private2_check_padding(decrypted)) != 0)
4256	goto out;
4257
4258	/* Check that the public key in the envelope matches the private key */
4259	if (!sshkey_equal(pubkey, k)) {
4260	r = SSH_ERR_INVALID_FORMAT-4;
4261	goto out;
4262	}
4263
4264	/* success */
4265	r = 0;
4266	if (keyp != NULL((void*)0)) {
4267	*keyp = k;
4268	k = NULL((void*)0);
4269	}
4270	if (commentp != NULL((void*)0)) {
4271	*commentp = comment;
4272	comment = NULL((void*)0);
4273	}
4274	out:
4275	free(comment);
4276	sshbuf_free(decoded);
4277	sshbuf_free(decrypted);
4278	sshkey_free(k);
4279	sshkey_free(pubkey);
4280	return r;
4281	}
4282
4283	static int
4284	sshkey_parse_private2_pubkey(struct sshbuf *blob, int type,
4285	struct sshkey **keyp)
4286	{
4287	int r = SSH_ERR_INTERNAL_ERROR-1;
4288	struct sshbuf decoded = NULL((void)0);
4289	struct sshkey pubkey = NULL((void)0);
4290	u_int nkeys = 0;
4291
4292	if (keyp != NULL((void*)0))
4293	keyp = NULL((void)0);
4294
4295	if ((r = private2_uudecode(blob, &decoded)) != 0)
4296	goto out;
4297	/* parse public key from unencrypted envelope */
4298	if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC"openssh-key-v1"))) != 0 \|\|
4299	(r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void)0), ((void)0))) != 0 \|\| /* cipher */
4300	(r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void)0), ((void)0))) != 0 \|\| /* KDF alg */
4301	(r = sshbuf_skip_string(decoded)sshbuf_get_string_direct(decoded, ((void)0), ((void)0))) != 0 \|\| /* KDF hint */
4302	(r = sshbuf_get_u32(decoded, &nkeys)) != 0)
4303	goto out;
4304
4305	if (nkeys != 1) {
4306	/* XXX only one key supported at present */
4307	r = SSH_ERR_INVALID_FORMAT-4;
4308	goto out;
4309	}
4310
4311	/* Parse the public key */
4312	if ((r = sshkey_froms(decoded, &pubkey)) != 0)
4313	goto out;
4314
4315	if (type != KEY_UNSPEC &&
4316	sshkey_type_plain(type) != sshkey_type_plain(pubkey->type)) {
4317	r = SSH_ERR_KEY_TYPE_MISMATCH-13;
4318	goto out;
4319	}
4320
4321	/* success */
4322	r = 0;
4323	if (keyp != NULL((void*)0)) {
4324	*keyp = pubkey;
4325	pubkey = NULL((void*)0);
4326	}
4327	out:
4328	sshbuf_free(decoded);
4329	sshkey_free(pubkey);
4330	return r;
4331	}
4332
4333	#ifdef WITH_OPENSSL1
4334	/* convert SSH v2 key to PEM or PKCS#8 format */
4335	static int
4336	sshkey_private_to_blob_pem_pkcs8(struct sshkey key, struct sshbuf buf,
4337	int format, const char _passphrase, const char comment)
4338	{
4339	int was_shielded = sshkey_is_shielded(key);
4340	int success, r;
4341	int blen, len = strlen(_passphrase);
4342	u_char passphrase = (len > 0) ? (u_char )_passphrase : NULL((void*)0);
4343	const EVP_CIPHER cipher = (len > 0) ? EVP_aes_128_cbc() : NULL((void)0);
4344	char *bptr;
4345	BIO bio = NULL((void)0);
4346	struct sshbuf *blob;
4347	EVP_PKEY pkey = NULL((void)0);
4348
4349	if (len > 0 && len <= 4)
4350	return SSH_ERR_PASSPHRASE_TOO_SHORT-40;
4351	if ((blob = sshbuf_new()) == NULL((void*)0))
4352	return SSH_ERR_ALLOC_FAIL-2;
4353	if ((bio = BIO_new(BIO_s_mem())) == NULL((void*)0)) {
4354	r = SSH_ERR_ALLOC_FAIL-2;
4355	goto out;
4356	}
4357	if (format == SSHKEY_PRIVATE_PKCS8 && (pkey = EVP_PKEY_new()) == NULL((void*)0)) {
4358	r = SSH_ERR_ALLOC_FAIL-2;
4359	goto out;
4360	}
4361	if ((r = sshkey_unshield_private(key)) != 0)
4362	goto out;
4363
4364	switch (key->type) {
4365	case KEY_DSA:
4366	if (format == SSHKEY_PRIVATE_PEM) {
4367	success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
4368	cipher, passphrase, len, NULL((void)0), NULL((void)0));
4369	} else {
4370	success = EVP_PKEY_set1_DSA(pkey, key->dsa);
4371	}
4372	break;
4373	case KEY_ECDSA:
4374	if (format == SSHKEY_PRIVATE_PEM) {
4375	success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
4376	cipher, passphrase, len, NULL((void)0), NULL((void)0));
4377	} else {
4378	success = EVP_PKEY_set1_EC_KEY(pkey, key->ecdsa);
4379	}
4380	break;
4381	case KEY_RSA:
4382	if (format == SSHKEY_PRIVATE_PEM) {
4383	success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
4384	cipher, passphrase, len, NULL((void)0), NULL((void)0));
4385	} else {
4386	success = EVP_PKEY_set1_RSA(pkey, key->rsa);
4387	}
4388	break;
4389	default:
4390	success = 0;
4391	break;
4392	}
4393	if (success == 0) {
4394	r = SSH_ERR_LIBCRYPTO_ERROR-22;
4395	goto out;
4396	}
4397	if (format == SSHKEY_PRIVATE_PKCS8) {
4398	if ((success = PEM_write_bio_PrivateKey(bio, pkey, cipher,
4399	passphrase, len, NULL((void)0), NULL((void)0))) == 0) {
4400	r = SSH_ERR_LIBCRYPTO_ERROR-22;
4401	goto out;
4402	}
4403	}
4404	if ((blen = BIO_get_mem_data(bio, &bptr)BIO_ctrl(bio,3,0,(char *)&bptr)) <= 0) {
4405	r = SSH_ERR_INTERNAL_ERROR-1;
4406	goto out;
4407	}
4408	if ((r = sshbuf_put(blob, bptr, blen)) != 0)
4409	goto out;
4410	r = 0;
4411	out:
4412	if (was_shielded)
4413	r = sshkey_shield_private(key);
4414	if (r == 0)
4415	r = sshbuf_putb(buf, blob);
4416
4417	EVP_PKEY_free(pkey);
4418	sshbuf_free(blob);
4419	BIO_free(bio);
4420	return r;
4421	}
4422	#endif /* WITH_OPENSSL */
4423
4424	/* Serialise "key" to buffer "blob" */
4425	int
4426	sshkey_private_to_fileblob(struct sshkey key, struct sshbuf blob,
4427	const char passphrase, const char comment,
4428	int format, const char *openssh_format_cipher, int openssh_format_rounds)
4429	{
4430	switch (key->type) {
4431	#ifdef WITH_OPENSSL1
4432	case KEY_DSA:
4433	case KEY_ECDSA:
4434	case KEY_RSA:
4435	break; /* see below */
4436	#endif /* WITH_OPENSSL */
4437	case KEY_ED25519:
4438	case KEY_ED25519_SK:
4439	#ifdef WITH_XMSS
4440	case KEY_XMSS:
4441	#endif /* WITH_XMSS */
4442	#ifdef WITH_OPENSSL1
4443	case KEY_ECDSA_SK:
4444	#endif /* WITH_OPENSSL */
4445	return sshkey_private_to_blob2(key, blob, passphrase,
4446	comment, openssh_format_cipher, openssh_format_rounds);
4447	default:
4448	return SSH_ERR_KEY_TYPE_UNKNOWN-14;
4449	}
4450
4451	#ifdef WITH_OPENSSL1
4452	switch (format) {
4453	case SSHKEY_PRIVATE_OPENSSH:
4454	return sshkey_private_to_blob2(key, blob, passphrase,
4455	comment, openssh_format_cipher, openssh_format_rounds);
4456	case SSHKEY_PRIVATE_PEM:
4457	case SSHKEY_PRIVATE_PKCS8:
4458	return sshkey_private_to_blob_pem_pkcs8(key, blob,
4459	format, passphrase, comment);
4460	default:
4461	return SSH_ERR_INVALID_ARGUMENT-10;
4462	}
4463	#endif /* WITH_OPENSSL */
4464	}
4465
4466	#ifdef WITH_OPENSSL1
4467	static int
4468	translate_libcrypto_error(unsigned long pem_err)
4469	{
4470	int pem_reason = ERR_GET_REASON(pem_err)(int)((pem_err)&0xfffL);
4471
4472	switch (ERR_GET_LIB(pem_err)(int)((((unsigned long)pem_err)>>24L)&0xffL)) {
4473	case ERR_LIB_PEM9:
4474	switch (pem_reason) {
4475	case PEM_R_BAD_PASSWORD_READ104:
4476	case PEM_R_PROBLEMS_GETTING_PASSWORD109:
4477	case PEM_R_BAD_DECRYPT101:
4478	return SSH_ERR_KEY_WRONG_PASSPHRASE-43;
4479	default:
4480	return SSH_ERR_INVALID_FORMAT-4;
4481	}
4482	case ERR_LIB_EVP6:
4483	switch (pem_reason) {
4484	case EVP_R_BAD_DECRYPT100:
4485	return SSH_ERR_KEY_WRONG_PASSPHRASE-43;
4486	#ifdef EVP_R_BN_DECODE_ERROR112
4487	case EVP_R_BN_DECODE_ERROR112:
4488	#endif
4489	case EVP_R_DECODE_ERROR114:
4490	#ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR145
4491	case EVP_R_PRIVATE_KEY_DECODE_ERROR145:
4492	#endif
4493	return SSH_ERR_INVALID_FORMAT-4;
4494	default:
4495	return SSH_ERR_LIBCRYPTO_ERROR-22;
4496	}
4497	case ERR_LIB_ASN113:
4498	return SSH_ERR_INVALID_FORMAT-4;
4499	}
4500	return SSH_ERR_LIBCRYPTO_ERROR-22;
4501	}
4502
4503	static void
4504	clear_libcrypto_errors(void)
4505	{
4506	while (ERR_get_error() != 0)
4507	;
4508	}
4509
4510	/*
4511	* Translate OpenSSL error codes to determine whether
4512	* passphrase is required/incorrect.
4513	*/
4514	static int
4515	convert_libcrypto_error(void)
4516	{
4517	/*
4518	* Some password errors are reported at the beginning
4519	* of the error queue.
4520	*/
4521	if (translate_libcrypto_error(ERR_peek_error()) ==
4522	SSH_ERR_KEY_WRONG_PASSPHRASE-43)
4523	return SSH_ERR_KEY_WRONG_PASSPHRASE-43;
4524	return translate_libcrypto_error(ERR_peek_last_error());
4525	}
4526
4527	static int
4528	sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
4529	const char passphrase, struct sshkey *keyp)
4530	{
4531	EVP_PKEY pk = NULL((void)0);
4532	struct sshkey prv = NULL((void)0);
4533	BIO bio = NULL((void)0);
4534	int r;
4535
4536	if (keyp != NULL((void*)0))
4537	keyp = NULL((void)0);
4538
4539	if ((bio = BIO_new(BIO_s_mem())) == NULL((void*)0) \|\| sshbuf_len(blob) > INT_MAX2147483647)
4540	return SSH_ERR_ALLOC_FAIL-2;
4541	if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
4542	(int)sshbuf_len(blob)) {
4543	r = SSH_ERR_ALLOC_FAIL-2;
4544	goto out;
4545	}
4546
4547	clear_libcrypto_errors();
4548	if ((pk = PEM_read_bio_PrivateKey(bio, NULL((void)0), NULL((void)0),
4549	(char )passphrase)) == NULL((void)0)) {
4550	/*
4551	* libcrypto may return various ASN.1 errors when attempting
4552	* to parse a key with an incorrect passphrase.
4553	* Treat all format errors as "incorrect passphrase" if a
4554	* passphrase was supplied.
4555	*/
4556	if (passphrase != NULL((void)0) && passphrase != '\0')
4557	r = SSH_ERR_KEY_WRONG_PASSPHRASE-43;
4558	else
4559	r = convert_libcrypto_error();
4560	goto out;
4561	}
4562	if (EVP_PKEY_base_id(pk) == EVP_PKEY_RSA6 &&
4563	(type == KEY_UNSPEC \|\| type == KEY_RSA)) {
4564	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void*)0)) {
4565	r = SSH_ERR_ALLOC_FAIL-2;
4566	goto out;
4567	}
4568	prv->rsa = EVP_PKEY_get1_RSA(pk);
4569	prv->type = KEY_RSA;
4570	#ifdef DEBUG_PK
4571	RSA_print_fp(stderr(&__sF[2]), prv->rsa, 8);
4572	#endif
4573	if (RSA_blinding_on(prv->rsa, NULL((void*)0)) != 1) {
4574	r = SSH_ERR_LIBCRYPTO_ERROR-22;
4575	goto out;
4576	}
4577	if ((r = check_rsa_length(prv->rsa)) != 0)
4578	goto out;
4579	} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_DSA116 &&
4580	(type == KEY_UNSPEC \|\| type == KEY_DSA)) {
4581	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void*)0)) {
4582	r = SSH_ERR_ALLOC_FAIL-2;
4583	goto out;
4584	}
4585	prv->dsa = EVP_PKEY_get1_DSA(pk);
4586	prv->type = KEY_DSA;
4587	#ifdef DEBUG_PK
4588	DSA_print_fp(stderr(&__sF[2]), prv->dsa, 8);
4589	#endif
4590	} else if (EVP_PKEY_base_id(pk) == EVP_PKEY_EC408 &&
4591	(type == KEY_UNSPEC \|\| type == KEY_ECDSA)) {
4592	if ((prv = sshkey_new(KEY_UNSPEC)) == NULL((void*)0)) {
4593	r = SSH_ERR_ALLOC_FAIL-2;
4594	goto out;
4595	}
4596	prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
4597	prv->type = KEY_ECDSA;
4598	prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
4599	if (prv->ecdsa_nid == -1 \|\|
4600	sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL((void*)0) \|\|
4601	sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
4602	EC_KEY_get0_public_key(prv->ecdsa)) != 0 \|\|
4603	sshkey_ec_validate_private(prv->ecdsa) != 0) {
4604	r = SSH_ERR_INVALID_FORMAT-4;
4605	goto out;
4606	}
4607	#ifdef DEBUG_PK
4608	if (prv != NULL((void)0) && prv->ecdsa != NULL((void)0))
4609	sshkey_dump_ec_key(prv->ecdsa);
4610	#endif
4611	} else {
4612	r = SSH_ERR_INVALID_FORMAT-4;
4613	goto out;
4614	}
4615	r = 0;
4616	if (keyp != NULL((void*)0)) {
4617	*keyp = prv;
4618	prv = NULL((void*)0);
4619	}
4620	out:
4621	BIO_free(bio);
4622	EVP_PKEY_free(pk);
4623	sshkey_free(prv);
4624	return r;
4625	}
4626	#endif /* WITH_OPENSSL */
4627
4628	int
4629	sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
4630	const char passphrase, struct sshkey keyp, char *commentp)
4631	{
4632	int r = SSH_ERR_INTERNAL_ERROR-1;
4633
4634	if (keyp != NULL((void*)0))
4635	keyp = NULL((void)0);
4636	if (commentp != NULL((void*)0))
4637	commentp = NULL((void)0);
4638
4639	switch (type) {
4640	case KEY_ED25519:
4641	case KEY_XMSS:
4642	/* No fallback for new-format-only keys */
4643	return sshkey_parse_private2(blob, type, passphrase,
4644	keyp, commentp);
4645	default:
4646	r = sshkey_parse_private2(blob, type, passphrase, keyp,
4647	commentp);
4648	/* Only fallback to PEM parser if a format error occurred. */
4649	if (r != SSH_ERR_INVALID_FORMAT-4)
4650	return r;
4651	#ifdef WITH_OPENSSL1
4652	return sshkey_parse_private_pem_fileblob(blob, type,
4653	passphrase, keyp);
4654	#else
4655	return SSH_ERR_INVALID_FORMAT-4;
4656	#endif /* WITH_OPENSSL */
4657	}
4658	}
4659
4660	int
4661	sshkey_parse_private_fileblob(struct sshbuf buffer, const char passphrase,
4662	struct sshkey keyp, char commentp)
4663	{
4664	if (keyp != NULL((void*)0))
4665	keyp = NULL((void)0);
4666	if (commentp != NULL((void*)0))
4667	commentp = NULL((void)0);
4668
4669	return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
4670	passphrase, keyp, commentp);
4671	}
4672
4673	void
4674	sshkey_sig_details_free(struct sshkey_sig_details *details)
4675	{
4676	freezero(details, sizeof(*details));
4677	}
4678
4679	int
4680	sshkey_parse_pubkey_from_private_fileblob_type(struct sshbuf *blob, int type,
4681	struct sshkey **pubkeyp)
4682	{
4683	int r = SSH_ERR_INTERNAL_ERROR-1;
4684
4685	if (pubkeyp != NULL((void*)0))
4686	pubkeyp = NULL((void)0);
4687	/* only new-format private keys bundle a public key inside */
4688	if ((r = sshkey_parse_private2_pubkey(blob, type, pubkeyp)) != 0)
4689	return r;
4690	return 0;
4691	}
4692
4693	#ifdef WITH_XMSS
4694	/*
4695	* serialize the key with the current state and forward the state
4696	* maxsign times.
4697	*/
4698	int
4699	sshkey_private_serialize_maxsign(struct sshkey k, struct sshbuf b,
4700	u_int32_t maxsign, int printerror)
4701	{
4702	int r, rupdate;
4703
4704	if (maxsign == 0 \|\|
4705	sshkey_type_plain(k->type) != KEY_XMSS)
4706	return sshkey_private_serialize_opt(k, b,
4707	SSHKEY_SERIALIZE_DEFAULT);
4708	if ((r = sshkey_xmss_get_state(k, printerror)) != 0 \|\|
4709	(r = sshkey_private_serialize_opt(k, b,
4710	SSHKEY_SERIALIZE_STATE)) != 0 \|\|
4711	(r = sshkey_xmss_forward_state(k, maxsign)) != 0)
4712	goto out;
4713	r = 0;
4714	out:
4715	if ((rupdate = sshkey_xmss_update_state(k, printerror)) != 0) {
4716	if (r == 0)
4717	r = rupdate;
4718	}
4719	return r;
4720	}
4721
4722	u_int32_t
4723	sshkey_signatures_left(const struct sshkey *k)
4724	{
4725	if (sshkey_type_plain(k->type) == KEY_XMSS)
4726	return sshkey_xmss_signatures_left(k);
4727	return 0;
4728	}
4729
4730	int
4731	sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
4732	{
4733	if (sshkey_type_plain(k->type) != KEY_XMSS)
4734	return SSH_ERR_INVALID_ARGUMENT-10;
4735	return sshkey_xmss_enable_maxsign(k, maxsign);
4736	}
4737
4738	int
4739	sshkey_set_filename(struct sshkey k, const char filename)
4740	{
4741	if (k == NULL((void*)0))
4742	return SSH_ERR_INVALID_ARGUMENT-10;
4743	if (sshkey_type_plain(k->type) != KEY_XMSS)
4744	return 0;
4745	if (filename == NULL((void*)0))
4746	return SSH_ERR_INVALID_ARGUMENT-10;
4747	if ((k->xmss_filename = strdup(filename)) == NULL((void*)0))
4748	return SSH_ERR_ALLOC_FAIL-2;
4749	return 0;
4750	}
4751	#else
4752	int
4753	sshkey_private_serialize_maxsign(struct sshkey k, struct sshbuf b,
4754	u_int32_t maxsign, int printerror)
4755	{
4756	return sshkey_private_serialize_opt(k, b, SSHKEY_SERIALIZE_DEFAULT);
4757	}
4758
4759	u_int32_t
4760	sshkey_signatures_left(const struct sshkey *k)
4761	{
4762	return 0;
4763	}
4764
4765	int
4766	sshkey_enable_maxsign(struct sshkey *k, u_int32_t maxsign)
4767	{
4768	return SSH_ERR_INVALID_ARGUMENT-10;
4769	}
4770
4771	int
4772	sshkey_set_filename(struct sshkey k, const char filename)
4773	{
4774	if (k == NULL((void*)0))
4775	return SSH_ERR_INVALID_ARGUMENT-10;
4776	return 0;
4777	}
4778	#endif /* WITH_XMSS */