xref: /freebsd/crypto/openssh/sshkey.c (revision 396c556d77189a5c474d35cec6f44a762e310b7d)
1 /* $OpenBSD: sshkey.c,v 1.45 2017/03/10 04:07:20 djm Exp $ */
2 /*
3  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
4  * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
5  * Copyright (c) 2010,2011 Damien Miller.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26  */
27 
28 #include "includes.h"
29 
30 #include <sys/types.h>
31 #include <netinet/in.h>
32 
33 #ifdef WITH_OPENSSL
34 #include <openssl/evp.h>
35 #include <openssl/err.h>
36 #include <openssl/pem.h>
37 #endif
38 
39 #include "crypto_api.h"
40 
41 #include <errno.h>
42 #include <limits.h>
43 #include <stdio.h>
44 #include <string.h>
45 #include <resolv.h>
46 #ifdef HAVE_UTIL_H
47 #include <util.h>
48 #endif /* HAVE_UTIL_H */
49 
50 #include "ssh2.h"
51 #include "ssherr.h"
52 #include "misc.h"
53 #include "sshbuf.h"
54 #include "rsa.h"
55 #include "cipher.h"
56 #include "digest.h"
57 #define SSHKEY_INTERNAL
58 #include "sshkey.h"
59 #include "match.h"
60 
61 /* openssh private key file format */
62 #define MARK_BEGIN		"-----BEGIN OPENSSH PRIVATE KEY-----\n"
63 #define MARK_END		"-----END OPENSSH PRIVATE KEY-----\n"
64 #define MARK_BEGIN_LEN		(sizeof(MARK_BEGIN) - 1)
65 #define MARK_END_LEN		(sizeof(MARK_END) - 1)
66 #define KDFNAME			"bcrypt"
67 #define AUTH_MAGIC		"openssh-key-v1"
68 #define SALT_LEN		16
69 #define DEFAULT_CIPHERNAME	"aes256-cbc"
70 #define	DEFAULT_ROUNDS		16
71 
72 /* Version identification string for SSH v1 identity files. */
73 #define LEGACY_BEGIN		"SSH PRIVATE KEY FILE FORMAT 1.1\n"
74 
75 static int sshkey_from_blob_internal(struct sshbuf *buf,
76     struct sshkey **keyp, int allow_cert);
77 
78 /* Supported key types */
79 struct keytype {
80 	const char *name;
81 	const char *shortname;
82 	int type;
83 	int nid;
84 	int cert;
85 	int sigonly;
86 };
87 static const struct keytype keytypes[] = {
88 	{ "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0, 0 },
89 	{ "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
90 	    KEY_ED25519_CERT, 0, 1, 0 },
91 #ifdef WITH_OPENSSL
92 # ifdef WITH_SSH1
93 	{ NULL, "RSA1", KEY_RSA1, 0, 0, 0 },
94 # endif
95 	{ "ssh-rsa", "RSA", KEY_RSA, 0, 0, 0 },
96 	{ "rsa-sha2-256", "RSA", KEY_RSA, 0, 0, 1 },
97 	{ "rsa-sha2-512", "RSA", KEY_RSA, 0, 0, 1 },
98 	{ "ssh-dss", "DSA", KEY_DSA, 0, 0, 0 },
99 # ifdef OPENSSL_HAS_ECC
100 	{ "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0, 0 },
101 	{ "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0, 0 },
102 #  ifdef OPENSSL_HAS_NISTP521
103 	{ "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0, 0 },
104 #  endif /* OPENSSL_HAS_NISTP521 */
105 # endif /* OPENSSL_HAS_ECC */
106 	{ "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1, 0 },
107 	{ "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1, 0 },
108 # ifdef OPENSSL_HAS_ECC
109 	{ "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
110 	    KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1, 0 },
111 	{ "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
112 	    KEY_ECDSA_CERT, NID_secp384r1, 1, 0 },
113 #  ifdef OPENSSL_HAS_NISTP521
114 	{ "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
115 	    KEY_ECDSA_CERT, NID_secp521r1, 1, 0 },
116 #  endif /* OPENSSL_HAS_NISTP521 */
117 # endif /* OPENSSL_HAS_ECC */
118 #endif /* WITH_OPENSSL */
119 	{ NULL, NULL, -1, -1, 0, 0 }
120 };
121 
122 const char *
123 sshkey_type(const struct sshkey *k)
124 {
125 	const struct keytype *kt;
126 
127 	for (kt = keytypes; kt->type != -1; kt++) {
128 		if (kt->type == k->type)
129 			return kt->shortname;
130 	}
131 	return "unknown";
132 }
133 
134 static const char *
135 sshkey_ssh_name_from_type_nid(int type, int nid)
136 {
137 	const struct keytype *kt;
138 
139 	for (kt = keytypes; kt->type != -1; kt++) {
140 		if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
141 			return kt->name;
142 	}
143 	return "ssh-unknown";
144 }
145 
146 int
147 sshkey_type_is_cert(int type)
148 {
149 	const struct keytype *kt;
150 
151 	for (kt = keytypes; kt->type != -1; kt++) {
152 		if (kt->type == type)
153 			return kt->cert;
154 	}
155 	return 0;
156 }
157 
158 const char *
159 sshkey_ssh_name(const struct sshkey *k)
160 {
161 	return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
162 }
163 
164 const char *
165 sshkey_ssh_name_plain(const struct sshkey *k)
166 {
167 	return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
168 	    k->ecdsa_nid);
169 }
170 
171 int
172 sshkey_type_from_name(const char *name)
173 {
174 	const struct keytype *kt;
175 
176 	for (kt = keytypes; kt->type != -1; kt++) {
177 		/* Only allow shortname matches for plain key types */
178 		if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
179 		    (!kt->cert && strcasecmp(kt->shortname, name) == 0))
180 			return kt->type;
181 	}
182 	return KEY_UNSPEC;
183 }
184 
185 int
186 sshkey_ecdsa_nid_from_name(const char *name)
187 {
188 	const struct keytype *kt;
189 
190 	for (kt = keytypes; kt->type != -1; kt++) {
191 		if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
192 			continue;
193 		if (kt->name != NULL && strcmp(name, kt->name) == 0)
194 			return kt->nid;
195 	}
196 	return -1;
197 }
198 
199 char *
200 sshkey_alg_list(int certs_only, int plain_only, int include_sigonly, char sep)
201 {
202 	char *tmp, *ret = NULL;
203 	size_t nlen, rlen = 0;
204 	const struct keytype *kt;
205 
206 	for (kt = keytypes; kt->type != -1; kt++) {
207 		if (kt->name == NULL)
208 			continue;
209 		if (!include_sigonly && kt->sigonly)
210 			continue;
211 		if ((certs_only && !kt->cert) || (plain_only && kt->cert))
212 			continue;
213 		if (ret != NULL)
214 			ret[rlen++] = sep;
215 		nlen = strlen(kt->name);
216 		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
217 			free(ret);
218 			return NULL;
219 		}
220 		ret = tmp;
221 		memcpy(ret + rlen, kt->name, nlen + 1);
222 		rlen += nlen;
223 	}
224 	return ret;
225 }
226 
227 int
228 sshkey_names_valid2(const char *names, int allow_wildcard)
229 {
230 	char *s, *cp, *p;
231 	const struct keytype *kt;
232 	int type;
233 
234 	if (names == NULL || strcmp(names, "") == 0)
235 		return 0;
236 	if ((s = cp = strdup(names)) == NULL)
237 		return 0;
238 	for ((p = strsep(&cp, ",")); p && *p != '\0';
239 	    (p = strsep(&cp, ","))) {
240 		type = sshkey_type_from_name(p);
241 		if (type == KEY_RSA1) {
242 			free(s);
243 			return 0;
244 		}
245 		if (type == KEY_UNSPEC) {
246 			if (allow_wildcard) {
247 				/*
248 				 * Try matching key types against the string.
249 				 * If any has a positive or negative match then
250 				 * the component is accepted.
251 				 */
252 				for (kt = keytypes; kt->type != -1; kt++) {
253 					if (kt->type == KEY_RSA1)
254 						continue;
255 					if (match_pattern_list(kt->name,
256 					    p, 0) != 0)
257 						break;
258 				}
259 				if (kt->type != -1)
260 					continue;
261 			}
262 			free(s);
263 			return 0;
264 		}
265 	}
266 	free(s);
267 	return 1;
268 }
269 
270 u_int
271 sshkey_size(const struct sshkey *k)
272 {
273 	switch (k->type) {
274 #ifdef WITH_OPENSSL
275 	case KEY_RSA1:
276 	case KEY_RSA:
277 	case KEY_RSA_CERT:
278 		return BN_num_bits(k->rsa->n);
279 	case KEY_DSA:
280 	case KEY_DSA_CERT:
281 		return BN_num_bits(k->dsa->p);
282 	case KEY_ECDSA:
283 	case KEY_ECDSA_CERT:
284 		return sshkey_curve_nid_to_bits(k->ecdsa_nid);
285 #endif /* WITH_OPENSSL */
286 	case KEY_ED25519:
287 	case KEY_ED25519_CERT:
288 		return 256;	/* XXX */
289 	}
290 	return 0;
291 }
292 
293 static int
294 sshkey_type_is_valid_ca(int type)
295 {
296 	switch (type) {
297 	case KEY_RSA:
298 	case KEY_DSA:
299 	case KEY_ECDSA:
300 	case KEY_ED25519:
301 		return 1;
302 	default:
303 		return 0;
304 	}
305 }
306 
307 int
308 sshkey_is_cert(const struct sshkey *k)
309 {
310 	if (k == NULL)
311 		return 0;
312 	return sshkey_type_is_cert(k->type);
313 }
314 
315 /* Return the cert-less equivalent to a certified key type */
316 int
317 sshkey_type_plain(int type)
318 {
319 	switch (type) {
320 	case KEY_RSA_CERT:
321 		return KEY_RSA;
322 	case KEY_DSA_CERT:
323 		return KEY_DSA;
324 	case KEY_ECDSA_CERT:
325 		return KEY_ECDSA;
326 	case KEY_ED25519_CERT:
327 		return KEY_ED25519;
328 	default:
329 		return type;
330 	}
331 }
332 
333 #ifdef WITH_OPENSSL
334 /* XXX: these are really begging for a table-driven approach */
335 int
336 sshkey_curve_name_to_nid(const char *name)
337 {
338 	if (strcmp(name, "nistp256") == 0)
339 		return NID_X9_62_prime256v1;
340 	else if (strcmp(name, "nistp384") == 0)
341 		return NID_secp384r1;
342 # ifdef OPENSSL_HAS_NISTP521
343 	else if (strcmp(name, "nistp521") == 0)
344 		return NID_secp521r1;
345 # endif /* OPENSSL_HAS_NISTP521 */
346 	else
347 		return -1;
348 }
349 
350 u_int
351 sshkey_curve_nid_to_bits(int nid)
352 {
353 	switch (nid) {
354 	case NID_X9_62_prime256v1:
355 		return 256;
356 	case NID_secp384r1:
357 		return 384;
358 # ifdef OPENSSL_HAS_NISTP521
359 	case NID_secp521r1:
360 		return 521;
361 # endif /* OPENSSL_HAS_NISTP521 */
362 	default:
363 		return 0;
364 	}
365 }
366 
367 int
368 sshkey_ecdsa_bits_to_nid(int bits)
369 {
370 	switch (bits) {
371 	case 256:
372 		return NID_X9_62_prime256v1;
373 	case 384:
374 		return NID_secp384r1;
375 # ifdef OPENSSL_HAS_NISTP521
376 	case 521:
377 		return NID_secp521r1;
378 # endif /* OPENSSL_HAS_NISTP521 */
379 	default:
380 		return -1;
381 	}
382 }
383 
384 const char *
385 sshkey_curve_nid_to_name(int nid)
386 {
387 	switch (nid) {
388 	case NID_X9_62_prime256v1:
389 		return "nistp256";
390 	case NID_secp384r1:
391 		return "nistp384";
392 # ifdef OPENSSL_HAS_NISTP521
393 	case NID_secp521r1:
394 		return "nistp521";
395 # endif /* OPENSSL_HAS_NISTP521 */
396 	default:
397 		return NULL;
398 	}
399 }
400 
401 int
402 sshkey_ec_nid_to_hash_alg(int nid)
403 {
404 	int kbits = sshkey_curve_nid_to_bits(nid);
405 
406 	if (kbits <= 0)
407 		return -1;
408 
409 	/* RFC5656 section 6.2.1 */
410 	if (kbits <= 256)
411 		return SSH_DIGEST_SHA256;
412 	else if (kbits <= 384)
413 		return SSH_DIGEST_SHA384;
414 	else
415 		return SSH_DIGEST_SHA512;
416 }
417 #endif /* WITH_OPENSSL */
418 
419 static void
420 cert_free(struct sshkey_cert *cert)
421 {
422 	u_int i;
423 
424 	if (cert == NULL)
425 		return;
426 	sshbuf_free(cert->certblob);
427 	sshbuf_free(cert->critical);
428 	sshbuf_free(cert->extensions);
429 	free(cert->key_id);
430 	for (i = 0; i < cert->nprincipals; i++)
431 		free(cert->principals[i]);
432 	free(cert->principals);
433 	sshkey_free(cert->signature_key);
434 	explicit_bzero(cert, sizeof(*cert));
435 	free(cert);
436 }
437 
438 static struct sshkey_cert *
439 cert_new(void)
440 {
441 	struct sshkey_cert *cert;
442 
443 	if ((cert = calloc(1, sizeof(*cert))) == NULL)
444 		return NULL;
445 	if ((cert->certblob = sshbuf_new()) == NULL ||
446 	    (cert->critical = sshbuf_new()) == NULL ||
447 	    (cert->extensions = sshbuf_new()) == NULL) {
448 		cert_free(cert);
449 		return NULL;
450 	}
451 	cert->key_id = NULL;
452 	cert->principals = NULL;
453 	cert->signature_key = NULL;
454 	return cert;
455 }
456 
457 struct sshkey *
458 sshkey_new(int type)
459 {
460 	struct sshkey *k;
461 #ifdef WITH_OPENSSL
462 	RSA *rsa;
463 	DSA *dsa;
464 #endif /* WITH_OPENSSL */
465 
466 	if ((k = calloc(1, sizeof(*k))) == NULL)
467 		return NULL;
468 	k->type = type;
469 	k->ecdsa = NULL;
470 	k->ecdsa_nid = -1;
471 	k->dsa = NULL;
472 	k->rsa = NULL;
473 	k->cert = NULL;
474 	k->ed25519_sk = NULL;
475 	k->ed25519_pk = NULL;
476 	switch (k->type) {
477 #ifdef WITH_OPENSSL
478 	case KEY_RSA1:
479 	case KEY_RSA:
480 	case KEY_RSA_CERT:
481 		if ((rsa = RSA_new()) == NULL ||
482 		    (rsa->n = BN_new()) == NULL ||
483 		    (rsa->e = BN_new()) == NULL) {
484 			if (rsa != NULL)
485 				RSA_free(rsa);
486 			free(k);
487 			return NULL;
488 		}
489 		k->rsa = rsa;
490 		break;
491 	case KEY_DSA:
492 	case KEY_DSA_CERT:
493 		if ((dsa = DSA_new()) == NULL ||
494 		    (dsa->p = BN_new()) == NULL ||
495 		    (dsa->q = BN_new()) == NULL ||
496 		    (dsa->g = BN_new()) == NULL ||
497 		    (dsa->pub_key = BN_new()) == NULL) {
498 			if (dsa != NULL)
499 				DSA_free(dsa);
500 			free(k);
501 			return NULL;
502 		}
503 		k->dsa = dsa;
504 		break;
505 	case KEY_ECDSA:
506 	case KEY_ECDSA_CERT:
507 		/* Cannot do anything until we know the group */
508 		break;
509 #endif /* WITH_OPENSSL */
510 	case KEY_ED25519:
511 	case KEY_ED25519_CERT:
512 		/* no need to prealloc */
513 		break;
514 	case KEY_UNSPEC:
515 		break;
516 	default:
517 		free(k);
518 		return NULL;
519 	}
520 
521 	if (sshkey_is_cert(k)) {
522 		if ((k->cert = cert_new()) == NULL) {
523 			sshkey_free(k);
524 			return NULL;
525 		}
526 	}
527 
528 	return k;
529 }
530 
531 int
532 sshkey_add_private(struct sshkey *k)
533 {
534 	switch (k->type) {
535 #ifdef WITH_OPENSSL
536 	case KEY_RSA1:
537 	case KEY_RSA:
538 	case KEY_RSA_CERT:
539 #define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
540 		if (bn_maybe_alloc_failed(k->rsa->d) ||
541 		    bn_maybe_alloc_failed(k->rsa->iqmp) ||
542 		    bn_maybe_alloc_failed(k->rsa->q) ||
543 		    bn_maybe_alloc_failed(k->rsa->p) ||
544 		    bn_maybe_alloc_failed(k->rsa->dmq1) ||
545 		    bn_maybe_alloc_failed(k->rsa->dmp1))
546 			return SSH_ERR_ALLOC_FAIL;
547 		break;
548 	case KEY_DSA:
549 	case KEY_DSA_CERT:
550 		if (bn_maybe_alloc_failed(k->dsa->priv_key))
551 			return SSH_ERR_ALLOC_FAIL;
552 		break;
553 #undef bn_maybe_alloc_failed
554 	case KEY_ECDSA:
555 	case KEY_ECDSA_CERT:
556 		/* Cannot do anything until we know the group */
557 		break;
558 #endif /* WITH_OPENSSL */
559 	case KEY_ED25519:
560 	case KEY_ED25519_CERT:
561 		/* no need to prealloc */
562 		break;
563 	case KEY_UNSPEC:
564 		break;
565 	default:
566 		return SSH_ERR_INVALID_ARGUMENT;
567 	}
568 	return 0;
569 }
570 
571 struct sshkey *
572 sshkey_new_private(int type)
573 {
574 	struct sshkey *k = sshkey_new(type);
575 
576 	if (k == NULL)
577 		return NULL;
578 	if (sshkey_add_private(k) != 0) {
579 		sshkey_free(k);
580 		return NULL;
581 	}
582 	return k;
583 }
584 
585 void
586 sshkey_free(struct sshkey *k)
587 {
588 	if (k == NULL)
589 		return;
590 	switch (k->type) {
591 #ifdef WITH_OPENSSL
592 	case KEY_RSA1:
593 	case KEY_RSA:
594 	case KEY_RSA_CERT:
595 		if (k->rsa != NULL)
596 			RSA_free(k->rsa);
597 		k->rsa = NULL;
598 		break;
599 	case KEY_DSA:
600 	case KEY_DSA_CERT:
601 		if (k->dsa != NULL)
602 			DSA_free(k->dsa);
603 		k->dsa = NULL;
604 		break;
605 # ifdef OPENSSL_HAS_ECC
606 	case KEY_ECDSA:
607 	case KEY_ECDSA_CERT:
608 		if (k->ecdsa != NULL)
609 			EC_KEY_free(k->ecdsa);
610 		k->ecdsa = NULL;
611 		break;
612 # endif /* OPENSSL_HAS_ECC */
613 #endif /* WITH_OPENSSL */
614 	case KEY_ED25519:
615 	case KEY_ED25519_CERT:
616 		if (k->ed25519_pk) {
617 			explicit_bzero(k->ed25519_pk, ED25519_PK_SZ);
618 			free(k->ed25519_pk);
619 			k->ed25519_pk = NULL;
620 		}
621 		if (k->ed25519_sk) {
622 			explicit_bzero(k->ed25519_sk, ED25519_SK_SZ);
623 			free(k->ed25519_sk);
624 			k->ed25519_sk = NULL;
625 		}
626 		break;
627 	case KEY_UNSPEC:
628 		break;
629 	default:
630 		break;
631 	}
632 	if (sshkey_is_cert(k))
633 		cert_free(k->cert);
634 	explicit_bzero(k, sizeof(*k));
635 	free(k);
636 }
637 
638 static int
639 cert_compare(struct sshkey_cert *a, struct sshkey_cert *b)
640 {
641 	if (a == NULL && b == NULL)
642 		return 1;
643 	if (a == NULL || b == NULL)
644 		return 0;
645 	if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
646 		return 0;
647 	if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
648 	    sshbuf_len(a->certblob)) != 0)
649 		return 0;
650 	return 1;
651 }
652 
653 /*
654  * Compare public portions of key only, allowing comparisons between
655  * certificates and plain keys too.
656  */
657 int
658 sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
659 {
660 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
661 	BN_CTX *bnctx;
662 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
663 
664 	if (a == NULL || b == NULL ||
665 	    sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
666 		return 0;
667 
668 	switch (a->type) {
669 #ifdef WITH_OPENSSL
670 	case KEY_RSA1:
671 	case KEY_RSA_CERT:
672 	case KEY_RSA:
673 		return a->rsa != NULL && b->rsa != NULL &&
674 		    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
675 		    BN_cmp(a->rsa->n, b->rsa->n) == 0;
676 	case KEY_DSA_CERT:
677 	case KEY_DSA:
678 		return a->dsa != NULL && b->dsa != NULL &&
679 		    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
680 		    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
681 		    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
682 		    BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
683 # ifdef OPENSSL_HAS_ECC
684 	case KEY_ECDSA_CERT:
685 	case KEY_ECDSA:
686 		if (a->ecdsa == NULL || b->ecdsa == NULL ||
687 		    EC_KEY_get0_public_key(a->ecdsa) == NULL ||
688 		    EC_KEY_get0_public_key(b->ecdsa) == NULL)
689 			return 0;
690 		if ((bnctx = BN_CTX_new()) == NULL)
691 			return 0;
692 		if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
693 		    EC_KEY_get0_group(b->ecdsa), bnctx) != 0 ||
694 		    EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
695 		    EC_KEY_get0_public_key(a->ecdsa),
696 		    EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
697 			BN_CTX_free(bnctx);
698 			return 0;
699 		}
700 		BN_CTX_free(bnctx);
701 		return 1;
702 # endif /* OPENSSL_HAS_ECC */
703 #endif /* WITH_OPENSSL */
704 	case KEY_ED25519:
705 	case KEY_ED25519_CERT:
706 		return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
707 		    memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
708 	default:
709 		return 0;
710 	}
711 	/* NOTREACHED */
712 }
713 
714 int
715 sshkey_equal(const struct sshkey *a, const struct sshkey *b)
716 {
717 	if (a == NULL || b == NULL || a->type != b->type)
718 		return 0;
719 	if (sshkey_is_cert(a)) {
720 		if (!cert_compare(a->cert, b->cert))
721 			return 0;
722 	}
723 	return sshkey_equal_public(a, b);
724 }
725 
726 static int
727 to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain)
728 {
729 	int type, ret = SSH_ERR_INTERNAL_ERROR;
730 	const char *typename;
731 
732 	if (key == NULL)
733 		return SSH_ERR_INVALID_ARGUMENT;
734 
735 	if (sshkey_is_cert(key)) {
736 		if (key->cert == NULL)
737 			return SSH_ERR_EXPECTED_CERT;
738 		if (sshbuf_len(key->cert->certblob) == 0)
739 			return SSH_ERR_KEY_LACKS_CERTBLOB;
740 	}
741 	type = force_plain ? sshkey_type_plain(key->type) : key->type;
742 	typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
743 
744 	switch (type) {
745 #ifdef WITH_OPENSSL
746 	case KEY_DSA_CERT:
747 	case KEY_ECDSA_CERT:
748 	case KEY_RSA_CERT:
749 #endif /* WITH_OPENSSL */
750 	case KEY_ED25519_CERT:
751 		/* Use the existing blob */
752 		/* XXX modified flag? */
753 		if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
754 			return ret;
755 		break;
756 #ifdef WITH_OPENSSL
757 	case KEY_DSA:
758 		if (key->dsa == NULL)
759 			return SSH_ERR_INVALID_ARGUMENT;
760 		if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
761 		    (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 ||
762 		    (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 ||
763 		    (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 ||
764 		    (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0)
765 			return ret;
766 		break;
767 # ifdef OPENSSL_HAS_ECC
768 	case KEY_ECDSA:
769 		if (key->ecdsa == NULL)
770 			return SSH_ERR_INVALID_ARGUMENT;
771 		if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
772 		    (ret = sshbuf_put_cstring(b,
773 		    sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
774 		    (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0)
775 			return ret;
776 		break;
777 # endif
778 	case KEY_RSA:
779 		if (key->rsa == NULL)
780 			return SSH_ERR_INVALID_ARGUMENT;
781 		if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
782 		    (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 ||
783 		    (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0)
784 			return ret;
785 		break;
786 #endif /* WITH_OPENSSL */
787 	case KEY_ED25519:
788 		if (key->ed25519_pk == NULL)
789 			return SSH_ERR_INVALID_ARGUMENT;
790 		if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
791 		    (ret = sshbuf_put_string(b,
792 		    key->ed25519_pk, ED25519_PK_SZ)) != 0)
793 			return ret;
794 		break;
795 	default:
796 		return SSH_ERR_KEY_TYPE_UNKNOWN;
797 	}
798 	return 0;
799 }
800 
801 int
802 sshkey_putb(const struct sshkey *key, struct sshbuf *b)
803 {
804 	return to_blob_buf(key, b, 0);
805 }
806 
807 int
808 sshkey_puts(const struct sshkey *key, struct sshbuf *b)
809 {
810 	struct sshbuf *tmp;
811 	int r;
812 
813 	if ((tmp = sshbuf_new()) == NULL)
814 		return SSH_ERR_ALLOC_FAIL;
815 	r = to_blob_buf(key, tmp, 0);
816 	if (r == 0)
817 		r = sshbuf_put_stringb(b, tmp);
818 	sshbuf_free(tmp);
819 	return r;
820 }
821 
822 int
823 sshkey_putb_plain(const struct sshkey *key, struct sshbuf *b)
824 {
825 	return to_blob_buf(key, b, 1);
826 }
827 
828 static int
829 to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain)
830 {
831 	int ret = SSH_ERR_INTERNAL_ERROR;
832 	size_t len;
833 	struct sshbuf *b = NULL;
834 
835 	if (lenp != NULL)
836 		*lenp = 0;
837 	if (blobp != NULL)
838 		*blobp = NULL;
839 	if ((b = sshbuf_new()) == NULL)
840 		return SSH_ERR_ALLOC_FAIL;
841 	if ((ret = to_blob_buf(key, b, force_plain)) != 0)
842 		goto out;
843 	len = sshbuf_len(b);
844 	if (lenp != NULL)
845 		*lenp = len;
846 	if (blobp != NULL) {
847 		if ((*blobp = malloc(len)) == NULL) {
848 			ret = SSH_ERR_ALLOC_FAIL;
849 			goto out;
850 		}
851 		memcpy(*blobp, sshbuf_ptr(b), len);
852 	}
853 	ret = 0;
854  out:
855 	sshbuf_free(b);
856 	return ret;
857 }
858 
859 int
860 sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
861 {
862 	return to_blob(key, blobp, lenp, 0);
863 }
864 
865 int
866 sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
867 {
868 	return to_blob(key, blobp, lenp, 1);
869 }
870 
871 int
872 sshkey_fingerprint_raw(const struct sshkey *k, int dgst_alg,
873     u_char **retp, size_t *lenp)
874 {
875 	u_char *blob = NULL, *ret = NULL;
876 	size_t blob_len = 0;
877 	int r = SSH_ERR_INTERNAL_ERROR;
878 
879 	if (retp != NULL)
880 		*retp = NULL;
881 	if (lenp != NULL)
882 		*lenp = 0;
883 	if (ssh_digest_bytes(dgst_alg) == 0) {
884 		r = SSH_ERR_INVALID_ARGUMENT;
885 		goto out;
886 	}
887 
888 	if (k->type == KEY_RSA1) {
889 #ifdef WITH_OPENSSL
890 		int nlen = BN_num_bytes(k->rsa->n);
891 		int elen = BN_num_bytes(k->rsa->e);
892 
893 		if (nlen < 0 || elen < 0 || nlen >= INT_MAX - elen) {
894 			r = SSH_ERR_INVALID_FORMAT;
895 			goto out;
896 		}
897 		blob_len = nlen + elen;
898 		if ((blob = malloc(blob_len)) == NULL) {
899 			r = SSH_ERR_ALLOC_FAIL;
900 			goto out;
901 		}
902 		BN_bn2bin(k->rsa->n, blob);
903 		BN_bn2bin(k->rsa->e, blob + nlen);
904 #endif /* WITH_OPENSSL */
905 	} else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0)
906 		goto out;
907 	if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
908 		r = SSH_ERR_ALLOC_FAIL;
909 		goto out;
910 	}
911 	if ((r = ssh_digest_memory(dgst_alg, blob, blob_len,
912 	    ret, SSH_DIGEST_MAX_LENGTH)) != 0)
913 		goto out;
914 	/* success */
915 	if (retp != NULL) {
916 		*retp = ret;
917 		ret = NULL;
918 	}
919 	if (lenp != NULL)
920 		*lenp = ssh_digest_bytes(dgst_alg);
921 	r = 0;
922  out:
923 	free(ret);
924 	if (blob != NULL) {
925 		explicit_bzero(blob, blob_len);
926 		free(blob);
927 	}
928 	return r;
929 }
930 
931 static char *
932 fingerprint_b64(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
933 {
934 	char *ret;
935 	size_t plen = strlen(alg) + 1;
936 	size_t rlen = ((dgst_raw_len + 2) / 3) * 4 + plen + 1;
937 	int r;
938 
939 	if (dgst_raw_len > 65536 || (ret = calloc(1, rlen)) == NULL)
940 		return NULL;
941 	strlcpy(ret, alg, rlen);
942 	strlcat(ret, ":", rlen);
943 	if (dgst_raw_len == 0)
944 		return ret;
945 	if ((r = b64_ntop(dgst_raw, dgst_raw_len,
946 	    ret + plen, rlen - plen)) == -1) {
947 		explicit_bzero(ret, rlen);
948 		free(ret);
949 		return NULL;
950 	}
951 	/* Trim padding characters from end */
952 	ret[strcspn(ret, "=")] = '\0';
953 	return ret;
954 }
955 
956 static char *
957 fingerprint_hex(const char *alg, u_char *dgst_raw, size_t dgst_raw_len)
958 {
959 	char *retval, hex[5];
960 	size_t i, rlen = dgst_raw_len * 3 + strlen(alg) + 2;
961 
962 	if (dgst_raw_len > 65536 || (retval = calloc(1, rlen)) == NULL)
963 		return NULL;
964 	strlcpy(retval, alg, rlen);
965 	strlcat(retval, ":", rlen);
966 	for (i = 0; i < dgst_raw_len; i++) {
967 		snprintf(hex, sizeof(hex), "%s%02x",
968 		    i > 0 ? ":" : "", dgst_raw[i]);
969 		strlcat(retval, hex, rlen);
970 	}
971 	return retval;
972 }
973 
974 static char *
975 fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
976 {
977 	char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
978 	char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
979 	    'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
980 	u_int i, j = 0, rounds, seed = 1;
981 	char *retval;
982 
983 	rounds = (dgst_raw_len / 2) + 1;
984 	if ((retval = calloc(rounds, 6)) == NULL)
985 		return NULL;
986 	retval[j++] = 'x';
987 	for (i = 0; i < rounds; i++) {
988 		u_int idx0, idx1, idx2, idx3, idx4;
989 		if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
990 			idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
991 			    seed) % 6;
992 			idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
993 			idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
994 			    (seed / 6)) % 6;
995 			retval[j++] = vowels[idx0];
996 			retval[j++] = consonants[idx1];
997 			retval[j++] = vowels[idx2];
998 			if ((i + 1) < rounds) {
999 				idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
1000 				idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
1001 				retval[j++] = consonants[idx3];
1002 				retval[j++] = '-';
1003 				retval[j++] = consonants[idx4];
1004 				seed = ((seed * 5) +
1005 				    ((((u_int)(dgst_raw[2 * i])) * 7) +
1006 				    ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
1007 			}
1008 		} else {
1009 			idx0 = seed % 6;
1010 			idx1 = 16;
1011 			idx2 = seed / 6;
1012 			retval[j++] = vowels[idx0];
1013 			retval[j++] = consonants[idx1];
1014 			retval[j++] = vowels[idx2];
1015 		}
1016 	}
1017 	retval[j++] = 'x';
1018 	retval[j++] = '\0';
1019 	return retval;
1020 }
1021 
1022 /*
1023  * Draw an ASCII-Art representing the fingerprint so human brain can
1024  * profit from its built-in pattern recognition ability.
1025  * This technique is called "random art" and can be found in some
1026  * scientific publications like this original paper:
1027  *
1028  * "Hash Visualization: a New Technique to improve Real-World Security",
1029  * Perrig A. and Song D., 1999, International Workshop on Cryptographic
1030  * Techniques and E-Commerce (CrypTEC '99)
1031  * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
1032  *
1033  * The subject came up in a talk by Dan Kaminsky, too.
1034  *
1035  * If you see the picture is different, the key is different.
1036  * If the picture looks the same, you still know nothing.
1037  *
1038  * The algorithm used here is a worm crawling over a discrete plane,
1039  * leaving a trace (augmenting the field) everywhere it goes.
1040  * Movement is taken from dgst_raw 2bit-wise.  Bumping into walls
1041  * makes the respective movement vector be ignored for this turn.
1042  * Graphs are not unambiguous, because circles in graphs can be
1043  * walked in either direction.
1044  */
1045 
1046 /*
1047  * Field sizes for the random art.  Have to be odd, so the starting point
1048  * can be in the exact middle of the picture, and FLDBASE should be >=8 .
1049  * Else pictures would be too dense, and drawing the frame would
1050  * fail, too, because the key type would not fit in anymore.
1051  */
1052 #define	FLDBASE		8
1053 #define	FLDSIZE_Y	(FLDBASE + 1)
1054 #define	FLDSIZE_X	(FLDBASE * 2 + 1)
1055 static char *
1056 fingerprint_randomart(const char *alg, u_char *dgst_raw, size_t dgst_raw_len,
1057     const struct sshkey *k)
1058 {
1059 	/*
1060 	 * Chars to be used after each other every time the worm
1061 	 * intersects with itself.  Matter of taste.
1062 	 */
1063 	char	*augmentation_string = " .o+=*BOX@%&#/^SE";
1064 	char	*retval, *p, title[FLDSIZE_X], hash[FLDSIZE_X];
1065 	u_char	 field[FLDSIZE_X][FLDSIZE_Y];
1066 	size_t	 i, tlen, hlen;
1067 	u_int	 b;
1068 	int	 x, y, r;
1069 	size_t	 len = strlen(augmentation_string) - 1;
1070 
1071 	if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL)
1072 		return NULL;
1073 
1074 	/* initialize field */
1075 	memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
1076 	x = FLDSIZE_X / 2;
1077 	y = FLDSIZE_Y / 2;
1078 
1079 	/* process raw key */
1080 	for (i = 0; i < dgst_raw_len; i++) {
1081 		int input;
1082 		/* each byte conveys four 2-bit move commands */
1083 		input = dgst_raw[i];
1084 		for (b = 0; b < 4; b++) {
1085 			/* evaluate 2 bit, rest is shifted later */
1086 			x += (input & 0x1) ? 1 : -1;
1087 			y += (input & 0x2) ? 1 : -1;
1088 
1089 			/* assure we are still in bounds */
1090 			x = MAXIMUM(x, 0);
1091 			y = MAXIMUM(y, 0);
1092 			x = MINIMUM(x, FLDSIZE_X - 1);
1093 			y = MINIMUM(y, FLDSIZE_Y - 1);
1094 
1095 			/* augment the field */
1096 			if (field[x][y] < len - 2)
1097 				field[x][y]++;
1098 			input = input >> 2;
1099 		}
1100 	}
1101 
1102 	/* mark starting point and end point*/
1103 	field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
1104 	field[x][y] = len;
1105 
1106 	/* assemble title */
1107 	r = snprintf(title, sizeof(title), "[%s %u]",
1108 		sshkey_type(k), sshkey_size(k));
1109 	/* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
1110 	if (r < 0 || r > (int)sizeof(title))
1111 		r = snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
1112 	tlen = (r <= 0) ? 0 : strlen(title);
1113 
1114 	/* assemble hash ID. */
1115 	r = snprintf(hash, sizeof(hash), "[%s]", alg);
1116 	hlen = (r <= 0) ? 0 : strlen(hash);
1117 
1118 	/* output upper border */
1119 	p = retval;
1120 	*p++ = '+';
1121 	for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++)
1122 		*p++ = '-';
1123 	memcpy(p, title, tlen);
1124 	p += tlen;
1125 	for (i += tlen; i < FLDSIZE_X; i++)
1126 		*p++ = '-';
1127 	*p++ = '+';
1128 	*p++ = '\n';
1129 
1130 	/* output content */
1131 	for (y = 0; y < FLDSIZE_Y; y++) {
1132 		*p++ = '|';
1133 		for (x = 0; x < FLDSIZE_X; x++)
1134 			*p++ = augmentation_string[MINIMUM(field[x][y], len)];
1135 		*p++ = '|';
1136 		*p++ = '\n';
1137 	}
1138 
1139 	/* output lower border */
1140 	*p++ = '+';
1141 	for (i = 0; i < (FLDSIZE_X - hlen) / 2; i++)
1142 		*p++ = '-';
1143 	memcpy(p, hash, hlen);
1144 	p += hlen;
1145 	for (i += hlen; i < FLDSIZE_X; i++)
1146 		*p++ = '-';
1147 	*p++ = '+';
1148 
1149 	return retval;
1150 }
1151 
1152 char *
1153 sshkey_fingerprint(const struct sshkey *k, int dgst_alg,
1154     enum sshkey_fp_rep dgst_rep)
1155 {
1156 	char *retval = NULL;
1157 	u_char *dgst_raw;
1158 	size_t dgst_raw_len;
1159 
1160 	if (sshkey_fingerprint_raw(k, dgst_alg, &dgst_raw, &dgst_raw_len) != 0)
1161 		return NULL;
1162 	switch (dgst_rep) {
1163 	case SSH_FP_DEFAULT:
1164 		if (dgst_alg == SSH_DIGEST_MD5) {
1165 			retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
1166 			    dgst_raw, dgst_raw_len);
1167 		} else {
1168 			retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
1169 			    dgst_raw, dgst_raw_len);
1170 		}
1171 		break;
1172 	case SSH_FP_HEX:
1173 		retval = fingerprint_hex(ssh_digest_alg_name(dgst_alg),
1174 		    dgst_raw, dgst_raw_len);
1175 		break;
1176 	case SSH_FP_BASE64:
1177 		retval = fingerprint_b64(ssh_digest_alg_name(dgst_alg),
1178 		    dgst_raw, dgst_raw_len);
1179 		break;
1180 	case SSH_FP_BUBBLEBABBLE:
1181 		retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
1182 		break;
1183 	case SSH_FP_RANDOMART:
1184 		retval = fingerprint_randomart(ssh_digest_alg_name(dgst_alg),
1185 		    dgst_raw, dgst_raw_len, k);
1186 		break;
1187 	default:
1188 		explicit_bzero(dgst_raw, dgst_raw_len);
1189 		free(dgst_raw);
1190 		return NULL;
1191 	}
1192 	explicit_bzero(dgst_raw, dgst_raw_len);
1193 	free(dgst_raw);
1194 	return retval;
1195 }
1196 
1197 #ifdef WITH_SSH1
1198 /*
1199  * Reads a multiple-precision integer in decimal from the buffer, and advances
1200  * the pointer.  The integer must already be initialized.  This function is
1201  * permitted to modify the buffer.  This leaves *cpp to point just beyond the
1202  * last processed character.
1203  */
1204 static int
1205 read_decimal_bignum(char **cpp, BIGNUM *v)
1206 {
1207 	char *cp;
1208 	size_t e;
1209 	int skip = 1;	/* skip white space */
1210 
1211 	cp = *cpp;
1212 	while (*cp == ' ' || *cp == '\t')
1213 		cp++;
1214 	e = strspn(cp, "0123456789");
1215 	if (e == 0)
1216 		return SSH_ERR_INVALID_FORMAT;
1217 	if (e > SSHBUF_MAX_BIGNUM * 3)
1218 		return SSH_ERR_BIGNUM_TOO_LARGE;
1219 	if (cp[e] == '\0')
1220 		skip = 0;
1221 	else if (strchr(" \t\r\n", cp[e]) == NULL)
1222 		return SSH_ERR_INVALID_FORMAT;
1223 	cp[e] = '\0';
1224 	if (BN_dec2bn(&v, cp) <= 0)
1225 		return SSH_ERR_INVALID_FORMAT;
1226 	*cpp = cp + e + skip;
1227 	return 0;
1228 }
1229 #endif /* WITH_SSH1 */
1230 
1231 /* returns 0 ok, and < 0 error */
1232 int
1233 sshkey_read(struct sshkey *ret, char **cpp)
1234 {
1235 	struct sshkey *k;
1236 	int retval = SSH_ERR_INVALID_FORMAT;
1237 	char *ep, *cp, *space;
1238 	int r, type, curve_nid = -1;
1239 	struct sshbuf *blob;
1240 #ifdef WITH_SSH1
1241 	u_long bits;
1242 #endif /* WITH_SSH1 */
1243 
1244 	if (ret == NULL)
1245 		return SSH_ERR_INVALID_ARGUMENT;
1246 
1247 	cp = *cpp;
1248 
1249 	switch (ret->type) {
1250 	case KEY_RSA1:
1251 #ifdef WITH_SSH1
1252 		/* Get number of bits. */
1253 		bits = strtoul(cp, &ep, 10);
1254 		if (*cp == '\0' || strchr(" \t\r\n", *ep) == NULL ||
1255 		    bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
1256 			return SSH_ERR_INVALID_FORMAT;	/* Bad bit count... */
1257 		/* Get public exponent, public modulus. */
1258 		if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
1259 			return r;
1260 		if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0)
1261 			return r;
1262 		/* validate the claimed number of bits */
1263 		if (BN_num_bits(ret->rsa->n) != (int)bits)
1264 			return SSH_ERR_KEY_BITS_MISMATCH;
1265 		*cpp = ep;
1266 		retval = 0;
1267 #endif /* WITH_SSH1 */
1268 		break;
1269 	case KEY_UNSPEC:
1270 	case KEY_RSA:
1271 	case KEY_DSA:
1272 	case KEY_ECDSA:
1273 	case KEY_ED25519:
1274 	case KEY_DSA_CERT:
1275 	case KEY_ECDSA_CERT:
1276 	case KEY_RSA_CERT:
1277 	case KEY_ED25519_CERT:
1278 		space = strchr(cp, ' ');
1279 		if (space == NULL)
1280 			return SSH_ERR_INVALID_FORMAT;
1281 		*space = '\0';
1282 		type = sshkey_type_from_name(cp);
1283 		if (sshkey_type_plain(type) == KEY_ECDSA &&
1284 		    (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1)
1285 			return SSH_ERR_EC_CURVE_INVALID;
1286 		*space = ' ';
1287 		if (type == KEY_UNSPEC)
1288 			return SSH_ERR_INVALID_FORMAT;
1289 		cp = space+1;
1290 		if (*cp == '\0')
1291 			return SSH_ERR_INVALID_FORMAT;
1292 		if (ret->type != KEY_UNSPEC && ret->type != type)
1293 			return SSH_ERR_KEY_TYPE_MISMATCH;
1294 		if ((blob = sshbuf_new()) == NULL)
1295 			return SSH_ERR_ALLOC_FAIL;
1296 		/* trim comment */
1297 		space = strchr(cp, ' ');
1298 		if (space) {
1299 			/* advance 'space': skip whitespace */
1300 			*space++ = '\0';
1301 			while (*space == ' ' || *space == '\t')
1302 				space++;
1303 			ep = space;
1304 		} else
1305 			ep = cp + strlen(cp);
1306 		if ((r = sshbuf_b64tod(blob, cp)) != 0) {
1307 			sshbuf_free(blob);
1308 			return r;
1309 		}
1310 		if ((r = sshkey_from_blob(sshbuf_ptr(blob),
1311 		    sshbuf_len(blob), &k)) != 0) {
1312 			sshbuf_free(blob);
1313 			return r;
1314 		}
1315 		sshbuf_free(blob);
1316 		if (k->type != type) {
1317 			sshkey_free(k);
1318 			return SSH_ERR_KEY_TYPE_MISMATCH;
1319 		}
1320 		if (sshkey_type_plain(type) == KEY_ECDSA &&
1321 		    curve_nid != k->ecdsa_nid) {
1322 			sshkey_free(k);
1323 			return SSH_ERR_EC_CURVE_MISMATCH;
1324 		}
1325 		ret->type = type;
1326 		if (sshkey_is_cert(ret)) {
1327 			if (!sshkey_is_cert(k)) {
1328 				sshkey_free(k);
1329 				return SSH_ERR_EXPECTED_CERT;
1330 			}
1331 			if (ret->cert != NULL)
1332 				cert_free(ret->cert);
1333 			ret->cert = k->cert;
1334 			k->cert = NULL;
1335 		}
1336 		switch (sshkey_type_plain(ret->type)) {
1337 #ifdef WITH_OPENSSL
1338 		case KEY_RSA:
1339 			if (ret->rsa != NULL)
1340 				RSA_free(ret->rsa);
1341 			ret->rsa = k->rsa;
1342 			k->rsa = NULL;
1343 #ifdef DEBUG_PK
1344 			RSA_print_fp(stderr, ret->rsa, 8);
1345 #endif
1346 			break;
1347 		case KEY_DSA:
1348 			if (ret->dsa != NULL)
1349 				DSA_free(ret->dsa);
1350 			ret->dsa = k->dsa;
1351 			k->dsa = NULL;
1352 #ifdef DEBUG_PK
1353 			DSA_print_fp(stderr, ret->dsa, 8);
1354 #endif
1355 			break;
1356 # ifdef OPENSSL_HAS_ECC
1357 		case KEY_ECDSA:
1358 			if (ret->ecdsa != NULL)
1359 				EC_KEY_free(ret->ecdsa);
1360 			ret->ecdsa = k->ecdsa;
1361 			ret->ecdsa_nid = k->ecdsa_nid;
1362 			k->ecdsa = NULL;
1363 			k->ecdsa_nid = -1;
1364 #ifdef DEBUG_PK
1365 			sshkey_dump_ec_key(ret->ecdsa);
1366 #endif
1367 			break;
1368 # endif /* OPENSSL_HAS_ECC */
1369 #endif /* WITH_OPENSSL */
1370 		case KEY_ED25519:
1371 			free(ret->ed25519_pk);
1372 			ret->ed25519_pk = k->ed25519_pk;
1373 			k->ed25519_pk = NULL;
1374 #ifdef DEBUG_PK
1375 			/* XXX */
1376 #endif
1377 			break;
1378 		}
1379 		*cpp = ep;
1380 		retval = 0;
1381 /*XXXX*/
1382 		sshkey_free(k);
1383 		if (retval != 0)
1384 			break;
1385 		break;
1386 	default:
1387 		return SSH_ERR_INVALID_ARGUMENT;
1388 	}
1389 	return retval;
1390 }
1391 
1392 int
1393 sshkey_to_base64(const struct sshkey *key, char **b64p)
1394 {
1395 	int r = SSH_ERR_INTERNAL_ERROR;
1396 	struct sshbuf *b = NULL;
1397 	char *uu = NULL;
1398 
1399 	if (b64p != NULL)
1400 		*b64p = NULL;
1401 	if ((b = sshbuf_new()) == NULL)
1402 		return SSH_ERR_ALLOC_FAIL;
1403 	if ((r = sshkey_putb(key, b)) != 0)
1404 		goto out;
1405 	if ((uu = sshbuf_dtob64(b)) == NULL) {
1406 		r = SSH_ERR_ALLOC_FAIL;
1407 		goto out;
1408 	}
1409 	/* Success */
1410 	if (b64p != NULL) {
1411 		*b64p = uu;
1412 		uu = NULL;
1413 	}
1414 	r = 0;
1415  out:
1416 	sshbuf_free(b);
1417 	free(uu);
1418 	return r;
1419 }
1420 
1421 static int
1422 sshkey_format_rsa1(const struct sshkey *key, struct sshbuf *b)
1423 {
1424 	int r = SSH_ERR_INTERNAL_ERROR;
1425 #ifdef WITH_SSH1
1426 	u_int bits = 0;
1427 	char *dec_e = NULL, *dec_n = NULL;
1428 
1429 	if (key->rsa == NULL || key->rsa->e == NULL ||
1430 	    key->rsa->n == NULL) {
1431 		r = SSH_ERR_INVALID_ARGUMENT;
1432 		goto out;
1433 	}
1434 	if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL ||
1435 	    (dec_n = BN_bn2dec(key->rsa->n)) == NULL) {
1436 		r = SSH_ERR_ALLOC_FAIL;
1437 		goto out;
1438 	}
1439 	/* size of modulus 'n' */
1440 	if ((bits = BN_num_bits(key->rsa->n)) <= 0) {
1441 		r = SSH_ERR_INVALID_ARGUMENT;
1442 		goto out;
1443 	}
1444 	if ((r = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0)
1445 		goto out;
1446 
1447 	/* Success */
1448 	r = 0;
1449  out:
1450 	if (dec_e != NULL)
1451 		OPENSSL_free(dec_e);
1452 	if (dec_n != NULL)
1453 		OPENSSL_free(dec_n);
1454 #endif /* WITH_SSH1 */
1455 
1456 	return r;
1457 }
1458 
1459 static int
1460 sshkey_format_text(const struct sshkey *key, struct sshbuf *b)
1461 {
1462 	int r = SSH_ERR_INTERNAL_ERROR;
1463 	char *uu = NULL;
1464 
1465 	if (key->type == KEY_RSA1) {
1466 		if ((r = sshkey_format_rsa1(key, b)) != 0)
1467 			goto out;
1468 	} else {
1469 		/* Unsupported key types handled in sshkey_to_base64() */
1470 		if ((r = sshkey_to_base64(key, &uu)) != 0)
1471 			goto out;
1472 		if ((r = sshbuf_putf(b, "%s %s",
1473 		    sshkey_ssh_name(key), uu)) != 0)
1474 			goto out;
1475 	}
1476 	r = 0;
1477  out:
1478 	free(uu);
1479 	return r;
1480 }
1481 
1482 int
1483 sshkey_write(const struct sshkey *key, FILE *f)
1484 {
1485 	struct sshbuf *b = NULL;
1486 	int r = SSH_ERR_INTERNAL_ERROR;
1487 
1488 	if ((b = sshbuf_new()) == NULL)
1489 		return SSH_ERR_ALLOC_FAIL;
1490 	if ((r = sshkey_format_text(key, b)) != 0)
1491 		goto out;
1492 	if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
1493 		if (feof(f))
1494 			errno = EPIPE;
1495 		r = SSH_ERR_SYSTEM_ERROR;
1496 		goto out;
1497 	}
1498 	/* Success */
1499 	r = 0;
1500  out:
1501 	sshbuf_free(b);
1502 	return r;
1503 }
1504 
1505 const char *
1506 sshkey_cert_type(const struct sshkey *k)
1507 {
1508 	switch (k->cert->type) {
1509 	case SSH2_CERT_TYPE_USER:
1510 		return "user";
1511 	case SSH2_CERT_TYPE_HOST:
1512 		return "host";
1513 	default:
1514 		return "unknown";
1515 	}
1516 }
1517 
1518 #ifdef WITH_OPENSSL
1519 static int
1520 rsa_generate_private_key(u_int bits, RSA **rsap)
1521 {
1522 	RSA *private = NULL;
1523 	BIGNUM *f4 = NULL;
1524 	int ret = SSH_ERR_INTERNAL_ERROR;
1525 
1526 	if (rsap == NULL ||
1527 	    bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
1528 	    bits > SSHBUF_MAX_BIGNUM * 8)
1529 		return SSH_ERR_INVALID_ARGUMENT;
1530 	*rsap = NULL;
1531 	if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) {
1532 		ret = SSH_ERR_ALLOC_FAIL;
1533 		goto out;
1534 	}
1535 	if (!BN_set_word(f4, RSA_F4) ||
1536 	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
1537 		ret = SSH_ERR_LIBCRYPTO_ERROR;
1538 		goto out;
1539 	}
1540 	*rsap = private;
1541 	private = NULL;
1542 	ret = 0;
1543  out:
1544 	if (private != NULL)
1545 		RSA_free(private);
1546 	if (f4 != NULL)
1547 		BN_free(f4);
1548 	return ret;
1549 }
1550 
1551 static int
1552 dsa_generate_private_key(u_int bits, DSA **dsap)
1553 {
1554 	DSA *private;
1555 	int ret = SSH_ERR_INTERNAL_ERROR;
1556 
1557 	if (dsap == NULL || bits != 1024)
1558 		return SSH_ERR_INVALID_ARGUMENT;
1559 	if ((private = DSA_new()) == NULL) {
1560 		ret = SSH_ERR_ALLOC_FAIL;
1561 		goto out;
1562 	}
1563 	*dsap = NULL;
1564 	if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
1565 	    NULL, NULL) || !DSA_generate_key(private)) {
1566 		ret = SSH_ERR_LIBCRYPTO_ERROR;
1567 		goto out;
1568 	}
1569 	*dsap = private;
1570 	private = NULL;
1571 	ret = 0;
1572  out:
1573 	if (private != NULL)
1574 		DSA_free(private);
1575 	return ret;
1576 }
1577 
1578 # ifdef OPENSSL_HAS_ECC
1579 int
1580 sshkey_ecdsa_key_to_nid(EC_KEY *k)
1581 {
1582 	EC_GROUP *eg;
1583 	int nids[] = {
1584 		NID_X9_62_prime256v1,
1585 		NID_secp384r1,
1586 #  ifdef OPENSSL_HAS_NISTP521
1587 		NID_secp521r1,
1588 #  endif /* OPENSSL_HAS_NISTP521 */
1589 		-1
1590 	};
1591 	int nid;
1592 	u_int i;
1593 	BN_CTX *bnctx;
1594 	const EC_GROUP *g = EC_KEY_get0_group(k);
1595 
1596 	/*
1597 	 * The group may be stored in a ASN.1 encoded private key in one of two
1598 	 * ways: as a "named group", which is reconstituted by ASN.1 object ID
1599 	 * or explicit group parameters encoded into the key blob. Only the
1600 	 * "named group" case sets the group NID for us, but we can figure
1601 	 * it out for the other case by comparing against all the groups that
1602 	 * are supported.
1603 	 */
1604 	if ((nid = EC_GROUP_get_curve_name(g)) > 0)
1605 		return nid;
1606 	if ((bnctx = BN_CTX_new()) == NULL)
1607 		return -1;
1608 	for (i = 0; nids[i] != -1; i++) {
1609 		if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) {
1610 			BN_CTX_free(bnctx);
1611 			return -1;
1612 		}
1613 		if (EC_GROUP_cmp(g, eg, bnctx) == 0)
1614 			break;
1615 		EC_GROUP_free(eg);
1616 	}
1617 	BN_CTX_free(bnctx);
1618 	if (nids[i] != -1) {
1619 		/* Use the group with the NID attached */
1620 		EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
1621 		if (EC_KEY_set_group(k, eg) != 1) {
1622 			EC_GROUP_free(eg);
1623 			return -1;
1624 		}
1625 	}
1626 	return nids[i];
1627 }
1628 
1629 static int
1630 ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)
1631 {
1632 	EC_KEY *private;
1633 	int ret = SSH_ERR_INTERNAL_ERROR;
1634 
1635 	if (nid == NULL || ecdsap == NULL ||
1636 	    (*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
1637 		return SSH_ERR_INVALID_ARGUMENT;
1638 	*ecdsap = NULL;
1639 	if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
1640 		ret = SSH_ERR_ALLOC_FAIL;
1641 		goto out;
1642 	}
1643 	if (EC_KEY_generate_key(private) != 1) {
1644 		ret = SSH_ERR_LIBCRYPTO_ERROR;
1645 		goto out;
1646 	}
1647 	EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
1648 	*ecdsap = private;
1649 	private = NULL;
1650 	ret = 0;
1651  out:
1652 	if (private != NULL)
1653 		EC_KEY_free(private);
1654 	return ret;
1655 }
1656 # endif /* OPENSSL_HAS_ECC */
1657 #endif /* WITH_OPENSSL */
1658 
1659 int
1660 sshkey_generate(int type, u_int bits, struct sshkey **keyp)
1661 {
1662 	struct sshkey *k;
1663 	int ret = SSH_ERR_INTERNAL_ERROR;
1664 
1665 	if (keyp == NULL)
1666 		return SSH_ERR_INVALID_ARGUMENT;
1667 	*keyp = NULL;
1668 	if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
1669 		return SSH_ERR_ALLOC_FAIL;
1670 	switch (type) {
1671 	case KEY_ED25519:
1672 		if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL ||
1673 		    (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
1674 			ret = SSH_ERR_ALLOC_FAIL;
1675 			break;
1676 		}
1677 		crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
1678 		ret = 0;
1679 		break;
1680 #ifdef WITH_OPENSSL
1681 	case KEY_DSA:
1682 		ret = dsa_generate_private_key(bits, &k->dsa);
1683 		break;
1684 # ifdef OPENSSL_HAS_ECC
1685 	case KEY_ECDSA:
1686 		ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
1687 		    &k->ecdsa);
1688 		break;
1689 # endif /* OPENSSL_HAS_ECC */
1690 	case KEY_RSA:
1691 	case KEY_RSA1:
1692 		ret = rsa_generate_private_key(bits, &k->rsa);
1693 		break;
1694 #endif /* WITH_OPENSSL */
1695 	default:
1696 		ret = SSH_ERR_INVALID_ARGUMENT;
1697 	}
1698 	if (ret == 0) {
1699 		k->type = type;
1700 		*keyp = k;
1701 	} else
1702 		sshkey_free(k);
1703 	return ret;
1704 }
1705 
1706 int
1707 sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
1708 {
1709 	u_int i;
1710 	const struct sshkey_cert *from;
1711 	struct sshkey_cert *to;
1712 	int ret = SSH_ERR_INTERNAL_ERROR;
1713 
1714 	if (to_key->cert != NULL) {
1715 		cert_free(to_key->cert);
1716 		to_key->cert = NULL;
1717 	}
1718 
1719 	if ((from = from_key->cert) == NULL)
1720 		return SSH_ERR_INVALID_ARGUMENT;
1721 
1722 	if ((to = to_key->cert = cert_new()) == NULL)
1723 		return SSH_ERR_ALLOC_FAIL;
1724 
1725 	if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
1726 	    (ret = sshbuf_putb(to->critical, from->critical)) != 0 ||
1727 	    (ret = sshbuf_putb(to->extensions, from->extensions)) != 0)
1728 		return ret;
1729 
1730 	to->serial = from->serial;
1731 	to->type = from->type;
1732 	if (from->key_id == NULL)
1733 		to->key_id = NULL;
1734 	else if ((to->key_id = strdup(from->key_id)) == NULL)
1735 		return SSH_ERR_ALLOC_FAIL;
1736 	to->valid_after = from->valid_after;
1737 	to->valid_before = from->valid_before;
1738 	if (from->signature_key == NULL)
1739 		to->signature_key = NULL;
1740 	else if ((ret = sshkey_from_private(from->signature_key,
1741 	    &to->signature_key)) != 0)
1742 		return ret;
1743 
1744 	if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS)
1745 		return SSH_ERR_INVALID_ARGUMENT;
1746 	if (from->nprincipals > 0) {
1747 		if ((to->principals = calloc(from->nprincipals,
1748 		    sizeof(*to->principals))) == NULL)
1749 			return SSH_ERR_ALLOC_FAIL;
1750 		for (i = 0; i < from->nprincipals; i++) {
1751 			to->principals[i] = strdup(from->principals[i]);
1752 			if (to->principals[i] == NULL) {
1753 				to->nprincipals = i;
1754 				return SSH_ERR_ALLOC_FAIL;
1755 			}
1756 		}
1757 	}
1758 	to->nprincipals = from->nprincipals;
1759 	return 0;
1760 }
1761 
1762 int
1763 sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
1764 {
1765 	struct sshkey *n = NULL;
1766 	int ret = SSH_ERR_INTERNAL_ERROR;
1767 
1768 	*pkp = NULL;
1769 	switch (k->type) {
1770 #ifdef WITH_OPENSSL
1771 	case KEY_DSA:
1772 	case KEY_DSA_CERT:
1773 		if ((n = sshkey_new(k->type)) == NULL)
1774 			return SSH_ERR_ALLOC_FAIL;
1775 		if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
1776 		    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
1777 		    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
1778 		    (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) {
1779 			sshkey_free(n);
1780 			return SSH_ERR_ALLOC_FAIL;
1781 		}
1782 		break;
1783 # ifdef OPENSSL_HAS_ECC
1784 	case KEY_ECDSA:
1785 	case KEY_ECDSA_CERT:
1786 		if ((n = sshkey_new(k->type)) == NULL)
1787 			return SSH_ERR_ALLOC_FAIL;
1788 		n->ecdsa_nid = k->ecdsa_nid;
1789 		n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
1790 		if (n->ecdsa == NULL) {
1791 			sshkey_free(n);
1792 			return SSH_ERR_ALLOC_FAIL;
1793 		}
1794 		if (EC_KEY_set_public_key(n->ecdsa,
1795 		    EC_KEY_get0_public_key(k->ecdsa)) != 1) {
1796 			sshkey_free(n);
1797 			return SSH_ERR_LIBCRYPTO_ERROR;
1798 		}
1799 		break;
1800 # endif /* OPENSSL_HAS_ECC */
1801 	case KEY_RSA:
1802 	case KEY_RSA1:
1803 	case KEY_RSA_CERT:
1804 		if ((n = sshkey_new(k->type)) == NULL)
1805 			return SSH_ERR_ALLOC_FAIL;
1806 		if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
1807 		    (BN_copy(n->rsa->e, k->rsa->e) == NULL)) {
1808 			sshkey_free(n);
1809 			return SSH_ERR_ALLOC_FAIL;
1810 		}
1811 		break;
1812 #endif /* WITH_OPENSSL */
1813 	case KEY_ED25519:
1814 	case KEY_ED25519_CERT:
1815 		if ((n = sshkey_new(k->type)) == NULL)
1816 			return SSH_ERR_ALLOC_FAIL;
1817 		if (k->ed25519_pk != NULL) {
1818 			if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
1819 				sshkey_free(n);
1820 				return SSH_ERR_ALLOC_FAIL;
1821 			}
1822 			memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
1823 		}
1824 		break;
1825 	default:
1826 		return SSH_ERR_KEY_TYPE_UNKNOWN;
1827 	}
1828 	if (sshkey_is_cert(k)) {
1829 		if ((ret = sshkey_cert_copy(k, n)) != 0) {
1830 			sshkey_free(n);
1831 			return ret;
1832 		}
1833 	}
1834 	*pkp = n;
1835 	return 0;
1836 }
1837 
1838 static int
1839 cert_parse(struct sshbuf *b, struct sshkey *key, struct sshbuf *certbuf)
1840 {
1841 	struct sshbuf *principals = NULL, *crit = NULL;
1842 	struct sshbuf *exts = NULL, *ca = NULL;
1843 	u_char *sig = NULL;
1844 	size_t signed_len = 0, slen = 0, kidlen = 0;
1845 	int ret = SSH_ERR_INTERNAL_ERROR;
1846 
1847 	/* Copy the entire key blob for verification and later serialisation */
1848 	if ((ret = sshbuf_putb(key->cert->certblob, certbuf)) != 0)
1849 		return ret;
1850 
1851 	/* Parse body of certificate up to signature */
1852 	if ((ret = sshbuf_get_u64(b, &key->cert->serial)) != 0 ||
1853 	    (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
1854 	    (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
1855 	    (ret = sshbuf_froms(b, &principals)) != 0 ||
1856 	    (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
1857 	    (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
1858 	    (ret = sshbuf_froms(b, &crit)) != 0 ||
1859 	    (ret = sshbuf_froms(b, &exts)) != 0 ||
1860 	    (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
1861 	    (ret = sshbuf_froms(b, &ca)) != 0) {
1862 		/* XXX debug print error for ret */
1863 		ret = SSH_ERR_INVALID_FORMAT;
1864 		goto out;
1865 	}
1866 
1867 	/* Signature is left in the buffer so we can calculate this length */
1868 	signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
1869 
1870 	if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
1871 		ret = SSH_ERR_INVALID_FORMAT;
1872 		goto out;
1873 	}
1874 
1875 	if (key->cert->type != SSH2_CERT_TYPE_USER &&
1876 	    key->cert->type != SSH2_CERT_TYPE_HOST) {
1877 		ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE;
1878 		goto out;
1879 	}
1880 
1881 	/* Parse principals section */
1882 	while (sshbuf_len(principals) > 0) {
1883 		char *principal = NULL;
1884 		char **oprincipals = NULL;
1885 
1886 		if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) {
1887 			ret = SSH_ERR_INVALID_FORMAT;
1888 			goto out;
1889 		}
1890 		if ((ret = sshbuf_get_cstring(principals, &principal,
1891 		    NULL)) != 0) {
1892 			ret = SSH_ERR_INVALID_FORMAT;
1893 			goto out;
1894 		}
1895 		oprincipals = key->cert->principals;
1896 		key->cert->principals = reallocarray(key->cert->principals,
1897 		    key->cert->nprincipals + 1, sizeof(*key->cert->principals));
1898 		if (key->cert->principals == NULL) {
1899 			free(principal);
1900 			key->cert->principals = oprincipals;
1901 			ret = SSH_ERR_ALLOC_FAIL;
1902 			goto out;
1903 		}
1904 		key->cert->principals[key->cert->nprincipals++] = principal;
1905 	}
1906 
1907 	/*
1908 	 * Stash a copies of the critical options and extensions sections
1909 	 * for later use.
1910 	 */
1911 	if ((ret = sshbuf_putb(key->cert->critical, crit)) != 0 ||
1912 	    (exts != NULL &&
1913 	    (ret = sshbuf_putb(key->cert->extensions, exts)) != 0))
1914 		goto out;
1915 
1916 	/*
1917 	 * Validate critical options and extensions sections format.
1918 	 */
1919 	while (sshbuf_len(crit) != 0) {
1920 		if ((ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0 ||
1921 		    (ret = sshbuf_get_string_direct(crit, NULL, NULL)) != 0) {
1922 			sshbuf_reset(key->cert->critical);
1923 			ret = SSH_ERR_INVALID_FORMAT;
1924 			goto out;
1925 		}
1926 	}
1927 	while (exts != NULL && sshbuf_len(exts) != 0) {
1928 		if ((ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0 ||
1929 		    (ret = sshbuf_get_string_direct(exts, NULL, NULL)) != 0) {
1930 			sshbuf_reset(key->cert->extensions);
1931 			ret = SSH_ERR_INVALID_FORMAT;
1932 			goto out;
1933 		}
1934 	}
1935 
1936 	/* Parse CA key and check signature */
1937 	if (sshkey_from_blob_internal(ca, &key->cert->signature_key, 0) != 0) {
1938 		ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
1939 		goto out;
1940 	}
1941 	if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
1942 		ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
1943 		goto out;
1944 	}
1945 	if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
1946 	    sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0)
1947 		goto out;
1948 
1949 	/* Success */
1950 	ret = 0;
1951  out:
1952 	sshbuf_free(ca);
1953 	sshbuf_free(crit);
1954 	sshbuf_free(exts);
1955 	sshbuf_free(principals);
1956 	free(sig);
1957 	return ret;
1958 }
1959 
1960 static int
1961 sshkey_from_blob_internal(struct sshbuf *b, struct sshkey **keyp,
1962     int allow_cert)
1963 {
1964 	int type, ret = SSH_ERR_INTERNAL_ERROR;
1965 	char *ktype = NULL, *curve = NULL;
1966 	struct sshkey *key = NULL;
1967 	size_t len;
1968 	u_char *pk = NULL;
1969 	struct sshbuf *copy;
1970 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
1971 	EC_POINT *q = NULL;
1972 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
1973 
1974 #ifdef DEBUG_PK /* XXX */
1975 	sshbuf_dump(b, stderr);
1976 #endif
1977 	if (keyp != NULL)
1978 		*keyp = NULL;
1979 	if ((copy = sshbuf_fromb(b)) == NULL) {
1980 		ret = SSH_ERR_ALLOC_FAIL;
1981 		goto out;
1982 	}
1983 	if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
1984 		ret = SSH_ERR_INVALID_FORMAT;
1985 		goto out;
1986 	}
1987 
1988 	type = sshkey_type_from_name(ktype);
1989 	if (!allow_cert && sshkey_type_is_cert(type)) {
1990 		ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
1991 		goto out;
1992 	}
1993 	switch (type) {
1994 #ifdef WITH_OPENSSL
1995 	case KEY_RSA_CERT:
1996 		/* Skip nonce */
1997 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
1998 			ret = SSH_ERR_INVALID_FORMAT;
1999 			goto out;
2000 		}
2001 		/* FALLTHROUGH */
2002 	case KEY_RSA:
2003 		if ((key = sshkey_new(type)) == NULL) {
2004 			ret = SSH_ERR_ALLOC_FAIL;
2005 			goto out;
2006 		}
2007 		if (sshbuf_get_bignum2(b, key->rsa->e) != 0 ||
2008 		    sshbuf_get_bignum2(b, key->rsa->n) != 0) {
2009 			ret = SSH_ERR_INVALID_FORMAT;
2010 			goto out;
2011 		}
2012 #ifdef DEBUG_PK
2013 		RSA_print_fp(stderr, key->rsa, 8);
2014 #endif
2015 		break;
2016 	case KEY_DSA_CERT:
2017 		/* Skip nonce */
2018 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2019 			ret = SSH_ERR_INVALID_FORMAT;
2020 			goto out;
2021 		}
2022 		/* FALLTHROUGH */
2023 	case KEY_DSA:
2024 		if ((key = sshkey_new(type)) == NULL) {
2025 			ret = SSH_ERR_ALLOC_FAIL;
2026 			goto out;
2027 		}
2028 		if (sshbuf_get_bignum2(b, key->dsa->p) != 0 ||
2029 		    sshbuf_get_bignum2(b, key->dsa->q) != 0 ||
2030 		    sshbuf_get_bignum2(b, key->dsa->g) != 0 ||
2031 		    sshbuf_get_bignum2(b, key->dsa->pub_key) != 0) {
2032 			ret = SSH_ERR_INVALID_FORMAT;
2033 			goto out;
2034 		}
2035 #ifdef DEBUG_PK
2036 		DSA_print_fp(stderr, key->dsa, 8);
2037 #endif
2038 		break;
2039 	case KEY_ECDSA_CERT:
2040 		/* Skip nonce */
2041 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2042 			ret = SSH_ERR_INVALID_FORMAT;
2043 			goto out;
2044 		}
2045 		/* FALLTHROUGH */
2046 # ifdef OPENSSL_HAS_ECC
2047 	case KEY_ECDSA:
2048 		if ((key = sshkey_new(type)) == NULL) {
2049 			ret = SSH_ERR_ALLOC_FAIL;
2050 			goto out;
2051 		}
2052 		key->ecdsa_nid = sshkey_ecdsa_nid_from_name(ktype);
2053 		if (sshbuf_get_cstring(b, &curve, NULL) != 0) {
2054 			ret = SSH_ERR_INVALID_FORMAT;
2055 			goto out;
2056 		}
2057 		if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
2058 			ret = SSH_ERR_EC_CURVE_MISMATCH;
2059 			goto out;
2060 		}
2061 		if (key->ecdsa != NULL)
2062 			EC_KEY_free(key->ecdsa);
2063 		if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
2064 		    == NULL) {
2065 			ret = SSH_ERR_EC_CURVE_INVALID;
2066 			goto out;
2067 		}
2068 		if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) {
2069 			ret = SSH_ERR_ALLOC_FAIL;
2070 			goto out;
2071 		}
2072 		if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) {
2073 			ret = SSH_ERR_INVALID_FORMAT;
2074 			goto out;
2075 		}
2076 		if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
2077 		    q) != 0) {
2078 			ret = SSH_ERR_KEY_INVALID_EC_VALUE;
2079 			goto out;
2080 		}
2081 		if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
2082 			/* XXX assume it is a allocation error */
2083 			ret = SSH_ERR_ALLOC_FAIL;
2084 			goto out;
2085 		}
2086 #ifdef DEBUG_PK
2087 		sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
2088 #endif
2089 		break;
2090 # endif /* OPENSSL_HAS_ECC */
2091 #endif /* WITH_OPENSSL */
2092 	case KEY_ED25519_CERT:
2093 		/* Skip nonce */
2094 		if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
2095 			ret = SSH_ERR_INVALID_FORMAT;
2096 			goto out;
2097 		}
2098 		/* FALLTHROUGH */
2099 	case KEY_ED25519:
2100 		if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
2101 			goto out;
2102 		if (len != ED25519_PK_SZ) {
2103 			ret = SSH_ERR_INVALID_FORMAT;
2104 			goto out;
2105 		}
2106 		if ((key = sshkey_new(type)) == NULL) {
2107 			ret = SSH_ERR_ALLOC_FAIL;
2108 			goto out;
2109 		}
2110 		key->ed25519_pk = pk;
2111 		pk = NULL;
2112 		break;
2113 	case KEY_UNSPEC:
2114 		if ((key = sshkey_new(type)) == NULL) {
2115 			ret = SSH_ERR_ALLOC_FAIL;
2116 			goto out;
2117 		}
2118 		break;
2119 	default:
2120 		ret = SSH_ERR_KEY_TYPE_UNKNOWN;
2121 		goto out;
2122 	}
2123 
2124 	/* Parse certificate potion */
2125 	if (sshkey_is_cert(key) && (ret = cert_parse(b, key, copy)) != 0)
2126 		goto out;
2127 
2128 	if (key != NULL && sshbuf_len(b) != 0) {
2129 		ret = SSH_ERR_INVALID_FORMAT;
2130 		goto out;
2131 	}
2132 	ret = 0;
2133 	if (keyp != NULL) {
2134 		*keyp = key;
2135 		key = NULL;
2136 	}
2137  out:
2138 	sshbuf_free(copy);
2139 	sshkey_free(key);
2140 	free(ktype);
2141 	free(curve);
2142 	free(pk);
2143 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
2144 	if (q != NULL)
2145 		EC_POINT_free(q);
2146 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
2147 	return ret;
2148 }
2149 
2150 int
2151 sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp)
2152 {
2153 	struct sshbuf *b;
2154 	int r;
2155 
2156 	if ((b = sshbuf_from(blob, blen)) == NULL)
2157 		return SSH_ERR_ALLOC_FAIL;
2158 	r = sshkey_from_blob_internal(b, keyp, 1);
2159 	sshbuf_free(b);
2160 	return r;
2161 }
2162 
2163 int
2164 sshkey_fromb(struct sshbuf *b, struct sshkey **keyp)
2165 {
2166 	return sshkey_from_blob_internal(b, keyp, 1);
2167 }
2168 
2169 int
2170 sshkey_froms(struct sshbuf *buf, struct sshkey **keyp)
2171 {
2172 	struct sshbuf *b;
2173 	int r;
2174 
2175 	if ((r = sshbuf_froms(buf, &b)) != 0)
2176 		return r;
2177 	r = sshkey_from_blob_internal(b, keyp, 1);
2178 	sshbuf_free(b);
2179 	return r;
2180 }
2181 
2182 int
2183 sshkey_sign(const struct sshkey *key,
2184     u_char **sigp, size_t *lenp,
2185     const u_char *data, size_t datalen, const char *alg, u_int compat)
2186 {
2187 	if (sigp != NULL)
2188 		*sigp = NULL;
2189 	if (lenp != NULL)
2190 		*lenp = 0;
2191 	if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
2192 		return SSH_ERR_INVALID_ARGUMENT;
2193 	switch (key->type) {
2194 #ifdef WITH_OPENSSL
2195 	case KEY_DSA_CERT:
2196 	case KEY_DSA:
2197 		return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
2198 # ifdef OPENSSL_HAS_ECC
2199 	case KEY_ECDSA_CERT:
2200 	case KEY_ECDSA:
2201 		return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
2202 # endif /* OPENSSL_HAS_ECC */
2203 	case KEY_RSA_CERT:
2204 	case KEY_RSA:
2205 		return ssh_rsa_sign(key, sigp, lenp, data, datalen, alg);
2206 #endif /* WITH_OPENSSL */
2207 	case KEY_ED25519:
2208 	case KEY_ED25519_CERT:
2209 		return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
2210 	default:
2211 		return SSH_ERR_KEY_TYPE_UNKNOWN;
2212 	}
2213 }
2214 
2215 /*
2216  * ssh_key_verify returns 0 for a correct signature  and < 0 on error.
2217  */
2218 int
2219 sshkey_verify(const struct sshkey *key,
2220     const u_char *sig, size_t siglen,
2221     const u_char *data, size_t dlen, u_int compat)
2222 {
2223 	if (siglen == 0 || dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
2224 		return SSH_ERR_INVALID_ARGUMENT;
2225 	switch (key->type) {
2226 #ifdef WITH_OPENSSL
2227 	case KEY_DSA_CERT:
2228 	case KEY_DSA:
2229 		return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
2230 # ifdef OPENSSL_HAS_ECC
2231 	case KEY_ECDSA_CERT:
2232 	case KEY_ECDSA:
2233 		return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
2234 # endif /* OPENSSL_HAS_ECC */
2235 	case KEY_RSA_CERT:
2236 	case KEY_RSA:
2237 		return ssh_rsa_verify(key, sig, siglen, data, dlen);
2238 #endif /* WITH_OPENSSL */
2239 	case KEY_ED25519:
2240 	case KEY_ED25519_CERT:
2241 		return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
2242 	default:
2243 		return SSH_ERR_KEY_TYPE_UNKNOWN;
2244 	}
2245 }
2246 
2247 /* Converts a private to a public key */
2248 int
2249 sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
2250 {
2251 	struct sshkey *pk;
2252 	int ret = SSH_ERR_INTERNAL_ERROR;
2253 
2254 	*dkp = NULL;
2255 	if ((pk = calloc(1, sizeof(*pk))) == NULL)
2256 		return SSH_ERR_ALLOC_FAIL;
2257 	pk->type = k->type;
2258 	pk->flags = k->flags;
2259 	pk->ecdsa_nid = k->ecdsa_nid;
2260 	pk->dsa = NULL;
2261 	pk->ecdsa = NULL;
2262 	pk->rsa = NULL;
2263 	pk->ed25519_pk = NULL;
2264 	pk->ed25519_sk = NULL;
2265 
2266 	switch (k->type) {
2267 #ifdef WITH_OPENSSL
2268 	case KEY_RSA_CERT:
2269 		if ((ret = sshkey_cert_copy(k, pk)) != 0)
2270 			goto fail;
2271 		/* FALLTHROUGH */
2272 	case KEY_RSA1:
2273 	case KEY_RSA:
2274 		if ((pk->rsa = RSA_new()) == NULL ||
2275 		    (pk->rsa->e = BN_dup(k->rsa->e)) == NULL ||
2276 		    (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) {
2277 			ret = SSH_ERR_ALLOC_FAIL;
2278 			goto fail;
2279 			}
2280 		break;
2281 	case KEY_DSA_CERT:
2282 		if ((ret = sshkey_cert_copy(k, pk)) != 0)
2283 			goto fail;
2284 		/* FALLTHROUGH */
2285 	case KEY_DSA:
2286 		if ((pk->dsa = DSA_new()) == NULL ||
2287 		    (pk->dsa->p = BN_dup(k->dsa->p)) == NULL ||
2288 		    (pk->dsa->q = BN_dup(k->dsa->q)) == NULL ||
2289 		    (pk->dsa->g = BN_dup(k->dsa->g)) == NULL ||
2290 		    (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) {
2291 			ret = SSH_ERR_ALLOC_FAIL;
2292 			goto fail;
2293 		}
2294 		break;
2295 	case KEY_ECDSA_CERT:
2296 		if ((ret = sshkey_cert_copy(k, pk)) != 0)
2297 			goto fail;
2298 		/* FALLTHROUGH */
2299 # ifdef OPENSSL_HAS_ECC
2300 	case KEY_ECDSA:
2301 		pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid);
2302 		if (pk->ecdsa == NULL) {
2303 			ret = SSH_ERR_ALLOC_FAIL;
2304 			goto fail;
2305 		}
2306 		if (EC_KEY_set_public_key(pk->ecdsa,
2307 		    EC_KEY_get0_public_key(k->ecdsa)) != 1) {
2308 			ret = SSH_ERR_LIBCRYPTO_ERROR;
2309 			goto fail;
2310 		}
2311 		break;
2312 # endif /* OPENSSL_HAS_ECC */
2313 #endif /* WITH_OPENSSL */
2314 	case KEY_ED25519_CERT:
2315 		if ((ret = sshkey_cert_copy(k, pk)) != 0)
2316 			goto fail;
2317 		/* FALLTHROUGH */
2318 	case KEY_ED25519:
2319 		if (k->ed25519_pk != NULL) {
2320 			if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
2321 				ret = SSH_ERR_ALLOC_FAIL;
2322 				goto fail;
2323 			}
2324 			memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
2325 		}
2326 		break;
2327 	default:
2328 		ret = SSH_ERR_KEY_TYPE_UNKNOWN;
2329  fail:
2330 		sshkey_free(pk);
2331 		return ret;
2332 	}
2333 	*dkp = pk;
2334 	return 0;
2335 }
2336 
2337 /* Convert a plain key to their _CERT equivalent */
2338 int
2339 sshkey_to_certified(struct sshkey *k)
2340 {
2341 	int newtype;
2342 
2343 	switch (k->type) {
2344 #ifdef WITH_OPENSSL
2345 	case KEY_RSA:
2346 		newtype = KEY_RSA_CERT;
2347 		break;
2348 	case KEY_DSA:
2349 		newtype = KEY_DSA_CERT;
2350 		break;
2351 	case KEY_ECDSA:
2352 		newtype = KEY_ECDSA_CERT;
2353 		break;
2354 #endif /* WITH_OPENSSL */
2355 	case KEY_ED25519:
2356 		newtype = KEY_ED25519_CERT;
2357 		break;
2358 	default:
2359 		return SSH_ERR_INVALID_ARGUMENT;
2360 	}
2361 	if ((k->cert = cert_new()) == NULL)
2362 		return SSH_ERR_ALLOC_FAIL;
2363 	k->type = newtype;
2364 	return 0;
2365 }
2366 
2367 /* Convert a certificate to its raw key equivalent */
2368 int
2369 sshkey_drop_cert(struct sshkey *k)
2370 {
2371 	if (!sshkey_type_is_cert(k->type))
2372 		return SSH_ERR_KEY_TYPE_UNKNOWN;
2373 	cert_free(k->cert);
2374 	k->cert = NULL;
2375 	k->type = sshkey_type_plain(k->type);
2376 	return 0;
2377 }
2378 
2379 /* Sign a certified key, (re-)generating the signed certblob. */
2380 int
2381 sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg)
2382 {
2383 	struct sshbuf *principals = NULL;
2384 	u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
2385 	size_t i, ca_len, sig_len;
2386 	int ret = SSH_ERR_INTERNAL_ERROR;
2387 	struct sshbuf *cert;
2388 
2389 	if (k == NULL || k->cert == NULL ||
2390 	    k->cert->certblob == NULL || ca == NULL)
2391 		return SSH_ERR_INVALID_ARGUMENT;
2392 	if (!sshkey_is_cert(k))
2393 		return SSH_ERR_KEY_TYPE_UNKNOWN;
2394 	if (!sshkey_type_is_valid_ca(ca->type))
2395 		return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
2396 
2397 	if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
2398 		return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
2399 
2400 	cert = k->cert->certblob; /* for readability */
2401 	sshbuf_reset(cert);
2402 	if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
2403 		goto out;
2404 
2405 	/* -v01 certs put nonce first */
2406 	arc4random_buf(&nonce, sizeof(nonce));
2407 	if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
2408 		goto out;
2409 
2410 	/* XXX this substantially duplicates to_blob(); refactor */
2411 	switch (k->type) {
2412 #ifdef WITH_OPENSSL
2413 	case KEY_DSA_CERT:
2414 		if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
2415 		    (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
2416 		    (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 ||
2417 		    (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0)
2418 			goto out;
2419 		break;
2420 # ifdef OPENSSL_HAS_ECC
2421 	case KEY_ECDSA_CERT:
2422 		if ((ret = sshbuf_put_cstring(cert,
2423 		    sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 ||
2424 		    (ret = sshbuf_put_ec(cert,
2425 		    EC_KEY_get0_public_key(k->ecdsa),
2426 		    EC_KEY_get0_group(k->ecdsa))) != 0)
2427 			goto out;
2428 		break;
2429 # endif /* OPENSSL_HAS_ECC */
2430 	case KEY_RSA_CERT:
2431 		if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
2432 		    (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
2433 			goto out;
2434 		break;
2435 #endif /* WITH_OPENSSL */
2436 	case KEY_ED25519_CERT:
2437 		if ((ret = sshbuf_put_string(cert,
2438 		    k->ed25519_pk, ED25519_PK_SZ)) != 0)
2439 			goto out;
2440 		break;
2441 	default:
2442 		ret = SSH_ERR_INVALID_ARGUMENT;
2443 		goto out;
2444 	}
2445 
2446 	if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0 ||
2447 	    (ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
2448 	    (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
2449 		goto out;
2450 
2451 	if ((principals = sshbuf_new()) == NULL) {
2452 		ret = SSH_ERR_ALLOC_FAIL;
2453 		goto out;
2454 	}
2455 	for (i = 0; i < k->cert->nprincipals; i++) {
2456 		if ((ret = sshbuf_put_cstring(principals,
2457 		    k->cert->principals[i])) != 0)
2458 			goto out;
2459 	}
2460 	if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
2461 	    (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
2462 	    (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
2463 	    (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0 ||
2464 	    (ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0 ||
2465 	    (ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
2466 	    (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
2467 		goto out;
2468 
2469 	/* Sign the whole mess */
2470 	if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
2471 	    sshbuf_len(cert), alg, 0)) != 0)
2472 		goto out;
2473 
2474 	/* Append signature and we are done */
2475 	if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
2476 		goto out;
2477 	ret = 0;
2478  out:
2479 	if (ret != 0)
2480 		sshbuf_reset(cert);
2481 	free(sig_blob);
2482 	free(ca_blob);
2483 	sshbuf_free(principals);
2484 	return ret;
2485 }
2486 
2487 int
2488 sshkey_cert_check_authority(const struct sshkey *k,
2489     int want_host, int require_principal,
2490     const char *name, const char **reason)
2491 {
2492 	u_int i, principal_matches;
2493 	time_t now = time(NULL);
2494 
2495 	if (reason != NULL)
2496 		*reason = NULL;
2497 
2498 	if (want_host) {
2499 		if (k->cert->type != SSH2_CERT_TYPE_HOST) {
2500 			*reason = "Certificate invalid: not a host certificate";
2501 			return SSH_ERR_KEY_CERT_INVALID;
2502 		}
2503 	} else {
2504 		if (k->cert->type != SSH2_CERT_TYPE_USER) {
2505 			*reason = "Certificate invalid: not a user certificate";
2506 			return SSH_ERR_KEY_CERT_INVALID;
2507 		}
2508 	}
2509 	if (now < 0) {
2510 		/* yikes - system clock before epoch! */
2511 		*reason = "Certificate invalid: not yet valid";
2512 		return SSH_ERR_KEY_CERT_INVALID;
2513 	}
2514 	if ((u_int64_t)now < k->cert->valid_after) {
2515 		*reason = "Certificate invalid: not yet valid";
2516 		return SSH_ERR_KEY_CERT_INVALID;
2517 	}
2518 	if ((u_int64_t)now >= k->cert->valid_before) {
2519 		*reason = "Certificate invalid: expired";
2520 		return SSH_ERR_KEY_CERT_INVALID;
2521 	}
2522 	if (k->cert->nprincipals == 0) {
2523 		if (require_principal) {
2524 			*reason = "Certificate lacks principal list";
2525 			return SSH_ERR_KEY_CERT_INVALID;
2526 		}
2527 	} else if (name != NULL) {
2528 		principal_matches = 0;
2529 		for (i = 0; i < k->cert->nprincipals; i++) {
2530 			if (strcmp(name, k->cert->principals[i]) == 0) {
2531 				principal_matches = 1;
2532 				break;
2533 			}
2534 		}
2535 		if (!principal_matches) {
2536 			*reason = "Certificate invalid: name is not a listed "
2537 			    "principal";
2538 			return SSH_ERR_KEY_CERT_INVALID;
2539 		}
2540 	}
2541 	return 0;
2542 }
2543 
2544 size_t
2545 sshkey_format_cert_validity(const struct sshkey_cert *cert, char *s, size_t l)
2546 {
2547 	char from[32], to[32], ret[64];
2548 	time_t tt;
2549 	struct tm *tm;
2550 
2551 	*from = *to = '\0';
2552 	if (cert->valid_after == 0 &&
2553 	    cert->valid_before == 0xffffffffffffffffULL)
2554 		return strlcpy(s, "forever", l);
2555 
2556 	if (cert->valid_after != 0) {
2557 		/* XXX revisit INT_MAX in 2038 :) */
2558 		tt = cert->valid_after > INT_MAX ?
2559 		    INT_MAX : cert->valid_after;
2560 		tm = localtime(&tt);
2561 		strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
2562 	}
2563 	if (cert->valid_before != 0xffffffffffffffffULL) {
2564 		/* XXX revisit INT_MAX in 2038 :) */
2565 		tt = cert->valid_before > INT_MAX ?
2566 		    INT_MAX : cert->valid_before;
2567 		tm = localtime(&tt);
2568 		strftime(to, sizeof(to), "%Y-%m-%dT%H:%M:%S", tm);
2569 	}
2570 
2571 	if (cert->valid_after == 0)
2572 		snprintf(ret, sizeof(ret), "before %s", to);
2573 	else if (cert->valid_before == 0xffffffffffffffffULL)
2574 		snprintf(ret, sizeof(ret), "after %s", from);
2575 	else
2576 		snprintf(ret, sizeof(ret), "from %s to %s", from, to);
2577 
2578 	return strlcpy(s, ret, l);
2579 }
2580 
2581 int
2582 sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
2583 {
2584 	int r = SSH_ERR_INTERNAL_ERROR;
2585 
2586 	if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
2587 		goto out;
2588 	switch (key->type) {
2589 #ifdef WITH_OPENSSL
2590 	case KEY_RSA:
2591 		if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 ||
2592 		    (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 ||
2593 		    (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 ||
2594 		    (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 ||
2595 		    (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 ||
2596 		    (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
2597 			goto out;
2598 		break;
2599 	case KEY_RSA_CERT:
2600 		if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2601 			r = SSH_ERR_INVALID_ARGUMENT;
2602 			goto out;
2603 		}
2604 		if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2605 		    (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 ||
2606 		    (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 ||
2607 		    (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 ||
2608 		    (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
2609 			goto out;
2610 		break;
2611 	case KEY_DSA:
2612 		if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 ||
2613 		    (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 ||
2614 		    (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 ||
2615 		    (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 ||
2616 		    (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
2617 			goto out;
2618 		break;
2619 	case KEY_DSA_CERT:
2620 		if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2621 			r = SSH_ERR_INVALID_ARGUMENT;
2622 			goto out;
2623 		}
2624 		if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2625 		    (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
2626 			goto out;
2627 		break;
2628 # ifdef OPENSSL_HAS_ECC
2629 	case KEY_ECDSA:
2630 		if ((r = sshbuf_put_cstring(b,
2631 		    sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
2632 		    (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
2633 		    (r = sshbuf_put_bignum2(b,
2634 		    EC_KEY_get0_private_key(key->ecdsa))) != 0)
2635 			goto out;
2636 		break;
2637 	case KEY_ECDSA_CERT:
2638 		if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2639 			r = SSH_ERR_INVALID_ARGUMENT;
2640 			goto out;
2641 		}
2642 		if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2643 		    (r = sshbuf_put_bignum2(b,
2644 		    EC_KEY_get0_private_key(key->ecdsa))) != 0)
2645 			goto out;
2646 		break;
2647 # endif /* OPENSSL_HAS_ECC */
2648 #endif /* WITH_OPENSSL */
2649 	case KEY_ED25519:
2650 		if ((r = sshbuf_put_string(b, key->ed25519_pk,
2651 		    ED25519_PK_SZ)) != 0 ||
2652 		    (r = sshbuf_put_string(b, key->ed25519_sk,
2653 		    ED25519_SK_SZ)) != 0)
2654 			goto out;
2655 		break;
2656 	case KEY_ED25519_CERT:
2657 		if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
2658 			r = SSH_ERR_INVALID_ARGUMENT;
2659 			goto out;
2660 		}
2661 		if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
2662 		    (r = sshbuf_put_string(b, key->ed25519_pk,
2663 		    ED25519_PK_SZ)) != 0 ||
2664 		    (r = sshbuf_put_string(b, key->ed25519_sk,
2665 		    ED25519_SK_SZ)) != 0)
2666 			goto out;
2667 		break;
2668 	default:
2669 		r = SSH_ERR_INVALID_ARGUMENT;
2670 		goto out;
2671 	}
2672 	/* success */
2673 	r = 0;
2674  out:
2675 	return r;
2676 }
2677 
2678 int
2679 sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
2680 {
2681 	char *tname = NULL, *curve = NULL;
2682 	struct sshkey *k = NULL;
2683 	size_t pklen = 0, sklen = 0;
2684 	int type, r = SSH_ERR_INTERNAL_ERROR;
2685 	u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
2686 #ifdef WITH_OPENSSL
2687 	BIGNUM *exponent = NULL;
2688 #endif /* WITH_OPENSSL */
2689 
2690 	if (kp != NULL)
2691 		*kp = NULL;
2692 	if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
2693 		goto out;
2694 	type = sshkey_type_from_name(tname);
2695 	switch (type) {
2696 #ifdef WITH_OPENSSL
2697 	case KEY_DSA:
2698 		if ((k = sshkey_new_private(type)) == NULL) {
2699 			r = SSH_ERR_ALLOC_FAIL;
2700 			goto out;
2701 		}
2702 		if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 ||
2703 		    (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 ||
2704 		    (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 ||
2705 		    (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 ||
2706 		    (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
2707 			goto out;
2708 		break;
2709 	case KEY_DSA_CERT:
2710 		if ((r = sshkey_froms(buf, &k)) != 0 ||
2711 		    (r = sshkey_add_private(k)) != 0 ||
2712 		    (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
2713 			goto out;
2714 		break;
2715 # ifdef OPENSSL_HAS_ECC
2716 	case KEY_ECDSA:
2717 		if ((k = sshkey_new_private(type)) == NULL) {
2718 			r = SSH_ERR_ALLOC_FAIL;
2719 			goto out;
2720 		}
2721 		if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
2722 			r = SSH_ERR_INVALID_ARGUMENT;
2723 			goto out;
2724 		}
2725 		if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
2726 			goto out;
2727 		if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
2728 			r = SSH_ERR_EC_CURVE_MISMATCH;
2729 			goto out;
2730 		}
2731 		k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
2732 		if (k->ecdsa  == NULL || (exponent = BN_new()) == NULL) {
2733 			r = SSH_ERR_LIBCRYPTO_ERROR;
2734 			goto out;
2735 		}
2736 		if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
2737 		    (r = sshbuf_get_bignum2(buf, exponent)))
2738 			goto out;
2739 		if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
2740 			r = SSH_ERR_LIBCRYPTO_ERROR;
2741 			goto out;
2742 		}
2743 		if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2744 		    EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
2745 		    (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
2746 			goto out;
2747 		break;
2748 	case KEY_ECDSA_CERT:
2749 		if ((exponent = BN_new()) == NULL) {
2750 			r = SSH_ERR_LIBCRYPTO_ERROR;
2751 			goto out;
2752 		}
2753 		if ((r = sshkey_froms(buf, &k)) != 0 ||
2754 		    (r = sshkey_add_private(k)) != 0 ||
2755 		    (r = sshbuf_get_bignum2(buf, exponent)) != 0)
2756 			goto out;
2757 		if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
2758 			r = SSH_ERR_LIBCRYPTO_ERROR;
2759 			goto out;
2760 		}
2761 		if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
2762 		    EC_KEY_get0_public_key(k->ecdsa))) != 0 ||
2763 		    (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
2764 			goto out;
2765 		break;
2766 # endif /* OPENSSL_HAS_ECC */
2767 	case KEY_RSA:
2768 		if ((k = sshkey_new_private(type)) == NULL) {
2769 			r = SSH_ERR_ALLOC_FAIL;
2770 			goto out;
2771 		}
2772 		if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 ||
2773 		    (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 ||
2774 		    (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
2775 		    (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
2776 		    (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
2777 		    (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
2778 		    (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2779 			goto out;
2780 		break;
2781 	case KEY_RSA_CERT:
2782 		if ((r = sshkey_froms(buf, &k)) != 0 ||
2783 		    (r = sshkey_add_private(k)) != 0 ||
2784 		    (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
2785 		    (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
2786 		    (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
2787 		    (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
2788 		    (r = rsa_generate_additional_parameters(k->rsa)) != 0)
2789 			goto out;
2790 		break;
2791 #endif /* WITH_OPENSSL */
2792 	case KEY_ED25519:
2793 		if ((k = sshkey_new_private(type)) == NULL) {
2794 			r = SSH_ERR_ALLOC_FAIL;
2795 			goto out;
2796 		}
2797 		if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
2798 		    (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
2799 			goto out;
2800 		if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
2801 			r = SSH_ERR_INVALID_FORMAT;
2802 			goto out;
2803 		}
2804 		k->ed25519_pk = ed25519_pk;
2805 		k->ed25519_sk = ed25519_sk;
2806 		ed25519_pk = ed25519_sk = NULL;
2807 		break;
2808 	case KEY_ED25519_CERT:
2809 		if ((r = sshkey_froms(buf, &k)) != 0 ||
2810 		    (r = sshkey_add_private(k)) != 0 ||
2811 		    (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
2812 		    (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
2813 			goto out;
2814 		if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
2815 			r = SSH_ERR_INVALID_FORMAT;
2816 			goto out;
2817 		}
2818 		k->ed25519_pk = ed25519_pk;
2819 		k->ed25519_sk = ed25519_sk;
2820 		ed25519_pk = ed25519_sk = NULL;
2821 		break;
2822 	default:
2823 		r = SSH_ERR_KEY_TYPE_UNKNOWN;
2824 		goto out;
2825 	}
2826 #ifdef WITH_OPENSSL
2827 	/* enable blinding */
2828 	switch (k->type) {
2829 	case KEY_RSA:
2830 	case KEY_RSA_CERT:
2831 	case KEY_RSA1:
2832 		if (RSA_blinding_on(k->rsa, NULL) != 1) {
2833 			r = SSH_ERR_LIBCRYPTO_ERROR;
2834 			goto out;
2835 		}
2836 		break;
2837 	}
2838 #endif /* WITH_OPENSSL */
2839 	/* success */
2840 	r = 0;
2841 	if (kp != NULL) {
2842 		*kp = k;
2843 		k = NULL;
2844 	}
2845  out:
2846 	free(tname);
2847 	free(curve);
2848 #ifdef WITH_OPENSSL
2849 	if (exponent != NULL)
2850 		BN_clear_free(exponent);
2851 #endif /* WITH_OPENSSL */
2852 	sshkey_free(k);
2853 	if (ed25519_pk != NULL) {
2854 		explicit_bzero(ed25519_pk, pklen);
2855 		free(ed25519_pk);
2856 	}
2857 	if (ed25519_sk != NULL) {
2858 		explicit_bzero(ed25519_sk, sklen);
2859 		free(ed25519_sk);
2860 	}
2861 	return r;
2862 }
2863 
2864 #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
2865 int
2866 sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
2867 {
2868 	BN_CTX *bnctx;
2869 	EC_POINT *nq = NULL;
2870 	BIGNUM *order, *x, *y, *tmp;
2871 	int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
2872 
2873 	/*
2874 	 * NB. This assumes OpenSSL has already verified that the public
2875 	 * point lies on the curve. This is done by EC_POINT_oct2point()
2876 	 * implicitly calling EC_POINT_is_on_curve(). If this code is ever
2877 	 * reachable with public points not unmarshalled using
2878 	 * EC_POINT_oct2point then the caller will need to explicitly check.
2879 	 */
2880 
2881 	if ((bnctx = BN_CTX_new()) == NULL)
2882 		return SSH_ERR_ALLOC_FAIL;
2883 	BN_CTX_start(bnctx);
2884 
2885 	/*
2886 	 * We shouldn't ever hit this case because bignum_get_ecpoint()
2887 	 * refuses to load GF2m points.
2888 	 */
2889 	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
2890 	    NID_X9_62_prime_field)
2891 		goto out;
2892 
2893 	/* Q != infinity */
2894 	if (EC_POINT_is_at_infinity(group, public))
2895 		goto out;
2896 
2897 	if ((x = BN_CTX_get(bnctx)) == NULL ||
2898 	    (y = BN_CTX_get(bnctx)) == NULL ||
2899 	    (order = BN_CTX_get(bnctx)) == NULL ||
2900 	    (tmp = BN_CTX_get(bnctx)) == NULL) {
2901 		ret = SSH_ERR_ALLOC_FAIL;
2902 		goto out;
2903 	}
2904 
2905 	/* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
2906 	if (EC_GROUP_get_order(group, order, bnctx) != 1 ||
2907 	    EC_POINT_get_affine_coordinates_GFp(group, public,
2908 	    x, y, bnctx) != 1) {
2909 		ret = SSH_ERR_LIBCRYPTO_ERROR;
2910 		goto out;
2911 	}
2912 	if (BN_num_bits(x) <= BN_num_bits(order) / 2 ||
2913 	    BN_num_bits(y) <= BN_num_bits(order) / 2)
2914 		goto out;
2915 
2916 	/* nQ == infinity (n == order of subgroup) */
2917 	if ((nq = EC_POINT_new(group)) == NULL) {
2918 		ret = SSH_ERR_ALLOC_FAIL;
2919 		goto out;
2920 	}
2921 	if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) {
2922 		ret = SSH_ERR_LIBCRYPTO_ERROR;
2923 		goto out;
2924 	}
2925 	if (EC_POINT_is_at_infinity(group, nq) != 1)
2926 		goto out;
2927 
2928 	/* x < order - 1, y < order - 1 */
2929 	if (!BN_sub(tmp, order, BN_value_one())) {
2930 		ret = SSH_ERR_LIBCRYPTO_ERROR;
2931 		goto out;
2932 	}
2933 	if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0)
2934 		goto out;
2935 	ret = 0;
2936  out:
2937 	BN_CTX_free(bnctx);
2938 	if (nq != NULL)
2939 		EC_POINT_free(nq);
2940 	return ret;
2941 }
2942 
2943 int
2944 sshkey_ec_validate_private(const EC_KEY *key)
2945 {
2946 	BN_CTX *bnctx;
2947 	BIGNUM *order, *tmp;
2948 	int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
2949 
2950 	if ((bnctx = BN_CTX_new()) == NULL)
2951 		return SSH_ERR_ALLOC_FAIL;
2952 	BN_CTX_start(bnctx);
2953 
2954 	if ((order = BN_CTX_get(bnctx)) == NULL ||
2955 	    (tmp = BN_CTX_get(bnctx)) == NULL) {
2956 		ret = SSH_ERR_ALLOC_FAIL;
2957 		goto out;
2958 	}
2959 
2960 	/* log2(private) > log2(order)/2 */
2961 	if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) {
2962 		ret = SSH_ERR_LIBCRYPTO_ERROR;
2963 		goto out;
2964 	}
2965 	if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
2966 	    BN_num_bits(order) / 2)
2967 		goto out;
2968 
2969 	/* private < order - 1 */
2970 	if (!BN_sub(tmp, order, BN_value_one())) {
2971 		ret = SSH_ERR_LIBCRYPTO_ERROR;
2972 		goto out;
2973 	}
2974 	if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
2975 		goto out;
2976 	ret = 0;
2977  out:
2978 	BN_CTX_free(bnctx);
2979 	return ret;
2980 }
2981 
2982 void
2983 sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
2984 {
2985 	BIGNUM *x, *y;
2986 	BN_CTX *bnctx;
2987 
2988 	if (point == NULL) {
2989 		fputs("point=(NULL)\n", stderr);
2990 		return;
2991 	}
2992 	if ((bnctx = BN_CTX_new()) == NULL) {
2993 		fprintf(stderr, "%s: BN_CTX_new failed\n", __func__);
2994 		return;
2995 	}
2996 	BN_CTX_start(bnctx);
2997 	if ((x = BN_CTX_get(bnctx)) == NULL ||
2998 	    (y = BN_CTX_get(bnctx)) == NULL) {
2999 		fprintf(stderr, "%s: BN_CTX_get failed\n", __func__);
3000 		return;
3001 	}
3002 	if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
3003 	    NID_X9_62_prime_field) {
3004 		fprintf(stderr, "%s: group is not a prime field\n", __func__);
3005 		return;
3006 	}
3007 	if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y,
3008 	    bnctx) != 1) {
3009 		fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
3010 		    __func__);
3011 		return;
3012 	}
3013 	fputs("x=", stderr);
3014 	BN_print_fp(stderr, x);
3015 	fputs("\ny=", stderr);
3016 	BN_print_fp(stderr, y);
3017 	fputs("\n", stderr);
3018 	BN_CTX_free(bnctx);
3019 }
3020 
3021 void
3022 sshkey_dump_ec_key(const EC_KEY *key)
3023 {
3024 	const BIGNUM *exponent;
3025 
3026 	sshkey_dump_ec_point(EC_KEY_get0_group(key),
3027 	    EC_KEY_get0_public_key(key));
3028 	fputs("exponent=", stderr);
3029 	if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
3030 		fputs("(NULL)", stderr);
3031 	else
3032 		BN_print_fp(stderr, EC_KEY_get0_private_key(key));
3033 	fputs("\n", stderr);
3034 }
3035 #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
3036 
3037 static int
3038 sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob,
3039     const char *passphrase, const char *comment, const char *ciphername,
3040     int rounds)
3041 {
3042 	u_char *cp, *key = NULL, *pubkeyblob = NULL;
3043 	u_char salt[SALT_LEN];
3044 	char *b64 = NULL;
3045 	size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
3046 	u_int check;
3047 	int r = SSH_ERR_INTERNAL_ERROR;
3048 	struct sshcipher_ctx *ciphercontext = NULL;
3049 	const struct sshcipher *cipher;
3050 	const char *kdfname = KDFNAME;
3051 	struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL;
3052 
3053 	if (rounds <= 0)
3054 		rounds = DEFAULT_ROUNDS;
3055 	if (passphrase == NULL || !strlen(passphrase)) {
3056 		ciphername = "none";
3057 		kdfname = "none";
3058 	} else if (ciphername == NULL)
3059 		ciphername = DEFAULT_CIPHERNAME;
3060 	else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) {
3061 		r = SSH_ERR_INVALID_ARGUMENT;
3062 		goto out;
3063 	}
3064 	if ((cipher = cipher_by_name(ciphername)) == NULL) {
3065 		r = SSH_ERR_INTERNAL_ERROR;
3066 		goto out;
3067 	}
3068 
3069 	if ((kdf = sshbuf_new()) == NULL ||
3070 	    (encoded = sshbuf_new()) == NULL ||
3071 	    (encrypted = sshbuf_new()) == NULL) {
3072 		r = SSH_ERR_ALLOC_FAIL;
3073 		goto out;
3074 	}
3075 	blocksize = cipher_blocksize(cipher);
3076 	keylen = cipher_keylen(cipher);
3077 	ivlen = cipher_ivlen(cipher);
3078 	authlen = cipher_authlen(cipher);
3079 	if ((key = calloc(1, keylen + ivlen)) == NULL) {
3080 		r = SSH_ERR_ALLOC_FAIL;
3081 		goto out;
3082 	}
3083 	if (strcmp(kdfname, "bcrypt") == 0) {
3084 		arc4random_buf(salt, SALT_LEN);
3085 		if (bcrypt_pbkdf(passphrase, strlen(passphrase),
3086 		    salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
3087 			r = SSH_ERR_INVALID_ARGUMENT;
3088 			goto out;
3089 		}
3090 		if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 ||
3091 		    (r = sshbuf_put_u32(kdf, rounds)) != 0)
3092 			goto out;
3093 	} else if (strcmp(kdfname, "none") != 0) {
3094 		/* Unsupported KDF type */
3095 		r = SSH_ERR_KEY_UNKNOWN_CIPHER;
3096 		goto out;
3097 	}
3098 	if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
3099 	    key + keylen, ivlen, 1)) != 0)
3100 		goto out;
3101 
3102 	if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 ||
3103 	    (r = sshbuf_put_cstring(encoded, ciphername)) != 0 ||
3104 	    (r = sshbuf_put_cstring(encoded, kdfname)) != 0 ||
3105 	    (r = sshbuf_put_stringb(encoded, kdf)) != 0 ||
3106 	    (r = sshbuf_put_u32(encoded, 1)) != 0 ||	/* number of keys */
3107 	    (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 ||
3108 	    (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
3109 		goto out;
3110 
3111 	/* set up the buffer that will be encrypted */
3112 
3113 	/* Random check bytes */
3114 	check = arc4random();
3115 	if ((r = sshbuf_put_u32(encrypted, check)) != 0 ||
3116 	    (r = sshbuf_put_u32(encrypted, check)) != 0)
3117 		goto out;
3118 
3119 	/* append private key and comment*/
3120 	if ((r = sshkey_private_serialize(prv, encrypted)) != 0 ||
3121 	    (r = sshbuf_put_cstring(encrypted, comment)) != 0)
3122 		goto out;
3123 
3124 	/* padding */
3125 	i = 0;
3126 	while (sshbuf_len(encrypted) % blocksize) {
3127 		if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
3128 			goto out;
3129 	}
3130 
3131 	/* length in destination buffer */
3132 	if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
3133 		goto out;
3134 
3135 	/* encrypt */
3136 	if ((r = sshbuf_reserve(encoded,
3137 	    sshbuf_len(encrypted) + authlen, &cp)) != 0)
3138 		goto out;
3139 	if ((r = cipher_crypt(ciphercontext, 0, cp,
3140 	    sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
3141 		goto out;
3142 
3143 	/* uuencode */
3144 	if ((b64 = sshbuf_dtob64(encoded)) == NULL) {
3145 		r = SSH_ERR_ALLOC_FAIL;
3146 		goto out;
3147 	}
3148 
3149 	sshbuf_reset(blob);
3150 	if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0)
3151 		goto out;
3152 	for (i = 0; i < strlen(b64); i++) {
3153 		if ((r = sshbuf_put_u8(blob, b64[i])) != 0)
3154 			goto out;
3155 		/* insert line breaks */
3156 		if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0)
3157 			goto out;
3158 	}
3159 	if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0)
3160 		goto out;
3161 	if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0)
3162 		goto out;
3163 
3164 	/* success */
3165 	r = 0;
3166 
3167  out:
3168 	sshbuf_free(kdf);
3169 	sshbuf_free(encoded);
3170 	sshbuf_free(encrypted);
3171 	cipher_free(ciphercontext);
3172 	explicit_bzero(salt, sizeof(salt));
3173 	if (key != NULL) {
3174 		explicit_bzero(key, keylen + ivlen);
3175 		free(key);
3176 	}
3177 	if (pubkeyblob != NULL) {
3178 		explicit_bzero(pubkeyblob, pubkeylen);
3179 		free(pubkeyblob);
3180 	}
3181 	if (b64 != NULL) {
3182 		explicit_bzero(b64, strlen(b64));
3183 		free(b64);
3184 	}
3185 	return r;
3186 }
3187 
3188 static int
3189 sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
3190     struct sshkey **keyp, char **commentp)
3191 {
3192 	char *comment = NULL, *ciphername = NULL, *kdfname = NULL;
3193 	const struct sshcipher *cipher = NULL;
3194 	const u_char *cp;
3195 	int r = SSH_ERR_INTERNAL_ERROR;
3196 	size_t encoded_len;
3197 	size_t i, keylen = 0, ivlen = 0, authlen = 0, slen = 0;
3198 	struct sshbuf *encoded = NULL, *decoded = NULL;
3199 	struct sshbuf *kdf = NULL, *decrypted = NULL;
3200 	struct sshcipher_ctx *ciphercontext = NULL;
3201 	struct sshkey *k = NULL;
3202 	u_char *key = NULL, *salt = NULL, *dp, pad, last;
3203 	u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
3204 
3205 	if (keyp != NULL)
3206 		*keyp = NULL;
3207 	if (commentp != NULL)
3208 		*commentp = NULL;
3209 
3210 	if ((encoded = sshbuf_new()) == NULL ||
3211 	    (decoded = sshbuf_new()) == NULL ||
3212 	    (decrypted = sshbuf_new()) == NULL) {
3213 		r = SSH_ERR_ALLOC_FAIL;
3214 		goto out;
3215 	}
3216 
3217 	/* check preamble */
3218 	cp = sshbuf_ptr(blob);
3219 	encoded_len = sshbuf_len(blob);
3220 	if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) ||
3221 	    memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) {
3222 		r = SSH_ERR_INVALID_FORMAT;
3223 		goto out;
3224 	}
3225 	cp += MARK_BEGIN_LEN;
3226 	encoded_len -= MARK_BEGIN_LEN;
3227 
3228 	/* Look for end marker, removing whitespace as we go */
3229 	while (encoded_len > 0) {
3230 		if (*cp != '\n' && *cp != '\r') {
3231 			if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
3232 				goto out;
3233 		}
3234 		last = *cp;
3235 		encoded_len--;
3236 		cp++;
3237 		if (last == '\n') {
3238 			if (encoded_len >= MARK_END_LEN &&
3239 			    memcmp(cp, MARK_END, MARK_END_LEN) == 0) {
3240 				/* \0 terminate */
3241 				if ((r = sshbuf_put_u8(encoded, 0)) != 0)
3242 					goto out;
3243 				break;
3244 			}
3245 		}
3246 	}
3247 	if (encoded_len == 0) {
3248 		r = SSH_ERR_INVALID_FORMAT;
3249 		goto out;
3250 	}
3251 
3252 	/* decode base64 */
3253 	if ((r = sshbuf_b64tod(decoded, (char *)sshbuf_ptr(encoded))) != 0)
3254 		goto out;
3255 
3256 	/* check magic */
3257 	if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) ||
3258 	    memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
3259 		r = SSH_ERR_INVALID_FORMAT;
3260 		goto out;
3261 	}
3262 	/* parse public portion of key */
3263 	if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
3264 	    (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 ||
3265 	    (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 ||
3266 	    (r = sshbuf_froms(decoded, &kdf)) != 0 ||
3267 	    (r = sshbuf_get_u32(decoded, &nkeys)) != 0 ||
3268 	    (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */
3269 	    (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
3270 		goto out;
3271 
3272 	if ((cipher = cipher_by_name(ciphername)) == NULL) {
3273 		r = SSH_ERR_KEY_UNKNOWN_CIPHER;
3274 		goto out;
3275 	}
3276 	if ((passphrase == NULL || strlen(passphrase) == 0) &&
3277 	    strcmp(ciphername, "none") != 0) {
3278 		/* passphrase required */
3279 		r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3280 		goto out;
3281 	}
3282 	if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
3283 		r = SSH_ERR_KEY_UNKNOWN_CIPHER;
3284 		goto out;
3285 	}
3286 	if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) {
3287 		r = SSH_ERR_INVALID_FORMAT;
3288 		goto out;
3289 	}
3290 	if (nkeys != 1) {
3291 		/* XXX only one key supported */
3292 		r = SSH_ERR_INVALID_FORMAT;
3293 		goto out;
3294 	}
3295 
3296 	/* check size of encrypted key blob */
3297 	blocksize = cipher_blocksize(cipher);
3298 	if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) {
3299 		r = SSH_ERR_INVALID_FORMAT;
3300 		goto out;
3301 	}
3302 
3303 	/* setup key */
3304 	keylen = cipher_keylen(cipher);
3305 	ivlen = cipher_ivlen(cipher);
3306 	authlen = cipher_authlen(cipher);
3307 	if ((key = calloc(1, keylen + ivlen)) == NULL) {
3308 		r = SSH_ERR_ALLOC_FAIL;
3309 		goto out;
3310 	}
3311 	if (strcmp(kdfname, "bcrypt") == 0) {
3312 		if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 ||
3313 		    (r = sshbuf_get_u32(kdf, &rounds)) != 0)
3314 			goto out;
3315 		if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
3316 		    key, keylen + ivlen, rounds) < 0) {
3317 			r = SSH_ERR_INVALID_FORMAT;
3318 			goto out;
3319 		}
3320 	}
3321 
3322 	/* check that an appropriate amount of auth data is present */
3323 	if (sshbuf_len(decoded) < encrypted_len + authlen) {
3324 		r = SSH_ERR_INVALID_FORMAT;
3325 		goto out;
3326 	}
3327 
3328 	/* decrypt private portion of key */
3329 	if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 ||
3330 	    (r = cipher_init(&ciphercontext, cipher, key, keylen,
3331 	    key + keylen, ivlen, 0)) != 0)
3332 		goto out;
3333 	if ((r = cipher_crypt(ciphercontext, 0, dp, sshbuf_ptr(decoded),
3334 	    encrypted_len, 0, authlen)) != 0) {
3335 		/* an integrity error here indicates an incorrect passphrase */
3336 		if (r == SSH_ERR_MAC_INVALID)
3337 			r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3338 		goto out;
3339 	}
3340 	if ((r = sshbuf_consume(decoded, encrypted_len + authlen)) != 0)
3341 		goto out;
3342 	/* there should be no trailing data */
3343 	if (sshbuf_len(decoded) != 0) {
3344 		r = SSH_ERR_INVALID_FORMAT;
3345 		goto out;
3346 	}
3347 
3348 	/* check check bytes */
3349 	if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 ||
3350 	    (r = sshbuf_get_u32(decrypted, &check2)) != 0)
3351 		goto out;
3352 	if (check1 != check2) {
3353 		r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3354 		goto out;
3355 	}
3356 
3357 	/* Load the private key and comment */
3358 	if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 ||
3359 	    (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0)
3360 		goto out;
3361 
3362 	/* Check deterministic padding */
3363 	i = 0;
3364 	while (sshbuf_len(decrypted)) {
3365 		if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
3366 			goto out;
3367 		if (pad != (++i & 0xff)) {
3368 			r = SSH_ERR_INVALID_FORMAT;
3369 			goto out;
3370 		}
3371 	}
3372 
3373 	/* XXX decode pubkey and check against private */
3374 
3375 	/* success */
3376 	r = 0;
3377 	if (keyp != NULL) {
3378 		*keyp = k;
3379 		k = NULL;
3380 	}
3381 	if (commentp != NULL) {
3382 		*commentp = comment;
3383 		comment = NULL;
3384 	}
3385  out:
3386 	pad = 0;
3387 	cipher_free(ciphercontext);
3388 	free(ciphername);
3389 	free(kdfname);
3390 	free(comment);
3391 	if (salt != NULL) {
3392 		explicit_bzero(salt, slen);
3393 		free(salt);
3394 	}
3395 	if (key != NULL) {
3396 		explicit_bzero(key, keylen + ivlen);
3397 		free(key);
3398 	}
3399 	sshbuf_free(encoded);
3400 	sshbuf_free(decoded);
3401 	sshbuf_free(kdf);
3402 	sshbuf_free(decrypted);
3403 	sshkey_free(k);
3404 	return r;
3405 }
3406 
3407 #if WITH_SSH1
3408 /*
3409  * Serialises the authentication (private) key to a blob, encrypting it with
3410  * passphrase.  The identification of the blob (lowest 64 bits of n) will
3411  * precede the key to provide identification of the key without needing a
3412  * passphrase.
3413  */
3414 static int
3415 sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob,
3416     const char *passphrase, const char *comment)
3417 {
3418 	struct sshbuf *buffer = NULL, *encrypted = NULL;
3419 	u_char buf[8];
3420 	int r, cipher_num;
3421 	struct sshcipher_ctx *ciphercontext = NULL;
3422 	const struct sshcipher *cipher;
3423 	u_char *cp;
3424 
3425 	/*
3426 	 * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting
3427 	 * to another cipher; otherwise use SSH_AUTHFILE_CIPHER.
3428 	 */
3429 	cipher_num = (strcmp(passphrase, "") == 0) ?
3430 	    SSH_CIPHER_NONE : SSH_CIPHER_3DES;
3431 	if ((cipher = cipher_by_number(cipher_num)) == NULL)
3432 		return SSH_ERR_INTERNAL_ERROR;
3433 
3434 	/* This buffer is used to build the secret part of the private key. */
3435 	if ((buffer = sshbuf_new()) == NULL)
3436 		return SSH_ERR_ALLOC_FAIL;
3437 
3438 	/* Put checkbytes for checking passphrase validity. */
3439 	if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0)
3440 		goto out;
3441 	arc4random_buf(cp, 2);
3442 	memcpy(cp + 2, cp, 2);
3443 
3444 	/*
3445 	 * Store the private key (n and e will not be stored because they
3446 	 * will be stored in plain text, and storing them also in encrypted
3447 	 * format would just give known plaintext).
3448 	 * Note: q and p are stored in reverse order to SSL.
3449 	 */
3450 	if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 ||
3451 	    (r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 ||
3452 	    (r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 ||
3453 	    (r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0)
3454 		goto out;
3455 
3456 	/* Pad the part to be encrypted to a size that is a multiple of 8. */
3457 	explicit_bzero(buf, 8);
3458 	if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0)
3459 		goto out;
3460 
3461 	/* This buffer will be used to contain the data in the file. */
3462 	if ((encrypted = sshbuf_new()) == NULL) {
3463 		r = SSH_ERR_ALLOC_FAIL;
3464 		goto out;
3465 	}
3466 
3467 	/* First store keyfile id string. */
3468 	if ((r = sshbuf_put(encrypted, LEGACY_BEGIN,
3469 	    sizeof(LEGACY_BEGIN))) != 0)
3470 		goto out;
3471 
3472 	/* Store cipher type and "reserved" field. */
3473 	if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 ||
3474 	    (r = sshbuf_put_u32(encrypted, 0)) != 0)
3475 		goto out;
3476 
3477 	/* Store public key.  This will be in plain text. */
3478 	if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 ||
3479 	    (r = sshbuf_put_bignum1(encrypted, key->rsa->n)) != 0 ||
3480 	    (r = sshbuf_put_bignum1(encrypted, key->rsa->e)) != 0 ||
3481 	    (r = sshbuf_put_cstring(encrypted, comment)) != 0)
3482 		goto out;
3483 
3484 	/* Allocate space for the private part of the key in the buffer. */
3485 	if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0)
3486 		goto out;
3487 
3488 	if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
3489 	    CIPHER_ENCRYPT)) != 0)
3490 		goto out;
3491 	if ((r = cipher_crypt(ciphercontext, 0, cp,
3492 	    sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0)
3493 		goto out;
3494 
3495 	r = sshbuf_putb(blob, encrypted);
3496 
3497  out:
3498 	cipher_free(ciphercontext);
3499 	explicit_bzero(buf, sizeof(buf));
3500 	sshbuf_free(buffer);
3501 	sshbuf_free(encrypted);
3502 
3503 	return r;
3504 }
3505 #endif /* WITH_SSH1 */
3506 
3507 #ifdef WITH_OPENSSL
3508 /* convert SSH v2 key in OpenSSL PEM format */
3509 static int
3510 sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
3511     const char *_passphrase, const char *comment)
3512 {
3513 	int success, r;
3514 	int blen, len = strlen(_passphrase);
3515 	u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
3516 #if (OPENSSL_VERSION_NUMBER < 0x00907000L)
3517 	const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;
3518 #else
3519  	const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
3520 #endif
3521 	const u_char *bptr;
3522 	BIO *bio = NULL;
3523 
3524 	if (len > 0 && len <= 4)
3525 		return SSH_ERR_PASSPHRASE_TOO_SHORT;
3526 	if ((bio = BIO_new(BIO_s_mem())) == NULL)
3527 		return SSH_ERR_ALLOC_FAIL;
3528 
3529 	switch (key->type) {
3530 	case KEY_DSA:
3531 		success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
3532 		    cipher, passphrase, len, NULL, NULL);
3533 		break;
3534 #ifdef OPENSSL_HAS_ECC
3535 	case KEY_ECDSA:
3536 		success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
3537 		    cipher, passphrase, len, NULL, NULL);
3538 		break;
3539 #endif
3540 	case KEY_RSA:
3541 		success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
3542 		    cipher, passphrase, len, NULL, NULL);
3543 		break;
3544 	default:
3545 		success = 0;
3546 		break;
3547 	}
3548 	if (success == 0) {
3549 		r = SSH_ERR_LIBCRYPTO_ERROR;
3550 		goto out;
3551 	}
3552 	if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
3553 		r = SSH_ERR_INTERNAL_ERROR;
3554 		goto out;
3555 	}
3556 	if ((r = sshbuf_put(blob, bptr, blen)) != 0)
3557 		goto out;
3558 	r = 0;
3559  out:
3560 	BIO_free(bio);
3561 	return r;
3562 }
3563 #endif /* WITH_OPENSSL */
3564 
3565 /* Serialise "key" to buffer "blob" */
3566 int
3567 sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
3568     const char *passphrase, const char *comment,
3569     int force_new_format, const char *new_format_cipher, int new_format_rounds)
3570 {
3571 	switch (key->type) {
3572 #ifdef WITH_SSH1
3573 	case KEY_RSA1:
3574 		return sshkey_private_rsa1_to_blob(key, blob,
3575 		    passphrase, comment);
3576 #endif /* WITH_SSH1 */
3577 #ifdef WITH_OPENSSL
3578 	case KEY_DSA:
3579 	case KEY_ECDSA:
3580 	case KEY_RSA:
3581 		if (force_new_format) {
3582 			return sshkey_private_to_blob2(key, blob, passphrase,
3583 			    comment, new_format_cipher, new_format_rounds);
3584 		}
3585 		return sshkey_private_pem_to_blob(key, blob,
3586 		    passphrase, comment);
3587 #endif /* WITH_OPENSSL */
3588 	case KEY_ED25519:
3589 		return sshkey_private_to_blob2(key, blob, passphrase,
3590 		    comment, new_format_cipher, new_format_rounds);
3591 	default:
3592 		return SSH_ERR_KEY_TYPE_UNKNOWN;
3593 	}
3594 }
3595 
3596 #ifdef WITH_SSH1
3597 /*
3598  * Parse the public, unencrypted portion of a RSA1 key.
3599  */
3600 int
3601 sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob,
3602     struct sshkey **keyp, char **commentp)
3603 {
3604 	int r;
3605 	struct sshkey *pub = NULL;
3606 	struct sshbuf *copy = NULL;
3607 
3608 	if (keyp != NULL)
3609 		*keyp = NULL;
3610 	if (commentp != NULL)
3611 		*commentp = NULL;
3612 
3613 	/* Check that it is at least big enough to contain the ID string. */
3614 	if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN))
3615 		return SSH_ERR_INVALID_FORMAT;
3616 
3617 	/*
3618 	 * Make sure it begins with the id string.  Consume the id string
3619 	 * from the buffer.
3620 	 */
3621 	if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0)
3622 		return SSH_ERR_INVALID_FORMAT;
3623 	/* Make a working copy of the keyblob and skip past the magic */
3624 	if ((copy = sshbuf_fromb(blob)) == NULL)
3625 		return SSH_ERR_ALLOC_FAIL;
3626 	if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0)
3627 		goto out;
3628 
3629 	/* Skip cipher type, reserved data and key bits. */
3630 	if ((r = sshbuf_get_u8(copy, NULL)) != 0 ||	/* cipher type */
3631 	    (r = sshbuf_get_u32(copy, NULL)) != 0 ||	/* reserved */
3632 	    (r = sshbuf_get_u32(copy, NULL)) != 0)	/* key bits */
3633 		goto out;
3634 
3635 	/* Read the public key from the buffer. */
3636 	if ((pub = sshkey_new(KEY_RSA1)) == NULL ||
3637 	    (r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 ||
3638 	    (r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0)
3639 		goto out;
3640 
3641 	/* Finally, the comment */
3642 	if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0)
3643 		goto out;
3644 
3645 	/* The encrypted private part is not parsed by this function. */
3646 
3647 	r = 0;
3648 	if (keyp != NULL) {
3649 		*keyp = pub;
3650 		pub = NULL;
3651 	}
3652  out:
3653 	sshbuf_free(copy);
3654 	sshkey_free(pub);
3655 	return r;
3656 }
3657 
3658 static int
3659 sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase,
3660     struct sshkey **keyp, char **commentp)
3661 {
3662 	int r;
3663 	u_int16_t check1, check2;
3664 	u_int8_t cipher_type;
3665 	struct sshbuf *decrypted = NULL, *copy = NULL;
3666 	u_char *cp;
3667 	char *comment = NULL;
3668 	struct sshcipher_ctx *ciphercontext = NULL;
3669 	const struct sshcipher *cipher;
3670 	struct sshkey *prv = NULL;
3671 
3672 	if (keyp != NULL)
3673 		*keyp = NULL;
3674 	if (commentp != NULL)
3675 		*commentp = NULL;
3676 
3677 	/* Check that it is at least big enough to contain the ID string. */
3678 	if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN))
3679 		return SSH_ERR_INVALID_FORMAT;
3680 
3681 	/*
3682 	 * Make sure it begins with the id string.  Consume the id string
3683 	 * from the buffer.
3684 	 */
3685 	if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0)
3686 		return SSH_ERR_INVALID_FORMAT;
3687 
3688 	if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) {
3689 		r = SSH_ERR_ALLOC_FAIL;
3690 		goto out;
3691 	}
3692 	if ((copy = sshbuf_fromb(blob)) == NULL ||
3693 	    (decrypted = sshbuf_new()) == NULL) {
3694 		r = SSH_ERR_ALLOC_FAIL;
3695 		goto out;
3696 	}
3697 	if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0)
3698 		goto out;
3699 
3700 	/* Read cipher type. */
3701 	if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 ||
3702 	    (r = sshbuf_get_u32(copy, NULL)) != 0)	/* reserved */
3703 		goto out;
3704 
3705 	/* Read the public key and comment from the buffer. */
3706 	if ((r = sshbuf_get_u32(copy, NULL)) != 0 ||	/* key bits */
3707 	    (r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 ||
3708 	    (r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 ||
3709 	    (r = sshbuf_get_cstring(copy, &comment, NULL)) != 0)
3710 		goto out;
3711 
3712 	/* Check that it is a supported cipher. */
3713 	cipher = cipher_by_number(cipher_type);
3714 	if (cipher == NULL) {
3715 		r = SSH_ERR_KEY_UNKNOWN_CIPHER;
3716 		goto out;
3717 	}
3718 	/* Initialize space for decrypted data. */
3719 	if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0)
3720 		goto out;
3721 
3722 	/* Rest of the buffer is encrypted.  Decrypt it using the passphrase. */
3723 	if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
3724 	    CIPHER_DECRYPT)) != 0)
3725 		goto out;
3726 	if ((r = cipher_crypt(ciphercontext, 0, cp,
3727 	    sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0)
3728 		goto out;
3729 
3730 	if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 ||
3731 	    (r = sshbuf_get_u16(decrypted, &check2)) != 0)
3732 		goto out;
3733 	if (check1 != check2) {
3734 		r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3735 		goto out;
3736 	}
3737 
3738 	/* Read the rest of the private key. */
3739 	if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 ||
3740 	    (r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 ||
3741 	    (r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 ||
3742 	    (r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0)
3743 		goto out;
3744 
3745 	/* calculate p-1 and q-1 */
3746 	if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0)
3747 		goto out;
3748 
3749 	/* enable blinding */
3750 	if (RSA_blinding_on(prv->rsa, NULL) != 1) {
3751 		r = SSH_ERR_LIBCRYPTO_ERROR;
3752 		goto out;
3753 	}
3754 	r = 0;
3755 	if (keyp != NULL) {
3756 		*keyp = prv;
3757 		prv = NULL;
3758 	}
3759 	if (commentp != NULL) {
3760 		*commentp = comment;
3761 		comment = NULL;
3762 	}
3763  out:
3764 	cipher_free(ciphercontext);
3765 	free(comment);
3766 	sshkey_free(prv);
3767 	sshbuf_free(copy);
3768 	sshbuf_free(decrypted);
3769 	return r;
3770 }
3771 #endif /* WITH_SSH1 */
3772 
3773 #ifdef WITH_OPENSSL
3774 static int
3775 sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
3776     const char *passphrase, struct sshkey **keyp)
3777 {
3778 	EVP_PKEY *pk = NULL;
3779 	struct sshkey *prv = NULL;
3780 	BIO *bio = NULL;
3781 	int r;
3782 
3783 	if (keyp != NULL)
3784 		*keyp = NULL;
3785 
3786 	if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX)
3787 		return SSH_ERR_ALLOC_FAIL;
3788 	if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
3789 	    (int)sshbuf_len(blob)) {
3790 		r = SSH_ERR_ALLOC_FAIL;
3791 		goto out;
3792 	}
3793 
3794 	if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
3795 	    (char *)passphrase)) == NULL) {
3796 		unsigned long pem_err = ERR_peek_last_error();
3797 		int pem_reason = ERR_GET_REASON(pem_err);
3798 
3799 		/*
3800 		 * Translate OpenSSL error codes to determine whether
3801 		 * passphrase is required/incorrect.
3802 		 */
3803 		switch (ERR_GET_LIB(pem_err)) {
3804 		case ERR_LIB_PEM:
3805 			switch (pem_reason) {
3806 			case PEM_R_BAD_PASSWORD_READ:
3807 			case PEM_R_PROBLEMS_GETTING_PASSWORD:
3808 			case PEM_R_BAD_DECRYPT:
3809 				r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3810 				goto out;
3811 			default:
3812 				r = SSH_ERR_INVALID_FORMAT;
3813 				goto out;
3814 			}
3815 		case ERR_LIB_EVP:
3816 			switch (pem_reason) {
3817 			case EVP_R_BAD_DECRYPT:
3818 				r = SSH_ERR_KEY_WRONG_PASSPHRASE;
3819 				goto out;
3820 			case EVP_R_BN_DECODE_ERROR:
3821 			case EVP_R_DECODE_ERROR:
3822 #ifdef EVP_R_PRIVATE_KEY_DECODE_ERROR
3823 			case EVP_R_PRIVATE_KEY_DECODE_ERROR:
3824 #endif
3825 				r = SSH_ERR_INVALID_FORMAT;
3826 				goto out;
3827 			default:
3828 				r = SSH_ERR_LIBCRYPTO_ERROR;
3829 				goto out;
3830 			}
3831 		case ERR_LIB_ASN1:
3832 			r = SSH_ERR_INVALID_FORMAT;
3833 			goto out;
3834 		}
3835 		r = SSH_ERR_LIBCRYPTO_ERROR;
3836 		goto out;
3837 	}
3838 	if (pk->type == EVP_PKEY_RSA &&
3839 	    (type == KEY_UNSPEC || type == KEY_RSA)) {
3840 		if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
3841 			r = SSH_ERR_ALLOC_FAIL;
3842 			goto out;
3843 		}
3844 		prv->rsa = EVP_PKEY_get1_RSA(pk);
3845 		prv->type = KEY_RSA;
3846 #ifdef DEBUG_PK
3847 		RSA_print_fp(stderr, prv->rsa, 8);
3848 #endif
3849 		if (RSA_blinding_on(prv->rsa, NULL) != 1) {
3850 			r = SSH_ERR_LIBCRYPTO_ERROR;
3851 			goto out;
3852 		}
3853 	} else if (pk->type == EVP_PKEY_DSA &&
3854 	    (type == KEY_UNSPEC || type == KEY_DSA)) {
3855 		if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
3856 			r = SSH_ERR_ALLOC_FAIL;
3857 			goto out;
3858 		}
3859 		prv->dsa = EVP_PKEY_get1_DSA(pk);
3860 		prv->type = KEY_DSA;
3861 #ifdef DEBUG_PK
3862 		DSA_print_fp(stderr, prv->dsa, 8);
3863 #endif
3864 #ifdef OPENSSL_HAS_ECC
3865 	} else if (pk->type == EVP_PKEY_EC &&
3866 	    (type == KEY_UNSPEC || type == KEY_ECDSA)) {
3867 		if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
3868 			r = SSH_ERR_ALLOC_FAIL;
3869 			goto out;
3870 		}
3871 		prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
3872 		prv->type = KEY_ECDSA;
3873 		prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
3874 		if (prv->ecdsa_nid == -1 ||
3875 		    sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
3876 		    sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
3877 		    EC_KEY_get0_public_key(prv->ecdsa)) != 0 ||
3878 		    sshkey_ec_validate_private(prv->ecdsa) != 0) {
3879 			r = SSH_ERR_INVALID_FORMAT;
3880 			goto out;
3881 		}
3882 # ifdef DEBUG_PK
3883 		if (prv != NULL && prv->ecdsa != NULL)
3884 			sshkey_dump_ec_key(prv->ecdsa);
3885 # endif
3886 #endif /* OPENSSL_HAS_ECC */
3887 	} else {
3888 		r = SSH_ERR_INVALID_FORMAT;
3889 		goto out;
3890 	}
3891 	r = 0;
3892 	if (keyp != NULL) {
3893 		*keyp = prv;
3894 		prv = NULL;
3895 	}
3896  out:
3897 	BIO_free(bio);
3898 	if (pk != NULL)
3899 		EVP_PKEY_free(pk);
3900 	sshkey_free(prv);
3901 	return r;
3902 }
3903 #endif /* WITH_OPENSSL */
3904 
3905 int
3906 sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
3907     const char *passphrase, struct sshkey **keyp, char **commentp)
3908 {
3909 	int r = SSH_ERR_INTERNAL_ERROR;
3910 
3911 	if (keyp != NULL)
3912 		*keyp = NULL;
3913 	if (commentp != NULL)
3914 		*commentp = NULL;
3915 
3916 	switch (type) {
3917 #ifdef WITH_SSH1
3918 	case KEY_RSA1:
3919 		return sshkey_parse_private_rsa1(blob, passphrase,
3920 		    keyp, commentp);
3921 #endif /* WITH_SSH1 */
3922 #ifdef WITH_OPENSSL
3923 	case KEY_DSA:
3924 	case KEY_ECDSA:
3925 	case KEY_RSA:
3926 		return sshkey_parse_private_pem_fileblob(blob, type,
3927 		    passphrase, keyp);
3928 #endif /* WITH_OPENSSL */
3929 	case KEY_ED25519:
3930 		return sshkey_parse_private2(blob, type, passphrase,
3931 		    keyp, commentp);
3932 	case KEY_UNSPEC:
3933 		r = sshkey_parse_private2(blob, type, passphrase, keyp,
3934 		    commentp);
3935 		/* Do not fallback to PEM parser if only passphrase is wrong. */
3936 		if (r == 0 || r == SSH_ERR_KEY_WRONG_PASSPHRASE)
3937 			return r;
3938 #ifdef WITH_OPENSSL
3939 		return sshkey_parse_private_pem_fileblob(blob, type,
3940 		    passphrase, keyp);
3941 #else
3942 		return SSH_ERR_INVALID_FORMAT;
3943 #endif /* WITH_OPENSSL */
3944 	default:
3945 		return SSH_ERR_KEY_TYPE_UNKNOWN;
3946 	}
3947 }
3948 
3949 int
3950 sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
3951     struct sshkey **keyp, char **commentp)
3952 {
3953 	if (keyp != NULL)
3954 		*keyp = NULL;
3955 	if (commentp != NULL)
3956 		*commentp = NULL;
3957 
3958 #ifdef WITH_SSH1
3959 	/* it's a SSH v1 key if the public key part is readable */
3960 	if (sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL) == 0) {
3961 		return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
3962 		    passphrase, keyp, commentp);
3963 	}
3964 #endif /* WITH_SSH1 */
3965 	return sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
3966 	    passphrase, keyp, commentp);
3967 }
3968