openssh.patch

From 9aefd8306f793f0d82c70bbdd632f28f43f16ab5 Mon Sep 17 00:00:00 2001
From: Alex Wilson <alex@cooperi.net>
Date: Wed, 9 Mar 2022 14:38:30 +1000
Subject: [PATCH] xxx: pivy changes

---
 authfd.c                        |   2 +-
 authfd.h                        |   4 +
 cipher.c                        |   6 +-
 defines.h                       |   2 +-
 digest.h                        |  14 +-
 misc.c                          |   2 +
 openbsd-compat/arc4random.c     |   7 +
 openbsd-compat/bcrypt_pbkdf.c   |   2 +-
 openbsd-compat/openbsd-compat.h |   4 +-
 sshbuf-getput-basic.c           | 198 ++++++++++++++++
 sshbuf-getput-crypto.c          |  72 +++++-
 sshbuf.c                        |  18 ++
 sshbuf.h                        |  19 ++
 ssherr.h                        |  26 +++
 sshkey.c                        | 396 +++++++++++++++++++++++++++++++-
 sshkey.h                        |  12 +
 16 files changed, 768 insertions(+), 16 deletions(-)

diff --git a/authfd.c b/authfd.c
index e04ad0cf2..d5a6a5c8f 100644
--- a/authfd.c
+++ openssh/authfd.c
@@ -134,7 +134,7 @@ ssh_get_authentication_socket(int *fdp)
 }
 
 /* Communicate with agent: send request and read reply */
-static int
+int
 ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
 {
 	int r;
diff --git a/authfd.h b/authfd.h
index c1e4b405c..251c74a06 100644
--- a/authfd.h
+++ openssh/authfd.h
@@ -60,6 +60,8 @@ int	ssh_update_card(int sock, int add, const char *reader_id,
 	    int cert_only, struct sshkey **certs, size_t ncerts);
 int	ssh_remove_all_identities(int sock, int version);
 
+int	ssh_request_reply(int, struct sshbuf *, struct sshbuf *);
+
 int	ssh_agent_sign(int sock, const struct sshkey *key,
 	    u_char **sigp, size_t *lenp,
 	    const u_char *data, size_t datalen, const char *alg, u_int compat);
@@ -104,6 +106,8 @@ int	ssh_agent_bind_hostkey(int sock, const struct sshkey *key,
 /* generic extension mechanism */
 #define SSH_AGENTC_EXTENSION			27
 
+#define	SSH_AGENT_EXT_FAILURE			28
+
 #define	SSH_AGENT_CONSTRAIN_LIFETIME		1
 #define	SSH_AGENT_CONSTRAIN_CONFIRM		2
 #define	SSH_AGENT_CONSTRAIN_MAXSIGN		3
diff --git a/cipher.c b/cipher.c
index 7d6e7d8c6..fd130b394 100644
--- a/cipher.c
+++ openssh/cipher.c
@@ -94,16 +94,16 @@ static const struct sshcipher ciphers[] = {
 	{ "aes128-ctr",		16, 16, 0, 0, 0, EVP_aes_128_ctr },
 	{ "aes192-ctr",		16, 24, 0, 0, 0, EVP_aes_192_ctr },
 	{ "aes256-ctr",		16, 32, 0, 0, 0, EVP_aes_256_ctr },
-	{ "aes128-gcm@openssh.com",
+	{ "aes128-gcm",
 				16, 16, 12, 16, 0, EVP_aes_128_gcm },
-	{ "aes256-gcm@openssh.com",
+	{ "aes256-gcm",
 				16, 32, 12, 16, 0, EVP_aes_256_gcm },
 #else
 	{ "aes128-ctr",		16, 16, 0, 0, CFLAG_AESCTR, NULL },
 	{ "aes192-ctr",		16, 24, 0, 0, CFLAG_AESCTR, NULL },
 	{ "aes256-ctr",		16, 32, 0, 0, CFLAG_AESCTR, NULL },
 #endif
-	{ "chacha20-poly1305@openssh.com",
+	{ "chacha20-poly1305",
 				8, 64, 0, 16, CFLAG_CHACHAPOLY, NULL },
 	{ "none",		8, 0, 0, 0, CFLAG_NONE, NULL },
 
diff --git a/defines.h b/defines.h
index ed860e78b..c645f7788 100644
--- a/defines.h
+++ openssh/defines.h
@@ -906,7 +906,7 @@ struct winsize {
  */
 #if defined(HAVE_ARC4RANDOM) && defined(HAVE_ARC4RANDOM_UNIFORM) && \
     !defined(HAVE_ARC4RANDOM_STIR)
-# define arc4random_stir()
+void arc4random_stir(void);
 #endif
 
 #ifndef HAVE_VA_COPY
diff --git a/digest.h b/digest.h
index 274574d0e..4b569962f 100644
--- a/digest.h
+++ openssh/digest.h
@@ -22,12 +22,14 @@
 #define SSH_DIGEST_MAX_LENGTH	64
 
 /* Digest algorithms */
-#define SSH_DIGEST_MD5		0
-#define SSH_DIGEST_SHA1		1
-#define SSH_DIGEST_SHA256	2
-#define SSH_DIGEST_SHA384	3
-#define SSH_DIGEST_SHA512	4
-#define SSH_DIGEST_MAX		5
+enum sshdigest_types {
+	SSH_DIGEST_MD5 = 0,
+	SSH_DIGEST_SHA1 = 1,
+	SSH_DIGEST_SHA256 = 2,
+	SSH_DIGEST_SHA384 = 3,
+	SSH_DIGEST_SHA512 = 4,
+	SSH_DIGEST_MAX
+};
 
 struct sshbuf;
 struct ssh_digest_ctx;
diff --git a/misc.c b/misc.c
index afdf5142e..4d5c38b79 100644
--- a/misc.c
+++ openssh/misc.c
@@ -2843,7 +2843,9 @@ subprocess(const char *tag, const char *command,
 			error("%s: dup2: %s", tag, strerror(errno));
 			_exit(1);
 		}
+#if defined(HAVE_CLOSEFROM) && !defined(BROKEN_CLOSEFROM)
 		closefrom(STDERR_FILENO + 1);
+#endif
 
 		if (geteuid() == 0 &&
 		    initgroups(pw->pw_name, pw->pw_gid) == -1) {
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
index ffd33734d..b4d67b7fc 100644
--- a/openbsd-compat/arc4random.c
+++ openssh/openbsd-compat/arc4random.c
@@ -231,6 +231,13 @@ arc4random_buf(void *buf, size_t n)
 }
 DEF_WEAK(arc4random_buf);
 # endif /* !HAVE_ARC4RANDOM_BUF */
+#else /* !HAVE_ARC4RANDOM */
+# ifndef HAVE_ARC4RANDOM_STIR
+void
+arc4random_stir(void)
+{
+}
+# endif /* !HAVE_ARC4RANDOM_STIR */
 #endif /* !HAVE_ARC4RANDOM */
 
 /* arc4random_buf() that uses platform arc4random() */
diff --git a/openbsd-compat/bcrypt_pbkdf.c b/openbsd-compat/bcrypt_pbkdf.c
index 5a22ba3b4..f006b14cc 100644
--- a/openbsd-compat/bcrypt_pbkdf.c
+++ openssh/openbsd-compat/bcrypt_pbkdf.c
@@ -137,7 +137,7 @@ bcrypt_pbkdf(const char *pass, size_t passlen, const uint8_t *salt, size_t saltl
 	memcpy(countsalt, salt, saltlen);
 
 	/* collapse password */
-	crypto_hash_sha512(sha2pass, pass, passlen);
+	crypto_hash_sha512(sha2pass, (const unsigned char *)pass, passlen);
 
 	/* generate key, sizeof(out) at a time */
 	for (count = 1; keylen > 0; count++) {
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index 0823d6a83..4d6fdaefc 100644
--- a/openbsd-compat/openbsd-compat.h
+++ openssh/openbsd-compat/openbsd-compat.h
@@ -233,8 +233,8 @@ uint32_t arc4random(void);
 void arc4random_buf(void *, size_t);
 #endif
 
-#ifndef HAVE_ARC4RANDOM_STIR
-# define arc4random_stir()
+#if !defined(HAVE_ARC4RANDOM_STIR) && !defined(HAVE_ARC4RANDOM)
+void arc4random_stir(void);
 #endif
 
 #ifndef HAVE_ARC4RANDOM_UNIFORM
diff --git a/sshbuf-getput-basic.c b/sshbuf-getput-basic.c
index 5c71b0e53..3305d52f7 100644
--- a/sshbuf-getput-basic.c
+++ openssh/sshbuf-getput-basic.c
@@ -302,6 +302,41 @@ sshbuf_get_cstring(struct sshbuf *buf, char **valp, size_t *lenp)
 	return 0;
 }
 
+int
+sshbuf_get_cstring8(struct sshbuf *buf, char **valp, size_t *lenp)
+{
+	size_t len;
+	const u_char *p, *z;
+	int r;
+
+	if (valp != NULL)
+		*valp = NULL;
+	if (lenp != NULL)
+		*lenp = 0;
+	if ((r = sshbuf_peek_string8_direct(buf, &p, &len)) != 0)
+		return r;
+	/* Allow a \0 only at the end of the string */
+	if (len > 0 &&
+	    (z = memchr(p , '\0', len)) != NULL && z < p + len - 1) {
+		SSHBUF_DBG(("SSH_ERR_INVALID_FORMAT"));
+		return SSH_ERR_INVALID_FORMAT;
+	}
+	if ((r = sshbuf_skip_string8(buf)) != 0)
+		return -1;
+	if (valp != NULL) {
+		if ((*valp = malloc(len + 1)) == NULL) {
+			SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
+			return SSH_ERR_ALLOC_FAIL;
+		}
+		if (len != 0)
+			memcpy(*valp, p, len);
+		(*valp)[len] = '\0';
+	}
+	if (lenp != NULL)
+		*lenp = (size_t)len;
+	return 0;
+}
+
 int
 sshbuf_get_stringb(struct sshbuf *buf, struct sshbuf *v)
 {
@@ -322,6 +357,26 @@ sshbuf_get_stringb(struct sshbuf *buf, struct sshbuf *v)
 	return 0;
 }
 
+int
+sshbuf_get_stringb8(struct sshbuf *buf, struct sshbuf *v)
+{
+	uint8_t len;
+	u_char *p;
+	int r;
+
+	/*
+	 * Use sshbuf_peek_string_direct() to figure out if there is
+	 * a complete string in 'buf' and copy the string directly
+	 * into 'v'.
+	 */
+	if ((r = sshbuf_peek_string8_direct(buf, NULL, NULL)) != 0 ||
+	    (r = sshbuf_get_u8(buf, &len)) != 0 ||
+	    (r = sshbuf_reserve(v, len, &p)) != 0 ||
+	    (r = sshbuf_get(buf, p, len)) != 0)
+		return r;
+	return 0;
+}
+
 int
 sshbuf_put(struct sshbuf *buf, const void *v, size_t len)
 {
@@ -528,12 +583,36 @@ sshbuf_put_string(struct sshbuf *buf, const void *v, size_t len)
 	return 0;
 }
 
+int
+sshbuf_put_string8(struct sshbuf *buf, const void *v, size_t len)
+{
+	u_char *d;
+	int r;
+
+	if (len > 0xFF - 1) {
+		SSHBUF_DBG(("SSH_ERR_NO_BUFFER_SPACE"));
+		return SSH_ERR_NO_BUFFER_SPACE;
+	}
+	if ((r = sshbuf_reserve(buf, len + 1, &d)) < 0)
+		return r;
+	d[0] = len;
+	if (len != 0)
+		memcpy(d + 1, v, len);
+	return 0;
+}
+
 int
 sshbuf_put_cstring(struct sshbuf *buf, const char *v)
 {
 	return sshbuf_put_string(buf, v, v == NULL ? 0 : strlen(v));
 }
 
+int
+sshbuf_put_cstring8(struct sshbuf *buf, const char *v)
+{
+	return sshbuf_put_string8(buf, (u_char *)v, v == NULL ? 0 : strlen(v));
+}
+
 int
 sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v)
 {
@@ -543,6 +622,12 @@ sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v)
 	return sshbuf_put_string(buf, sshbuf_ptr(v), sshbuf_len(v));
 }
 
+int
+sshbuf_put_stringb8(struct sshbuf *buf, const struct sshbuf *v)
+{
+	return sshbuf_put_string8(buf, sshbuf_ptr(v), sshbuf_len(v));
+}
+
 int
 sshbuf_froms(struct sshbuf *buf, struct sshbuf **bufp)
 {
@@ -631,3 +716,116 @@ sshbuf_get_bignum2_bytes_direct(struct sshbuf *buf,
 	}
 	return 0;
 }
+
+extern void *malloc_conceal(size_t size);
+
+int
+sshbuf_get_string8_conceal(struct sshbuf *buf, u_char **valp, size_t *lenp)
+{
+	const u_char *val;
+	size_t len;
+	int r;
+
+	if (valp != NULL)
+		*valp = NULL;
+	if (lenp != NULL)
+		*lenp = 0;
+	if ((r = sshbuf_get_string8_direct(buf, &val, &len)) < 0)
+		return r;
+	if (valp != NULL) {
+		if ((*valp = malloc_conceal(len + 1)) == NULL) {
+			SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
+			return SSH_ERR_ALLOC_FAIL;
+		}
+		if (len != 0)
+			memcpy(*valp, val, len);
+		(*valp)[len] = '\0';
+	}
+	if (lenp != NULL)
+		*lenp = len;
+	return 0;
+}
+
+int
+sshbuf_get_string8(struct sshbuf *buf, u_char **valp, size_t *lenp)
+{
+	const u_char *val;
+	size_t len;
+	int r;
+
+	if (valp != NULL)
+		*valp = NULL;
+	if (lenp != NULL)
+		*lenp = 0;
+	if ((r = sshbuf_get_string8_direct(buf, &val, &len)) < 0)
+		return r;
+	if (valp != NULL) {
+		if ((*valp = malloc(len + 1)) == NULL) {
+			SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
+			return SSH_ERR_ALLOC_FAIL;
+		}
+		if (len != 0)
+			memcpy(*valp, val, len);
+		(*valp)[len] = '\0';
+	}
+	if (lenp != NULL)
+		*lenp = len;
+	return 0;
+}
+
+int
+sshbuf_get_string8_direct(struct sshbuf *buf, const u_char **valp, size_t *lenp)
+{
+	size_t len;
+	const u_char *p;
+	int r;
+
+	if (valp != NULL)
+		*valp = NULL;
+	if (lenp != NULL)
+		*lenp = 0;
+	if ((r = sshbuf_peek_string8_direct(buf, &p, &len)) < 0)
+		return r;
+	if (valp != NULL)
+		*valp = p;
+	if (lenp != NULL)
+		*lenp = len;
+	if (sshbuf_consume(buf, len + 1) != 0) {
+		/* Shouldn't happen */
+		SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
+		SSHBUF_ABORT();
+		return SSH_ERR_INTERNAL_ERROR;
+	}
+	return 0;
+}
+
+int
+sshbuf_peek_string8_direct(const struct sshbuf *buf, const u_char **valp,
+    size_t *lenp)
+{
+	uint32_t len;
+	const u_char *p = sshbuf_ptr(buf);
+
+	if (valp != NULL)
+		*valp = NULL;
+	if (lenp != NULL)
+		*lenp = 0;
+	if (sshbuf_len(buf) < 1) {
+		SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
+		return SSH_ERR_MESSAGE_INCOMPLETE;
+	}
+	len = p[0];
+	if (len > SSHBUF_SIZE_MAX - 1) {
+		SSHBUF_DBG(("SSH_ERR_STRING_TOO_LARGE"));
+		return SSH_ERR_STRING_TOO_LARGE;
+	}
+	if (sshbuf_len(buf) - 1 < len) {
+		SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
+		return SSH_ERR_MESSAGE_INCOMPLETE;
+	}
+	if (valp != NULL)
+		*valp = p + 1;
+	if (lenp != NULL)
+		*lenp = len;
+	return 0;
+}
diff --git a/sshbuf-getput-crypto.c b/sshbuf-getput-crypto.c
index e7bffe225..2d59296fa 100644
--- a/sshbuf-getput-crypto.c
+++ openssh/sshbuf-getput-crypto.c
@@ -63,8 +63,10 @@ get_ec(const u_char *d, size_t len, EC_POINT *v, const EC_GROUP *g)
 	if (len == 0 || len > SSHBUF_MAX_ECPOINT)
 		return SSH_ERR_ECPOINT_TOO_LARGE;
 	/* Only handle uncompressed points */
-	if (*d != POINT_CONVERSION_UNCOMPRESSED)
+	if (*d != POINT_CONVERSION_UNCOMPRESSED &&
+	    (*d & ~0x1) != POINT_CONVERSION_COMPRESSED) {
 		return SSH_ERR_INVALID_FORMAT;
+	}
 	if (v != NULL && EC_POINT_oct2point(g, v, d, len, NULL) != 1)
 		return SSH_ERR_INVALID_FORMAT; /* XXX assumption */
 	return 0;
@@ -125,6 +127,41 @@ sshbuf_get_eckey(struct sshbuf *buf, EC_KEY *v)
 	}
 	return 0;
 }
+
+int
+sshbuf_get_eckey8(struct sshbuf *buf, EC_KEY *v)
+{
+	EC_POINT *pt = EC_POINT_new(EC_KEY_get0_group(v));
+	int r;
+	const u_char *d;
+	size_t len;
+
+	if (pt == NULL) {
+		SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
+		return SSH_ERR_ALLOC_FAIL;
+	}
+	if ((r = sshbuf_peek_string8_direct(buf, &d, &len)) < 0) {
+		EC_POINT_free(pt);
+		return r;
+	}
+	if ((r = get_ec(d, len, pt, EC_KEY_get0_group(v))) != 0) {
+		EC_POINT_free(pt);
+		return r;
+	}
+	if (EC_KEY_set_public_key(v, pt) != 1) {
+		EC_POINT_free(pt);
+		return SSH_ERR_ALLOC_FAIL; /* XXX assumption */
+	}
+	EC_POINT_free(pt);
+	/* Skip string */
+	if (sshbuf_get_string8_direct(buf, NULL, NULL) != 0) {
+		/* Shouldn't happen */
+		SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
+		SSHBUF_ABORT();
+		return SSH_ERR_INTERNAL_ERROR;
+	}
+	return 0;
+}
 #endif /* OPENSSL_HAS_ECC */
 
 int
@@ -186,5 +223,38 @@ sshbuf_put_ec_pkey(struct sshbuf *buf, EVP_PKEY *pkey)
 		return SSH_ERR_LIBCRYPTO_ERROR;
 	return sshbuf_put_eckey(buf, ec);
 }
+
+int
+sshbuf_put_ec8(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g)
+{
+	u_char d[SSHBUF_MAX_ECPOINT];
+	BN_CTX *bn_ctx;
+	size_t len;
+	int ret;
+
+	if ((bn_ctx = BN_CTX_new()) == NULL)
+		return SSH_ERR_ALLOC_FAIL;
+	if ((len = EC_POINT_point2oct(g, v, POINT_CONVERSION_COMPRESSED,
+	    NULL, 0, bn_ctx)) > SSHBUF_MAX_ECPOINT) {
+		BN_CTX_free(bn_ctx);
+		return SSH_ERR_INVALID_ARGUMENT;
+	}
+	if (EC_POINT_point2oct(g, v, POINT_CONVERSION_COMPRESSED,
+	    d, len, bn_ctx) != len) {
+		BN_CTX_free(bn_ctx);
+		return SSH_ERR_INTERNAL_ERROR; /* Shouldn't happen */
+	}
+	BN_CTX_free(bn_ctx);
+	ret = sshbuf_put_string8(buf, d, len);
+	explicit_bzero(d, len);
+	return ret;
+}
+
+int
+sshbuf_put_eckey8(struct sshbuf *buf, const EC_KEY *v)
+{
+	return sshbuf_put_ec8(buf, EC_KEY_get0_public_key(v),
+	    EC_KEY_get0_group(v));
+}
 #endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
diff --git a/sshbuf.c b/sshbuf.c
index 1b714e5f9..765b72380 100644
--- a/sshbuf.c
+++ openssh/sshbuf.c
@@ -425,3 +425,21 @@ sshbuf_consume_end(struct sshbuf *buf, size_t len)
 	return 0;
 }
 
+
+size_t
+sshbuf_offset(const struct sshbuf *buf)
+{
+	return buf->off;
+}
+
+int
+sshbuf_rewind(struct sshbuf *buf, size_t pos)
+{
+	int r;
+	if ((r = sshbuf_check_sanity(buf)) != 0)
+		return r;
+	if (pos > sshbuf_len(buf))
+		return SSH_ERR_INVALID_ARGUMENT;
+	buf->off = pos;
+	return 0;
+}
diff --git a/sshbuf.h b/sshbuf.h
index 49c32af8f..9d9b3d955 100644
--- a/sshbuf.h
+++ openssh/sshbuf.h
@@ -194,6 +194,14 @@ int	sshbuf_put_string(struct sshbuf *buf, const void *v, size_t len);
 int	sshbuf_put_cstring(struct sshbuf *buf, const char *v);
 int	sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v);
 
+int	sshbuf_get_string8(struct sshbuf *buf, u_char **valp, size_t *lenp);
+int	sshbuf_get_string8_conceal(struct sshbuf *buf, u_char **valp, size_t *lenp);
+int	sshbuf_get_cstring8(struct sshbuf *buf, char **valp, size_t *lenp);
+int	sshbuf_get_stringb8(struct sshbuf *buf, struct sshbuf *v);
+int	sshbuf_put_string8(struct sshbuf *buf, const void *v, size_t len);
+int	sshbuf_put_cstring8(struct sshbuf *buf, const char *v);
+int	sshbuf_put_stringb8(struct sshbuf *buf, const struct sshbuf *v);
+
 /*
  * "Direct" variant of sshbuf_get_string, returns pointer into the sshbuf to
  * avoid an malloc+memcpy. The pointer is guaranteed to be valid until the
@@ -201,13 +209,18 @@ int	sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v);
  */
 int	sshbuf_get_string_direct(struct sshbuf *buf, const u_char **valp,
 	    size_t *lenp);
+int	sshbuf_get_string8_direct(struct sshbuf *buf, const u_char **valp,
+	    size_t *lenp);
 
 /* Skip past a string */
 #define sshbuf_skip_string(buf) sshbuf_get_string_direct(buf, NULL, NULL)
+#define sshbuf_skip_string8(buf) sshbuf_get_string8_direct(buf, NULL, NULL)
 
 /* Another variant: "peeks" into the buffer without modifying it */
 int	sshbuf_peek_string_direct(const struct sshbuf *buf, const u_char **valp,
 	    size_t *lenp);
+int	sshbuf_peek_string8_direct(const struct sshbuf *buf, const u_char **valp,
+	    size_t *lenp);
 
 /*
  * Functions to extract or store SSH wire encoded bignums and elliptic
@@ -225,6 +238,9 @@ int	sshbuf_get_eckey(struct sshbuf *buf, EC_KEY *v);
 int	sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g);
 int	sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v);
 int	sshbuf_put_ec_pkey(struct sshbuf *buf, EVP_PKEY *pkey);
+int	sshbuf_put_ec8(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g);
+int	sshbuf_put_eckey8(struct sshbuf *buf, const EC_KEY *v);
+int	sshbuf_get_eckey8(struct sshbuf *buf, EC_KEY *v);
 # endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
 
@@ -346,6 +362,9 @@ int sshbuf_read(int, struct sshbuf *, size_t, size_t *)
 		((u_char *)(p))[1] = __v & 0xff; \
 	} while (0)
 
+size_t	sshbuf_offset(const struct sshbuf *buf);
+int	sshbuf_rewind(struct sshbuf *buf, size_t pos);
+
 /* Internal definitions follow. Exposed for regress tests */
 #ifdef SSHBUF_INTERNAL
 
diff --git a/ssherr.h b/ssherr.h
index 085e75274..e97c45771 100644
--- a/ssherr.h
+++ openssh/ssherr.h
@@ -86,4 +86,30 @@
 /* Translate a numeric error code to a human-readable error string */
 const char *ssh_err(int n);
 
+#define ssherrf(func, code, ...)		\
+    errf(((code) == SSH_ERR_MESSAGE_INCOMPLETE) ? "IncompleteMessageError" : \
+    "LibSSHError", NULL, func " returned %d (%s)", ##__VA_ARGS__, \
+    code, ssh_err(code))
+
+#define make_sslerrf(var, call, action, ...)	\
+	do {	\
+		char _ssl_errbuf[128]; \
+		int _ssl_errflags = 0, _ssl_errline; \
+		const char *_ssl_errdata, *_ssl_errfile; \
+		unsigned long _ssl_err = ERR_peek_last_error(); \
+		ERR_load_crypto_strings(); \
+		ERR_error_string(_ssl_err, _ssl_errbuf); \
+		ERR_get_error_line_data(&_ssl_errfile, &_ssl_errline, \
+		    &_ssl_errdata, &_ssl_errflags); \
+		var = NULL; \
+		if (_ssl_errflags & ERR_TXT_STRING) { \
+			var = errf("OpenSSLErrorData", var, "%s", \
+			    _ssl_errdata); \
+		} \
+		var = errf("OpenSSLError", var, \
+		    call " (%s:%d) returned error %u (%s) while " action, \
+		    _ssl_errfile, _ssl_errline, _ssl_err, _ssl_errbuf, \
+		    ##__VA_ARGS__); \
+	} while (0)
+
 #endif /* _SSHERR_H */
diff --git a/sshkey.c b/sshkey.c
index 1db83788d..de597d818 100644
--- a/sshkey.c
+++ openssh/sshkey.c
@@ -2212,17 +2212,21 @@ sshkey_sign(struct sshkey *key,
 		return SSH_ERR_KEY_TYPE_UNKNOWN;
 	if ((r = sshkey_unshield_private(key)) != 0)
 		return r;
+#if defined(WITH_SK)
 	if (sshkey_is_sk(key)) {
 		r = sshsk_sign(sk_provider, key, sigp, lenp, data,
 		    datalen, compat, sk_pin);
 	} else {
+#endif
 		if (impl->funcs->sign == NULL)
 			r = SSH_ERR_SIGN_ALG_UNSUPPORTED;
 		else {
 			r = impl->funcs->sign(key, sigp, lenp, data, datalen,
 			    alg, sk_provider, sk_pin, compat);
-		 }
+		}
+#if defined(WITH_SK)
 	}
+#endif
 	if (was_shielded && (r2 = sshkey_shield_private(key)) != 0)
 		return r2;
 	return r;
@@ -3842,3 +3846,393 @@ sshkey_set_filename(struct sshkey *k, const char *filename)
 	return 0;
 }
 #endif /* WITH_XMSS */
+
+int
+sshkey_from_evp_pkey(EVP_PKEY *pk, int type, struct sshkey **keyp)
+{
+	struct sshkey *prv = NULL;
+	int r;
+	int pktype = EVP_PKEY_base_id(pk);
+	EVP_PKEY *pkey;
+	RSA *rsa;
+	EC_KEY *eck;
+	DSA *dsa;
+
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL) {
+		r = SSH_ERR_ALLOC_FAIL;
+		goto out;
+	}
+
+	if (pktype == EVP_PKEY_RSA &&
+	    (type == KEY_UNSPEC || type == KEY_RSA)) {
+		if ((prv = sshkey_new(KEY_RSA)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		rsa = EVP_PKEY_get1_RSA(pk);
+		EVP_PKEY_set1_RSA(pkey, rsa);
+
+	} else if (pktype == EVP_PKEY_DSA &&
+	    (type == KEY_UNSPEC || type == KEY_DSA)) {
+		if ((prv = sshkey_new(KEY_DSA)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		dsa = EVP_PKEY_get1_DSA(pk);
+		EVP_PKEY_set1_DSA(pkey, dsa);
+
+	} else if (pktype == EVP_PKEY_EC &&
+	    (type == KEY_UNSPEC || type == KEY_ECDSA)) {
+		if ((prv = sshkey_new(KEY_ECDSA)) == NULL) {
+			r = SSH_ERR_ALLOC_FAIL;
+			goto out;
+		}
+		eck = EVP_PKEY_get1_EC_KEY(pk);
+		prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(eck);
+		if (prv->ecdsa_nid == -1 ||
+		    sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
+		    sshkey_ec_validate_public(EC_KEY_get0_group(eck),
+		    EC_KEY_get0_public_key(eck)) != 0) {
+			r = SSH_ERR_INVALID_FORMAT;
+			goto out;
+		}
+		EVP_PKEY_set1_EC_KEY(pkey, eck);
+
+	} else {
+		r = SSH_ERR_INVALID_FORMAT;
+		goto out;
+	}
+
+	EVP_PKEY_free(prv->pkey);
+	prv->pkey = pkey;
+
+	r = 0;
+	if (keyp != NULL) {
+		*keyp = prv;
+		prv = NULL;
+	}
+ out:
+	sshkey_free(prv);
+	return r;
+}
+
+static int
+ssh_ecdsa_sig_from_asn1(enum sshdigest_types dtype, const uint8_t *sig,
+    size_t siglen, struct sshbuf *buf)
+{
+	ECDSA_SIG *esig = NULL;
+	struct sshbuf *b;
+	int nid;
+	const char *type;
+	const uint8_t *ptr;
+	int rv;
+
+	switch (dtype) {
+	case SSH_DIGEST_SHA256:
+		nid = NID_X9_62_prime256v1;
+		break;
+	case SSH_DIGEST_SHA384:
+		nid = NID_secp384r1;
+		break;
+	case SSH_DIGEST_SHA512:
+		nid = NID_secp521r1;
+		break;
+	default:
+		return (SSH_ERR_KEY_TYPE_MISMATCH);
+	}
+
+	b = sshbuf_new();
+	if (b == NULL)
+		return (SSH_ERR_ALLOC_FAIL);
+
+	type = sshkey_ssh_name_from_type_nid(KEY_ECDSA, nid);
+
+	ptr = sig;
+	if (d2i_ECDSA_SIG(&esig, (const uint8_t **)&ptr, siglen) == NULL) {
+		rv = SSH_ERR_INVALID_ARGUMENT;
+		goto out;
+	}
+	if (esig == NULL || ptr <= sig || ((size_t)(ptr - sig) < siglen)) {
+		rv = SSH_ERR_INVALID_ARGUMENT;
+		goto out;
+	}
+
+	if ((rv = sshbuf_put_bignum2(b, ECDSA_SIG_get0_r(esig))) != 0 ||
+	    (rv = sshbuf_put_bignum2(b, ECDSA_SIG_get0_s(esig))) != 0) {
+		goto out;
+	}
+
+	if ((rv = sshbuf_put_cstring(buf, type)) != 0 ||
+	    (rv = sshbuf_put_stringb(buf, b)) != 0) {
+		goto out;
+	}
+
+	rv = 0;
+
+out:
+	sshbuf_free(b);
+	if (esig != NULL)
+		ECDSA_SIG_free(esig);
+	return (rv);
+}
+
+static const char *
+rsa_hash_alg_ident(int hash_alg)
+{
+	switch (hash_alg) {
+	case SSH_DIGEST_SHA1:
+		return "ssh-rsa";
+	case SSH_DIGEST_SHA256:
+		return "rsa-sha2-256";
+	case SSH_DIGEST_SHA512:
+		return "rsa-sha2-512";
+	}
+	return NULL;
+}
+
+static int
+rsa_hash_alg_from_ident(const char *ident)
+{
+	if (strcasecmp(ident, "ssh-rsa") == 0 ||
+	    strcasecmp(ident, "ssh-rsa-cert-v01@openssh.com") == 0)
+		return SSH_DIGEST_SHA1;
+	if (strcasecmp(ident, "rsa-sha2-256") == 0)
+		return SSH_DIGEST_SHA256;
+	if (strcasecmp(ident, "rsa-sha2-512") == 0)
+		return SSH_DIGEST_SHA512;
+	return -1;
+}
+
+static int
+rsa_hash_alg_nid(int type)
+{
+	switch (type) {
+	case SSH_DIGEST_SHA1:
+		return NID_sha1;
+	case SSH_DIGEST_SHA256:
+		return NID_sha256;
+	case SSH_DIGEST_SHA512:
+		return NID_sha512;
+	default:
+		return -1;
+	}
+}
+
+static int
+ssh_rsa_sig_from_asn1(const struct sshkey *pubkey, enum sshdigest_types dtype,
+    const uint8_t *sig, size_t siglen, struct sshbuf *buf)
+{
+	int r;
+	const char *algid = rsa_hash_alg_ident(dtype);
+	size_t slen;
+	RSA *rsa;
+
+	if (algid == NULL)
+		return (SSH_ERR_KEY_TYPE_MISMATCH);
+	if (pubkey->type != KEY_RSA)
+		return (SSH_ERR_KEY_TYPE_MISMATCH);
+
+	rsa = EVP_PKEY_get1_RSA(pubkey->pkey);
+	slen = RSA_size(rsa);
+	if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
+		return (SSH_ERR_INVALID_ARGUMENT);
+	if (slen != siglen)
+		return (SSH_ERR_INVALID_ARGUMENT);
+
+	if ((r = sshbuf_put_cstring(buf, algid)) != 0 ||
+	    (r = sshbuf_put_string(buf, sig, siglen)) != 0) {
+		return (r);
+	}
+
+	return (0);
+}
+
+static int
+ssh_ed25519_sig_from_asn1(enum sshdigest_types dtype, const uint8_t *sig,
+    size_t siglen, struct sshbuf *buf)
+{
+	int r;
+
+	if (dtype != 0 && dtype != SSH_DIGEST_SHA512)
+		return (SSH_ERR_KEY_TYPE_MISMATCH);
+
+	if (siglen != crypto_sign_ed25519_BYTES)
+		return (SSH_ERR_INVALID_ARGUMENT);
+
+	if ((r = sshbuf_put_cstring(buf, "ssh-ed25519")) != 0 ||
+	    (r = sshbuf_put_string(buf, sig, siglen)) != 0) {
+		return (r);
+	}
+
+	return (0);
+}
+
+int
+sshkey_sig_from_asn1(const struct sshkey *key, enum sshdigest_types dtype,
+    const uint8_t *sig, size_t siglen, struct sshbuf *buf)
+{
+	if (siglen == 0)
+		return SSH_ERR_INVALID_ARGUMENT;
+	switch (key->type) {
+	case KEY_ECDSA_CERT:
+	case KEY_ECDSA:
+		return ssh_ecdsa_sig_from_asn1(dtype, sig, siglen, buf);
+	case KEY_RSA_CERT:
+	case KEY_RSA:
+		return ssh_rsa_sig_from_asn1(key, dtype, sig, siglen, buf);
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
+		return ssh_ed25519_sig_from_asn1(dtype, sig, siglen, buf);
+	default:
+		return SSH_ERR_KEY_TYPE_UNKNOWN;
+	}
+}
+
+static int
+ssh_rsa_sig_to_asn1(const char *typename, struct sshbuf *sshsig,
+    enum sshdigest_types *dtype, struct sshbuf *asn1sig)
+{
+	u_char *v = NULL;
+	size_t len;
+	int rc;
+
+	if ((rc = sshbuf_get_string(sshsig, &v, &len)))
+		goto out;
+
+	if ((rc = sshbuf_put(asn1sig, v, len)))
+		goto out;
+
+	rc = 0;
+	*dtype = rsa_hash_alg_from_ident(typename);
+
+out:
+	free(v);
+	return rc;
+}
+
+static int
+ssh_ecdsa_sig_to_asn1(const struct sshkey *key, struct sshbuf *sshsig,
+    enum sshdigest_types *dtype, struct sshbuf *asn1sig)
+{
+	ECDSA_SIG *esig = NULL;
+	uint8_t *buf = NULL;
+	size_t len;
+	int rc;
+	BIGNUM *r = NULL, *s = NULL;
+
+	switch (key->ecdsa_nid) {
+	case NID_X9_62_prime256v1:
+		*dtype = SSH_DIGEST_SHA256;
+		break;
+	case NID_secp384r1:
+		*dtype = SSH_DIGEST_SHA384;
+		break;
+	case NID_secp521r1:
+		*dtype = SSH_DIGEST_SHA512;
+		break;
+	default:
+		rc = SSH_ERR_KEY_TYPE_MISMATCH;
+		goto out;
+	}
+
+	esig = ECDSA_SIG_new();
+	if (esig == NULL)
+		return SSH_ERR_ALLOC_FAIL;
+
+	if ((rc = sshbuf_get_bignum2(sshsig, &r)) ||
+	    (rc = sshbuf_get_bignum2(sshsig, &s)))
+		goto out;
+
+	rc = ECDSA_SIG_set0(esig, r, s);
+	if (rc != 1) {
+		rc = SSH_ERR_LIBCRYPTO_ERROR;
+		goto out;
+	}
+	/* ECDSA_SIG_set0 takes ownership of the bignums */
+	r = NULL;
+	s = NULL;
+
+	len = i2d_ECDSA_SIG(esig, &buf);
+	if (len <= 0) {
+		rc = SSH_ERR_LIBCRYPTO_ERROR;
+		goto out;
+	}
+
+	if ((rc = sshbuf_put(asn1sig, buf, len)))
+		goto out;
+
+	rc = 0;
+
+out:
+	ECDSA_SIG_free(esig);
+	BN_free(r);
+	BN_free(s);
+	OPENSSL_free(buf);
+	return (rc);
+}
+
+static int
+ssh_ed25519_sig_to_asn1(struct sshbuf *sshsig, enum sshdigest_types *dtype,
+    struct sshbuf *asn1sig)
+{
+	u_char *v = NULL;
+	size_t len;
+	int rc;
+
+	if ((rc = sshbuf_get_string(sshsig, &v, &len)))
+		goto out;
+
+	if (len != crypto_sign_ed25519_BYTES)
+		return SSH_ERR_INVALID_FORMAT;
+
+	if ((rc = sshbuf_put(asn1sig, v, len)))
+		goto out;
+
+	rc = 0;
+	*dtype = SSH_DIGEST_SHA512;
+
+out:
+	free(v);
+	return rc;
+}
+
+int
+sshkey_sig_to_asn1(const struct sshkey *key, struct sshbuf *sshsig,
+    enum sshdigest_types *dtype, struct sshbuf *asn1sig)
+{
+	int rc;
+	char *typename;
+	int ktype;
+
+	rc = sshbuf_get_cstring(sshsig, &typename, NULL);
+	if (rc != 0)
+		return rc;
+
+	ktype = sshkey_type_from_name(typename);
+	if (ktype == KEY_UNSPEC)
+		return SSH_ERR_KEY_TYPE_UNKNOWN;
+
+	if (key->type != KEY_UNSPEC && key->type != ktype)
+		return SSH_ERR_KEY_TYPE_MISMATCH;
+
+	switch (ktype) {
+	case KEY_RSA:
+	case KEY_RSA_CERT:
+		rc = ssh_rsa_sig_to_asn1(typename, sshsig, dtype, asn1sig);
+		break;
+	case KEY_ECDSA:
+	case KEY_ECDSA_CERT:
+		rc = ssh_ecdsa_sig_to_asn1(key, sshsig, dtype, asn1sig);
+		break;
+	case KEY_ED25519:
+	case KEY_ED25519_CERT:
+		rc = ssh_ed25519_sig_to_asn1(sshsig, dtype, asn1sig);
+		break;
+	default:
+		rc = SSH_ERR_KEY_TYPE_UNKNOWN;
+	}
+
+	free(typename);
+	return rc;
+}
diff --git a/sshkey.h b/sshkey.h
index d0cdea0ce..71d86b2f8 100644
--- a/sshkey.h
+++ openssh/sshkey.h
@@ -26,6 +26,8 @@
 #ifndef SSHKEY_H
 #define SSHKEY_H
 
+#include "config.h"
+#include "digest.h"
 #include <sys/types.h>
 
 #ifdef WITH_OPENSSL
@@ -219,6 +221,9 @@ u_int		 sshkey_size(const struct sshkey *);
 int		 sshkey_generate(int type, u_int bits, struct sshkey **keyp);
 int		 sshkey_from_private(const struct sshkey *, struct sshkey **);
 
+/* Compat */
+#define	sshkey_demote	sshkey_from_private
+
 int		 sshkey_is_shielded(struct sshkey *);
 int		 sshkey_shield_private(struct sshkey *);
 int		 sshkey_unshield_private(struct sshkey *);
@@ -335,6 +340,13 @@ void	 sshkey_sig_details_free(struct sshkey_sig_details *);
 int	sshkey_ecdsa_fixup_group(EVP_PKEY *k); /* ssh-ecdsa.c */
 #endif
 
+int	 sshkey_from_evp_pkey(EVP_PKEY *pk, int type, struct sshkey **keyp);
+
+int	 sshkey_sig_from_asn1(const struct sshkey *key, enum sshdigest_types,
+    const uint8_t *sig, size_t siglen, struct sshbuf *buf);
+int	 sshkey_sig_to_asn1(const struct sshkey *key, struct sshbuf *sshsig,
+    enum sshdigest_types *dtype, struct sshbuf *asn1sig);
+
 #ifdef SSHKEY_INTERNAL
 int	sshkey_sk_fields_equal(const struct sshkey *a, const struct sshkey *b);
 void	sshkey_sk_cleanup(struct sshkey *k);
-- 
2.46.2