31 files changed, 267 insertions, 81 deletions

diff --git a/regress/Makefile b/regress/Makefile
index 01e257a94..53a50ffca 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.106 2020/01/31 23:25:08 djm Exp $
+#       $OpenBSD: Makefile,v 1.108 2020/04/20 04:44:47 djm Exp $
 
 tests:          prep file-tests t-exec unit
 
@@ -66,6 +66,7 @@ LTESTS= 	connect \
                 cfgparse \
                 cfgmatch \
                 cfgmatchlisten \
+                percent \
                 addrmatch \
                 localcommand \
                 forcecommand \
@@ -90,8 +91,8 @@ LTESTS= 	connect \
                 servcfginclude \
                 allow-deny-users \
                 authinfo \
-                sshsig
-
+                sshsig \
+                keygen-comment
 
 
 INTEROP_TESTS=  putty-transfer putty-ciphers putty-kex conch-ciphers
diff --git a/regress/addrmatch.sh b/regress/addrmatch.sh
index 1584bd405..e7d29c3f3 100644
--- a/regress/addrmatch.sh
+++ b/regress/addrmatch.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: addrmatch.sh,v 1.4 2012/05/13 01:42:32 dtucker Exp $
+#       $OpenBSD: addrmatch.sh,v 1.5 2020/03/13 03:18:45 djm Exp $
 #       Placed in the Public Domain.
 
 tid="address match"
@@ -43,7 +43,7 @@ run_trial user 19.0.0.1 somehost 1.2.3.4 5678 match4 "localport"
 
 if test "$TEST_SSH_IPV6" != "no"; then
 run_trial user ::1 somehost.example.com ::2 1234 match2 "bare IP6 address"
-run_trial user ::2 somehost.exaple.com ::2 1234 nomatch "deny IPv6"
+run_trial user ::2 somehost.example.com ::2 1234 nomatch "deny IPv6"
 run_trial user ::3 somehost ::2 1234 nomatch "IP6 negated"
 run_trial user ::4 somehost ::2 1234 nomatch "IP6 no match"
 run_trial user 2000::1 somehost ::2 1234 match2 "IP6 network"
diff --git a/regress/key-options.sh b/regress/key-options.sh
index 112c9bd8e..097f46eba 100644
--- a/regress/key-options.sh
+++ b/regress/key-options.sh
@@ -7,6 +7,12 @@ origkeys="$OBJ/authkeys_orig"
 authkeys="$OBJ/authorized_keys_${USER}"
 cp $authkeys $origkeys
 
+# Allocating ptys can require privileges on some platforms.
+skip_pty=""
+if ! config_defined HAVE_OPENPTY && [ "x$SUDO" == "x" ]; then
+        skip_pty="no openpty(3) and SUDO not set"
+fi
+
 # Test command= forced command
 for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
         sed "s/.*/$c &/" $origkeys >$authkeys
@@ -27,7 +33,7 @@ expect_pty_succeed() {
         rm -f $OBJ/data
         sed "s/.*/$opts &/" $origkeys >$authkeys
         verbose "key option pty $which"
-        config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
+        [ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return
         ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
         if [ $? -ne 0 ] ; then
                 fail "key option failed $which"
@@ -45,7 +51,7 @@ expect_pty_fail() {
         rm -f $OBJ/data
         sed "s/.*/$opts &/" $origkeys >$authkeys
         verbose "key option pty $which"
-        config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
+        [ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return
         ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
         if [ $? -eq 0 ]; then
                 r=`cat $OBJ/data`
diff --git a/regress/keygen-comment.sh b/regress/keygen-comment.sh
new file mode 100644
index 000000000..af571d390
--- /dev/null
+++ b/regress/keygen-comment.sh
@@ -0,0 +1,52 @@
+#    Placed in the Public Domain.
+
+tid="Comment extraction from private key"
+
+S1="secret1"
+
+check_fingerprint () {
+        file="$1"
+        comment="$2"
+        trace "fingerprinting $file"
+        if ! ${SSHKEYGEN} -l -E sha256 -f $file > $OBJ/$t-fgp ; then
+                fail "ssh-keygen -l failed for $t-key"
+        fi
+        if ! egrep "^([0-9]+) SHA256:(.){43} ${comment} \(.*\)\$" \
+            $OBJ/$t-fgp >/dev/null 2>&1 ; then
+                fail "comment is not correctly recovered for $t-key"
+        fi
+        rm -f $OBJ/$t-fgp
+}
+
+for fmt in '' RFC4716 PKCS8 PEM; do
+        for t in $SSH_KEYTYPES; do
+                trace "generating $t key in '$fmt' format"
+                rm -f $OBJ/$t-key*
+                oldfmt=""
+                case "$fmt" in
+                PKCS8|PEM) oldfmt=1 ;;
+                esac
+                # Some key types like ssh-ed25519 and *@openssh.com are never
+                # stored in old formats.
+                case "$t" in
+                ssh-ed25519|*openssh.com) test -z "$oldfmt" || continue ;;
+                esac
+                comment="foo bar"
+                fmtarg=""
+                test -z "$fmt" || fmtarg="-m $fmt"
+                ${SSHKEYGEN} $fmtarg -N '' -C "${comment}" \
+                    -t $t -f $OBJ/$t-key >/dev/null 2>&1 || \
+                        fatal "keygen of $t in format $fmt failed"
+                check_fingerprint $OBJ/$t-key "${comment}"
+                check_fingerprint $OBJ/$t-key.pub "${comment}"
+                # Output fingerprint using only private file
+                trace "fingerprinting $t key using private key file"
+                rm -f $OBJ/$t-key.pub
+                if [ ! -z "$oldfmt" ] ; then
+                        # Comment cannot be recovered from old format keys.
+                        comment="no comment"
+                fi
+                check_fingerprint $OBJ/$t-key "${comment}"
+                rm -f $OBJ/$t-key*
+        done
+done
diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile
index 9eb86931c..ede5e2fb4 100644
--- a/regress/misc/kexfuzz/Makefile
+++ b/regress/misc/kexfuzz/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.7 2020/01/26 00:09:50 djm Exp $
+#       $OpenBSD: Makefile,v 1.8 2020/04/03 04:07:48 djm Exp $
 
 .include <bsd.own.mk>
 .include <bsd.obj.mk>
@@ -19,7 +19,7 @@ SRCS+=ssh-ecdsa.c ssh-ed25519.c mac.c umac.c umac128.c hmac.c misc.c
 SRCS+=ssherr.c uidswap.c cleanup.c xmalloc.c match.c krl.c fatal.c
 SRCS+=addrmatch.c bitmap.c packet.c dispatch.c canohost.c ssh_api.c
 SRCS+=compat.c ed25519.c hash.c ge25519.c fe25519.c sc25519.c verify.c
-SRCS+=cipher-chachapoly.c chacha.c poly1305.c
+SRCS+=cipher-chachapoly.c chacha.c poly1305.c utf8.c
 SRCS+=sshbuf-io.c ssh-ecdsa-sk.c ssh-ed25519-sk.c msg.c ssh-sk-client.c
 
 SRCS+=  kex.c
diff --git a/regress/misc/sk-dummy/sk-dummy.c b/regress/misc/sk-dummy/sk-dummy.c
index dca158ded..f3acb2fb7 100644
--- a/regress/misc/sk-dummy/sk-dummy.c
+++ b/regress/misc/sk-dummy/sk-dummy.c
@@ -47,7 +47,7 @@
         } while (0)
 #endif
 
-#if SSH_SK_VERSION_MAJOR != 0x00040000
+#if SSH_SK_VERSION_MAJOR != 0x00050000
 # error SK API has changed, sk-dummy.c needs an update
 #endif
 
@@ -468,13 +468,15 @@ sig_ed25519(const uint8_t *message, size_t message_len,
 }
 
 int
-sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
+sk_sign(uint32_t alg, const uint8_t *data, size_t datalen,
     const char *application, const uint8_t *key_handle, size_t key_handle_len,
     uint8_t flags, const char *pin, struct sk_option **options,
     struct sk_sign_response **sign_response)
 {
         struct sk_sign_response *response = NULL;
         int ret = SSH_SK_ERR_GENERAL;
+        SHA256_CTX ctx;
+        uint8_t message[32];
 
         if (sign_response == NULL) {
                 skdebug(__func__, "sign_response == NULL");
@@ -487,17 +489,20 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
                 skdebug(__func__, "calloc response failed");
                 goto out;
         }
+        SHA256_Init(&ctx);
+        SHA256_Update(&ctx, data, datalen);
+        SHA256_Final(message, &ctx);
         response->flags = flags;
         response->counter = 0x12345678;
         switch(alg) {
         case SSH_SK_ECDSA:
-                if (sig_ecdsa(message, message_len, application,
+                if (sig_ecdsa(message, sizeof(message), application,
                     response->counter, flags, key_handle, key_handle_len,
                     response) != 0)
                         goto out;
                 break;
         case SSH_SK_ED25519:
-                if (sig_ed25519(message, message_len, application,
+                if (sig_ed25519(message, sizeof(message), application,
                     response->counter, flags, key_handle, key_handle_len,
                     response) != 0)
                         goto out;
@@ -510,6 +515,7 @@ sk_sign(uint32_t alg, const uint8_t *message, size_t message_len,
         response = NULL;
         ret = 0;
  out:
+        explicit_bzero(message, sizeof(message));
         if (response != NULL) {
                 free(response->sig_r);
                 free(response->sig_s);
diff --git a/regress/netcat.c b/regress/netcat.c
index 2d86818e2..fe94dd908 100644
--- a/regress/netcat.c
+++ b/regress/netcat.c
@@ -64,6 +64,9 @@
 #ifdef HAVE_ERR_H
 # include <err.h>
 #endif
+#ifdef HAVE_SYS_BYTEORDER_H
+# include <sys/byteorder.h>
+#endif
 
 /* Telnet options from arpa/telnet.h */
 #define IAC     255
diff --git a/regress/percent.sh b/regress/percent.sh
new file mode 100644
index 000000000..2e891f693
--- /dev/null
+++ b/regress/percent.sh
@@ -0,0 +1,88 @@
+#       $OpenBSD: percent.sh,v 1.6 2020/04/10 00:54:03 dtucker Exp $
+#       Placed in the Public Domain.
+
+tid="percent expansions"
+
+if [ -x "/usr/xpg4/bin/id" ]; then
+        PATH=/usr/xpg4/bin:$PATH
+        export PATH
+fi
+
+USER=`id -u -n`
+USERID=`id -u`
+HOST=`hostname | cut -f1 -d.`
+HOSTNAME=`hostname`
+
+# Localcommand is evaluated after connection because %T is not available
+# until then.  Because of this we use a different method of exercising it,
+# and we can't override the remote user otherwise authentication will fail.
+# We also have to explicitly enable it.
+echo "permitlocalcommand yes" >> $OBJ/ssh_proxy
+
+trial()
+{
+        opt="$1"; arg="$2"; expect="$3"
+
+        trace "test $opt=$arg $expect"
+        rm -f $OBJ/actual
+        case "$opt" in
+        localcommand)
+                ${SSH} -F $OBJ/ssh_proxy -o $opt="echo '$arg' >$OBJ/actual" \
+                    somehost true
+                got=`cat $OBJ/actual`
+                ;;
+        matchexec)
+                (cat $OBJ/ssh_proxy && \
+                 echo "Match Exec \"echo '$arg' >$OBJ/actual\"") \
+                    >$OBJ/ssh_proxy_match
+                ${SSH} -F $OBJ/ssh_proxy_match remuser@somehost true || true
+                got=`cat $OBJ/actual`
+                ;;
+        *forward)
+                # LocalForward and RemoteForward take two args and only
+                # operate on Unix domain socket paths
+                got=`${SSH} -F $OBJ/ssh_proxy -o $opt="/$arg /$arg" -G \
+                    remuser@somehost | awk '$1=="'$opt'"{print $2" "$3}'`
+                expect="/$expect /$expect"
+                ;;
+        *)
+                got=`${SSH} -F $OBJ/ssh_proxy -o $opt="$arg" -G \
+                    remuser@somehost | awk '$1=="'$opt'"{print $2}'`
+        esac
+        if [ "$got" != "$expect" ]; then
+                fail "$opt=$arg expect $expect got $got"
+        fi
+}
+
+for i in matchexec localcommand remotecommand controlpath identityagent \
+    forwardagent localforward remoteforward; do
+        verbose $tid $i
+        if [ "$i" = "localcommand" ]; then
+                REMUSER=$USER
+                trial $i '%T' NONE
+        else
+                REMUSER=remuser
+        fi
+        # Matches implementation in readconf.c:ssh_connection_hash()
+        HASH=`printf "${HOSTNAME}127.0.0.1${PORT}$REMUSER" |
+            openssl sha1 | cut -f2 -d' '`
+        trial $i '%%' '%'
+        trial $i '%C' $HASH
+        trial $i '%i' $USERID
+        trial $i '%h' 127.0.0.1
+        trial $i '%d' $HOME
+        trial $i '%L' $HOST
+        trial $i '%l' $HOSTNAME
+        trial $i '%n' somehost
+        trial $i '%p' $PORT
+        trial $i '%r' $REMUSER
+        trial $i '%u' $USER
+        trial $i '%%/%C/%i/%h/%d/%L/%l/%n/%p/%r/%u' \
+            "%/$HASH/$USERID/127.0.0.1/$HOME/$HOST/$HOSTNAME/somehost/$PORT/$REMUSER/$USER"
+done
+
+# A subset of options support tilde expansion
+for i in controlpath identityagent forwardagent; do
+        trial $i '~' $HOME/
+        trial $i '~/.ssh' $HOME/.ssh
+done
diff --git a/regress/reexec.sh b/regress/reexec.sh
index 2192456cd..8966ba524 100644
--- a/regress/reexec.sh
+++ b/regress/reexec.sh
@@ -9,7 +9,10 @@ SSHD_COPY=$OBJ/sshd
 # Start a sshd and then delete it
 start_sshd_copy ()
 {
-        cp $SSHD_ORIG $SSHD_COPY
+        # NB. prefer ln to cp here. On some OSX 19.4 configurations,
+        # djm has seen failure after fork() when the executable image
+        # has been removed from the filesystem.
+        ln $SSHD_ORIG $SSHD_COPY || cp $SSHD_ORIG $SSHD_COPY
         SSHD=$SSHD_COPY
         start_sshd
         SSHD=$SSHD_ORIG
diff --git a/regress/sftp-badcmds.sh b/regress/sftp-badcmds.sh
index 7f85c4f22..5b016d558 100644
--- a/regress/sftp-badcmds.sh
+++ b/regress/sftp-badcmds.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: sftp-badcmds.sh,v 1.6 2013/05/17 10:26:26 dtucker Exp $
+#       $OpenBSD: sftp-badcmds.sh,v 1.7 2020/03/13 03:18:45 djm Exp $
 #       Placed in the Public Domain.
 
 tid="sftp invalid commands"
@@ -58,7 +58,7 @@ rm -rf ${COPY}
 cp ${DATA2} ${COPY}
 verbose "$tid: glob put files to local file"
 echo "put /bin/l* $COPY" | ${SFTP} -D ${SFTPSERVER} >/dev/null 2>&1 
-cmp ${DATA2} ${COPY} || fail "put successed when it should have failed"
+cmp ${DATA2} ${COPY} || fail "put succeeded when it should have failed"
 
 rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
 
diff --git a/regress/sshsig.sh b/regress/sshsig.sh
index da362c179..1e2f9dda4 100644
--- a/regress/sshsig.sh
+++ b/regress/sshsig.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: sshsig.sh,v 1.3 2019/11/26 23:43:10 djm Exp $
+#       $OpenBSD: sshsig.sh,v 1.4 2020/03/13 03:18:45 djm Exp $
 #       Placed in the Public Domain.
 
 tid="sshsig"
@@ -133,7 +133,7 @@ for t in $SIGNKEYS; do
         # check-novalidate with invalid data
         ${SSHKEYGEN} -vvv -Y check-novalidate -s $sigfile -n $sig_namespace \
                 < $DATA2 >/dev/null 2>&1 && \
-                fail "sucessfully checked signature for $t key with invalid data"
+                fail "succeeded checking signature for $t key with invalid data"
 
         # Check signing keys using ssh-agent.
         ${SSHADD} -D >/dev/null 2>&1 # Remove all previously-loaded keys.
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index a3a40719f..d8491b2be 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: test-exec.sh,v 1.75 2020/01/31 23:25:08 djm Exp $
+#       $OpenBSD: test-exec.sh,v 1.76 2020/04/04 23:04:41 dtucker Exp $
 #       Placed in the Public Domain.
 
 #SUDO=sudo
@@ -23,6 +23,16 @@ else
         PORT=4242
 fi
 
+# If configure tells us to use a different egrep, create a wrapper function
+# to call it.  This means we don't need to change all the tests that depend
+# on a good implementation.
+if test "x${EGREP}" != "x"; then
+        egrep ()
+{
+         ${EGREP} "$@"
+}
+fi
+
 if [ -x /usr/ucb/whoami ]; then
         USER=`/usr/ucb/whoami`
 elif whoami >/dev/null 2>&1; then
@@ -512,7 +522,9 @@ fi
 rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
 
 SSH_SK_PROVIDER=
-if [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
+if ! config_defined ENABLE_SK; then
+        trace skipping sk-dummy
+elif [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
         SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
 elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
         SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
@@ -537,14 +549,16 @@ maybe_filter_sk() {
 
 SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
 SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
- 
+
 for t in ${SSH_KEYTYPES}; do
         # generate user key
-        trace "generating key type $t"
         if [ ! -f $OBJ/$t ] || [ ${SSHKEYGEN_BIN} -nt $OBJ/$t ]; then
+                trace "generating key type $t"
                 rm -f $OBJ/$t
                 ${SSHKEYGEN} -q -N '' -t $t  -f $OBJ/$t ||\
                         fail "ssh-keygen for $t failed"
+        else
+                trace "using cached key type $t"
         fi
 
         # setup authorized keys
diff --git a/regress/unittests/authopt/Makefile b/regress/unittests/authopt/Makefile
index 492092fc6..e8edc7b5f 100644
--- a/regress/unittests/authopt/Makefile
+++ b/regress/unittests/authopt/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.4 2020/01/26 00:09:50 djm Exp $
+#       $OpenBSD: Makefile,v 1.5 2020/04/06 09:43:55 dtucker Exp $
 
 PROG=test_authopt
 SRCS=tests.c
@@ -17,6 +17,7 @@ SRCS+=ssh-ed25519-sk.c sk-usbhid.c
 
 SRCS+=digest-openssl.c
 #SRCS+=digest-libc.c
+SRCS+=utf8.c
 
 REGRESS_TARGETS=run-regress-${PROG}
 
diff --git a/regress/unittests/hostkeys/Makefile b/regress/unittests/hostkeys/Makefile
index c0a893135..d841d96be 100644
--- a/regress/unittests/hostkeys/Makefile
+++ b/regress/unittests/hostkeys/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.7 2020/01/26 00:09:50 djm Exp $
+#       $OpenBSD: Makefile,v 1.8 2020/04/06 09:43:56 dtucker Exp $
 
 PROG=test_hostkeys
 SRCS=tests.c test_iterate.c
@@ -15,6 +15,7 @@ SRCS+=ssh-ed25519-sk.c sk-usbhid.c
 
 SRCS+=digest-openssl.c
 #SRCS+=digest-libc.c
+SRCS+=utf8.c
 
 REGRESS_TARGETS=run-regress-${PROG}
 
diff --git a/regress/unittests/kex/Makefile b/regress/unittests/kex/Makefile
index 648006c78..1c5d68ce8 100644
--- a/regress/unittests/kex/Makefile
+++ b/regress/unittests/kex/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.9 2020/01/26 00:09:50 djm Exp $
+#       $OpenBSD: Makefile,v 1.10 2020/04/06 09:43:56 dtucker Exp $
 
 PROG=test_kex
 SRCS=tests.c test_kex.c
@@ -25,6 +25,7 @@ SRCS+=	smult_curve25519_ref.c
 SRCS+=  kexgen.c
 SRCS+=  kexsntrup4591761x25519.c
 SRCS+=  sntrup4591761.c
+SRCS+=  utf8.c
 
 SRCS+=digest-openssl.c
 #SRCS+=digest-libc.c
diff --git a/regress/unittests/sshkey/Makefile b/regress/unittests/sshkey/Makefile
index 78b2cf0ce..29c9b3ba7 100644
--- a/regress/unittests/sshkey/Makefile
+++ b/regress/unittests/sshkey/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.9 2020/01/26 00:09:50 djm Exp $
+#       $OpenBSD: Makefile,v 1.10 2020/04/06 09:43:56 dtucker Exp $
 
 PROG=test_sshkey
 SRCS=tests.c test_sshkey.c test_file.c test_fuzz.c common.c
@@ -15,6 +15,7 @@ SRCS+=ssh-ed25519-sk.c sk-usbhid.c
 
 SRCS+=digest-openssl.c
 #SRCS+=digest-libc.c
+SRCS+=utf8.c
 
 REGRESS_TARGETS=run-regress-${PROG}
 
diff --git a/regress/unittests/sshkey/mktestdata.sh b/regress/unittests/sshkey/mktestdata.sh
index 93da34c64..8efe6dd03 100755
--- a/regress/unittests/sshkey/mktestdata.sh
+++ b/regress/unittests/sshkey/mktestdata.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# $OpenBSD: mktestdata.sh,v 1.7 2018/09/12 01:36:45 djm Exp $
+# $OpenBSD: mktestdata.sh,v 1.10 2020/05/01 04:03:14 djm Exp $
 
 PW=mekmitasdigoat
 
@@ -56,8 +56,8 @@ ecdsa_params() {
             awk '/^pub:/,/^ASN1 OID:/' | #\
             grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.pub
         openssl ec -noout -text -in $_in | \
-            grep "ASN1 OID:" | tr -d '\n' | \
-            sed 's/.*: //;s/ *$//' > ${_outbase}.curve
+            grep "ASN1 OID:" | \
+            sed 's/.*: //;s/ *$//' | tr -d '\n' > ${_outbase}.curve
         for x in priv pub curve ; do
                 echo "" >> ${_outbase}.$x
                 echo ============ ${_outbase}.$x
@@ -77,20 +77,24 @@ rm -f rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw
 rm -f rsa_n_pw dsa_n_pw ecdsa_n_pw
 rm -f pw *.pub *.bn.* *.param.* *.fp *.fp.bb
 
-ssh-keygen -t rsa -b 1024 -C "RSA test key #1" -N "" -f rsa_1
-ssh-keygen -t dsa -b 1024 -C "DSA test key #1" -N "" -f dsa_1
-ssh-keygen -t ecdsa -b 256 -C "ECDSA test key #1" -N "" -f ecdsa_1
+ssh-keygen -t rsa -b 1024 -C "RSA test key #1" -N "" -f rsa_1 -m PEM
+ssh-keygen -t dsa -b 1024 -C "DSA test key #1" -N "" -f dsa_1 -m PEM
+ssh-keygen -t ecdsa -b 256 -C "ECDSA test key #1" -N "" -f ecdsa_1 -m PEM
 ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_1
 
-ssh-keygen -t rsa -b 2048 -C "RSA test key #2" -N "" -f rsa_2
-ssh-keygen -t dsa -b 1024 -C "DSA test key #2" -N "" -f dsa_2
-ssh-keygen -t ecdsa -b 521 -C "ECDSA test key #2" -N "" -f ecdsa_2
+ssh-keygen -t rsa -b 2048 -C "RSA test key #2" -N "" -f rsa_2 -m PEM
+ssh-keygen -t dsa -b 1024 -C "DSA test key #2" -N "" -f dsa_2 -m PEM
+ssh-keygen -t ecdsa -b 521 -C "ECDSA test key #2" -N "" -f ecdsa_2 -m PEM
 ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_2
 
 cp rsa_1 rsa_n
 cp dsa_1 dsa_n
 cp ecdsa_1 ecdsa_n
 
+ssh-keygen -pf rsa_n -N ""
+ssh-keygen -pf dsa_n -N ""
+ssh-keygen -pf ecdsa_n -N ""
+
 cp rsa_1 rsa_1_pw
 cp dsa_1 dsa_1_pw
 cp ecdsa_1 ecdsa_1_pw
@@ -99,13 +103,13 @@ cp rsa_1 rsa_n_pw
 cp dsa_1 dsa_n_pw
 cp ecdsa_1 ecdsa_n_pw
 
-ssh-keygen -pf rsa_1_pw -N "$PW"
-ssh-keygen -pf dsa_1_pw -N "$PW"
-ssh-keygen -pf ecdsa_1_pw -N "$PW"
+ssh-keygen -pf rsa_1_pw -m PEM -N "$PW"
+ssh-keygen -pf dsa_1_pw -m PEM -N "$PW"
+ssh-keygen -pf ecdsa_1_pw -m PEM -N "$PW"
 ssh-keygen -pf ed25519_1_pw -N "$PW"
-ssh-keygen -opf rsa_n_pw -N "$PW"
-ssh-keygen -opf dsa_n_pw -N "$PW"
-ssh-keygen -opf ecdsa_n_pw -N "$PW"
+ssh-keygen -pf rsa_n_pw -N "$PW"
+ssh-keygen -pf dsa_n_pw -N "$PW"
+ssh-keygen -pf ecdsa_n_pw -N "$PW"
 
 rsa_params rsa_1 rsa_1.param
 rsa_params rsa_2 rsa_2.param
diff --git a/regress/unittests/sshkey/testdata/dsa_n b/regress/unittests/sshkey/testdata/dsa_n
index d3f24824f..657624e0e 100644
--- a/regress/unittests/sshkey/testdata/dsa_n
+++ b/regress/unittests/sshkey/testdata/dsa_n
@@ -1,12 +1,21 @@
------BEGIN DSA PRIVATE KEY-----
-MIIBvAIBAAKBgQD6kutNFRsHTwEAv6d39Lhsqy1apdHBZ9c2HfyRr7WmypyGIy2m
-Ka43vzXI8CNwmRSYs+A6d0vJC7Pl+f9QzJ/04NWOA+MiwfurwrR3CRe61QRYb8Py
-mcHOxueHs95IcjrbIPNn86cjnPP5qvv/guUzCjuww4zBdJOXpligrGt2XwIVAKMD
-/50qQy7j8JaMk+1+Xtg1pK01AoGBAO7l9QVVbSSoy5lq6cOtvpf8UlwOa6+zBwbl
-o4gmFd1RwX1yWkA8kQ7RrhCSg8Hc6mIGnKRgKRli/3LgbSfZ0obFJehkRtEWtN4P
-h8fVUeS74iQbIwFQeKlYHIlNTRoGtAbdi3nHdV+BBkEQc1V3rjqYqhjOoz/yNsgz
-LND26HrdAoGBAOdXpyfmobEBaOqZAuvgj1P0uhjG2P31Ufurv22FWPBU3A9qrkxb
-OXwE0LwvjCvrsQV/lrYhJz/tiys40VeahulWZE5SAHMXGIf95LiLSgaXMjko7joo
-t+LK84ltLymwZ4QMnYjnZSSclf1UuyQMcUtb34+I0u9Ycnyhp2mSFsQtAhRYIbQ5
-KfXsZuBPuWe5FJz3ldaEgw==
------END DSA PRIVATE KEY-----
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABswAAAAdzc2gtZH
+NzAAAAgQD6kutNFRsHTwEAv6d39Lhsqy1apdHBZ9c2HfyRr7WmypyGIy2mKa43vzXI8CNw
+mRSYs+A6d0vJC7Pl+f9QzJ/04NWOA+MiwfurwrR3CRe61QRYb8PymcHOxueHs95IcjrbIP
+Nn86cjnPP5qvv/guUzCjuww4zBdJOXpligrGt2XwAAABUAowP/nSpDLuPwloyT7X5e2DWk
+rTUAAACBAO7l9QVVbSSoy5lq6cOtvpf8UlwOa6+zBwblo4gmFd1RwX1yWkA8kQ7RrhCSg8
+Hc6mIGnKRgKRli/3LgbSfZ0obFJehkRtEWtN4Ph8fVUeS74iQbIwFQeKlYHIlNTRoGtAbd
+i3nHdV+BBkEQc1V3rjqYqhjOoz/yNsgzLND26HrdAAAAgQDnV6cn5qGxAWjqmQLr4I9T9L
+oYxtj99VH7q79thVjwVNwPaq5MWzl8BNC8L4wr67EFf5a2ISc/7YsrONFXmobpVmROUgBz
+FxiH/eS4i0oGlzI5KO46KLfiyvOJbS8psGeEDJ2I52UknJX9VLskDHFLW9+PiNLvWHJ8oa
+dpkhbELQAAAdhWTOFbVkzhWwAAAAdzc2gtZHNzAAAAgQD6kutNFRsHTwEAv6d39Lhsqy1a
+pdHBZ9c2HfyRr7WmypyGIy2mKa43vzXI8CNwmRSYs+A6d0vJC7Pl+f9QzJ/04NWOA+Miwf
+urwrR3CRe61QRYb8PymcHOxueHs95IcjrbIPNn86cjnPP5qvv/guUzCjuww4zBdJOXplig
+rGt2XwAAABUAowP/nSpDLuPwloyT7X5e2DWkrTUAAACBAO7l9QVVbSSoy5lq6cOtvpf8Ul
+wOa6+zBwblo4gmFd1RwX1yWkA8kQ7RrhCSg8Hc6mIGnKRgKRli/3LgbSfZ0obFJehkRtEW
+tN4Ph8fVUeS74iQbIwFQeKlYHIlNTRoGtAbdi3nHdV+BBkEQc1V3rjqYqhjOoz/yNsgzLN
+D26HrdAAAAgQDnV6cn5qGxAWjqmQLr4I9T9LoYxtj99VH7q79thVjwVNwPaq5MWzl8BNC8
+L4wr67EFf5a2ISc/7YsrONFXmobpVmROUgBzFxiH/eS4i0oGlzI5KO46KLfiyvOJbS8psG
+eEDJ2I52UknJX9VLskDHFLW9+PiNLvWHJ8oadpkhbELQAAABRYIbQ5KfXsZuBPuWe5FJz3
+ldaEgwAAAAAB
+-----END OPENSSH PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/ecdsa_n b/regress/unittests/sshkey/testdata/ecdsa_n
index 80382b62d..9694f32e4 100644
--- a/regress/unittests/sshkey/testdata/ecdsa_n
+++ b/regress/unittests/sshkey/testdata/ecdsa_n
@@ -1,5 +1,8 @@
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIPPNyUAnjvFr+eT/7t/IyjuQQd/aLFiTY92LB9gIjyrMoAoGCCqGSM49
-AwEHoUQDQgAEDFlblkOrW9ydKVhtM+9AY3c9saBE7SG3lFx38nBavkADDaI9jh3/
-kvG/Jt9vpm22qwoklTCGDfzCkXkIKaWlBw==
------END EC PRIVATE KEY-----
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS
+1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQQMWVuWQ6tb3J0pWG0z70Bjdz2xoETt
+IbeUXHfycFq+QAMNoj2OHf+S8b8m32+mbbarCiSVMIYN/MKReQgppaUHAAAAoFrmmZBa5p
+mQAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAxZW5ZDq1vcnSlY
+bTPvQGN3PbGgRO0ht5Rcd/JwWr5AAw2iPY4d/5Lxvybfb6ZttqsKJJUwhg38wpF5CCmlpQ
+cAAAAhAPPNyUAnjvFr+eT/7t/IyjuQQd/aLFiTY92LB9gIjyrMAAAAAAECAwQFBgc=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/rsa1_1 b/regress/unittests/sshkey/testdata/rsa1_1
deleted file mode 100644
index 161cc04dc..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_1
+++ /dev/null
diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp b/regress/unittests/sshkey/testdata/rsa1_1.fp
deleted file mode 100644
index 21b3d1a9a..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_1.fp
+++ /dev/null
@@ -1 +0,0 @@
-SHA256:/kk7K9S9kwYFiFilnZYFwCsQJweI/SGQVR2nIa8VBhE
diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp.bb b/regress/unittests/sshkey/testdata/rsa1_1.fp.bb
deleted file mode 100644
index 62991b3e0..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_1.fp.bb
+++ /dev/null
@@ -1 +0,0 @@
-xilil-nabyf-gynih-duheb-gokyp-bofet-nekac-bosod-lozin-kuvyh-poxix
diff --git a/regress/unittests/sshkey/testdata/rsa1_1.param.n b/regress/unittests/sshkey/testdata/rsa1_1.param.n
deleted file mode 100644
index 9a2549bbb..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_1.param.n
+++ /dev/null
@@ -1 +0,0 @@
-00ce8ca77a556eba887f9a866c084a6402785354a81c10854d343181fa09351223a65f99915f8433d11a9c41677d307c03c3a39865b83e7172d2c1d878333c980438d6e4462106a0065cd75cfea7ca7f21538bf2f43f2af49cacee51b22e3bdcc5e87b59cc691f7c6942a77ef13bfdfb24300777b727348d0ba7900ba06b886729
diff --git a/regress/unittests/sshkey/testdata/rsa1_1.pub b/regress/unittests/sshkey/testdata/rsa1_1.pub
deleted file mode 100644
index f665b0d64..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_1.pub
+++ /dev/null
@@ -1 +0,0 @@
-1024 65537 145043942670517902781741650890610683756045780348507433188994725700923246927874581962206512480287863636935077725837494808988986557337885675565086448774391442851909709751605441036910145362277967349042489937363543710406342212883803780768870873303921572812138116796733586484633244057911618360651775855949808953129 RSA1 test key #1
diff --git a/regress/unittests/sshkey/testdata/rsa1_1_pw b/regress/unittests/sshkey/testdata/rsa1_1_pw
deleted file mode 100644
index e73c6794a..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_1_pw
+++ /dev/null
diff --git a/regress/unittests/sshkey/testdata/rsa1_2 b/regress/unittests/sshkey/testdata/rsa1_2
deleted file mode 100644
index 1d672ddea..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_2
+++ /dev/null
diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp b/regress/unittests/sshkey/testdata/rsa1_2.fp
deleted file mode 100644
index 00516d521..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_2.fp
+++ /dev/null
@@ -1 +0,0 @@
-SHA256:JaOeRCnLl/TLe7vn1+aQ4ONyKZCUhK5x3k4VHilmbpE
diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp.bb b/regress/unittests/sshkey/testdata/rsa1_2.fp.bb
deleted file mode 100644
index b4989a588..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_2.fp.bb
+++ /dev/null
@@ -1 +0,0 @@
-xipag-zohut-zepuk-pisyv-kamog-pupus-netud-tudis-melup-cynov-gaxox
diff --git a/regress/unittests/sshkey/testdata/rsa1_2.param.n b/regress/unittests/sshkey/testdata/rsa1_2.param.n
deleted file mode 100644
index 25d438d06..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_2.param.n
+++ /dev/null
@@ -1 +0,0 @@
-00cab091b57a154740c1bb7020f46a21a19dc40f647db2aab1babd30cabe241f0437391e68376ba35e48c624b8eaf6b59424d4c1a848c9fd1ef5cdc7c1b7f5e5df23b7ad513b79021286d38c52fdfae35656659e8649b2bf8bedf7c99664e45534007bd1c5dc3de1dafdf2d34ad087155951aa0f3d500b36d0d804bbccdef15ab31ca3dd40bdf5196065a97f397ef576caffb606be8232f6e0614aea0e979b9584296673fabb1dbd9f3212495c428842a2ab1f1768dd424fb6fdceeeab9126cacdfc834f0a0d09ba73ad8360d183ba85bb1565555cc6a536eb8d06df1a1e841107c021ae28a2d8b3465f9d8b58ef4045aea1c4ad7f8bf639574d6b142af67b4eb3
diff --git a/regress/unittests/sshkey/testdata/rsa1_2.pub b/regress/unittests/sshkey/testdata/rsa1_2.pub
deleted file mode 100644
index acab6dda6..000000000
--- a/regress/unittests/sshkey/testdata/rsa1_2.pub
+++ /dev/null
@@ -1 +0,0 @@
-2048 65537 25587207108642486834576012232250034427766229965612147538722032399009467293691448851087324679403117563681753304072089087252850866332601294130674473984011813227791089686736237645788471744456489819306046398653719249100878753563464696688916667605969658659855996383142110932332560049231682024775766802333675397528993897914717996946881193454997890776063024953924432026083898531677702536941151535135950834711001926404724453460085864892836473957600610133803037286539329764689125111700732309717375455919436557475211197800228646235077584780367991159670572954337165006813357814232200750568307753718414790655085790471723847208627 RSA1 test key #2
diff --git a/regress/unittests/sshkey/testdata/rsa_n b/regress/unittests/sshkey/testdata/rsa_n
index 5de3f8422..b8e585e51 100644
--- a/regress/unittests/sshkey/testdata/rsa_n
+++ b/regress/unittests/sshkey/testdata/rsa_n
@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQDLV5lUTt7FrADseB/CGhEZzpoojjEW5y8+ePvLppmK3MmMI18u
-d6vxzpK3bwZLYkVSyfJYI0HmIuGhdu7yMrW6wb84gbq8C31Xoe9EORcIUuGSvDKd
-NSM1SjlhDquRblDFB8kToqXyx1lqrXecXylxIUOL0jE+u0rU1967pDJx+wIDAQAB
-AoGAXyj5mpjmbD+YlxGIWz/zrM4hGsWgd4VteKEJxT6MMI4uzCRpkMd0ck8oHiwZ
-GAI/SwUzIsgtONQuH3AXVsUgghW4Ynn+8ksEv0IZ918WDMDwqvqkyrVzsOsZzqYj
-Pf8DUDKCpwFjnlknJ04yvWBZvVhWtY4OiZ8GV0Ttsu3k+GECQQD1YHfvBb5FdJBv
-Uhde2Il+jaFia8mwVVNNaiD2ECxXx6CzGz54ZLEB9NPVfDUZK8lJ4UJDqelWNh3i
-PF3RefWDAkEA1CVBzAFL4mNwpleVPzrfy69xP3gWOa26MxM/GE6zx9jC7HgQ3KPa
-WKdG/FuHs085aTRDaDLmGcZ8IvMuu7NgKQJAcIOKmxR0Gd8IN7NZugjqixggb0Pj
-mLKXXwESGiJyYtHL0zTj4Uqyi6Ya2GJ66o7UXscmnmYz828fJtTtZBdbRwJBALfi
-C2QvA32Zv/0PEXibKXy996WSC4G3ShwXZKtHHKHvCxY5BDSbehk59VesZrVPyG2e
-NYdOBxD0cIlCzJE56/ECQAndVkxvO8hwyEFGGwF3faHIAe/OxVb+MjaU25//Pe1/
-h/e6tlCk4w9CODpyV685gV394eYwMcGDcIkipTNUDZs=
------END RSA PRIVATE KEY-----
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAIEAy1eZVE7exawA7HgfwhoRGc6aKI4xFucvPnj7y6aZitzJjCNfLner
+8c6St28GS2JFUsnyWCNB5iLhoXbu8jK1usG/OIG6vAt9V6HvRDkXCFLhkrwynTUjNUo5YQ
+6rkW5QxQfJE6Kl8sdZaq13nF8pcSFDi9IxPrtK1Nfeu6QycfsAAAH4to4I7raOCO4AAAAH
+c3NoLXJzYQAAAIEAy1eZVE7exawA7HgfwhoRGc6aKI4xFucvPnj7y6aZitzJjCNfLner8c
+6St28GS2JFUsnyWCNB5iLhoXbu8jK1usG/OIG6vAt9V6HvRDkXCFLhkrwynTUjNUo5YQ6r
+kW5QxQfJE6Kl8sdZaq13nF8pcSFDi9IxPrtK1Nfeu6QycfsAAAADAQABAAAAgF8o+ZqY5m
+w/mJcRiFs/86zOIRrFoHeFbXihCcU+jDCOLswkaZDHdHJPKB4sGRgCP0sFMyLILTjULh9w
+F1bFIIIVuGJ5/vJLBL9CGfdfFgzA8Kr6pMq1c7DrGc6mIz3/A1AygqcBY55ZJydOMr1gWb
+1YVrWODomfBldE7bLt5PhhAAAAQAndVkxvO8hwyEFGGwF3faHIAe/OxVb+MjaU25//Pe1/
+h/e6tlCk4w9CODpyV685gV394eYwMcGDcIkipTNUDZsAAABBAPVgd+8FvkV0kG9SF17YiX
+6NoWJrybBVU01qIPYQLFfHoLMbPnhksQH009V8NRkryUnhQkOp6VY2HeI8XdF59YMAAABB
+ANQlQcwBS+JjcKZXlT8638uvcT94FjmtujMTPxhOs8fYwux4ENyj2linRvxbh7NPOWk0Q2
+gy5hnGfCLzLruzYCkAAAAAAQID
+-----END OPENSSH PRIVATE KEY-----