===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.421
retrieving revision 1.431
diff -u -r1.421 -r1.431
--- src/usr.bin/ssh/ssh-keygen.c	2020/10/18 11:32:02	1.421
+++ src/usr.bin/ssh/ssh-keygen.c	2021/07/09 09:55:56	1.431
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.421 2020/10/18 11:32:02 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.431 2021/07/09 09:55:56 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -26,10 +26,10 @@
 #include <fcntl.h>
 #include <netdb.h>
 #include <pwd.h>
+#include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <stdarg.h>
 #include <unistd.h>
 #include <limits.h>
 #include <locale.h>
@@ -55,6 +55,7 @@
 #include "sshsig.h"
 #include "ssh-sk.h"
 #include "sk-api.h" /* XXX for SSH_SK_USER_PRESENCE_REQD; remove */
+#include "cipher.h"
 
 #ifdef ENABLE_PKCS11
 #include "ssh-pkcs11.h"
@@ -178,7 +179,7 @@
 		fatal("unknown key type %s", key_type_name);
 	if (*bitsp == 0) {
 #ifdef WITH_OPENSSL
-		u_int nid;
+		int nid;
 
 		switch(type) {
 		case KEY_DSA:
@@ -1317,7 +1318,7 @@
 	foreach_options |= print_fingerprint ? HKF_WANT_PARSE_KEY : 0;
 	if ((r = hostkeys_foreach(identity_file, (find_host || !hash_hosts) ?
 	    known_hosts_find_delete : known_hosts_hash, &ctx, name, NULL,
-	    foreach_options)) != 0) {
+	    foreach_options, 0)) != 0) {
 		if (inplace)
 			unlink(tmp);
 		fatal_fr(r, "hostkeys_foreach");
@@ -1831,7 +1832,7 @@
 			}
 			r = sshkey_certify(public, ca, key_type_name,
 			    sk_provider, pin);
-			notify_complete(notifier);
+			notify_complete(notifier, "User presence confirmed");
 			if (r != 0)
 				fatal_r(r, "Couldn't certify key %s", tmp);
 		}
@@ -1985,7 +1986,7 @@
 			fatal("Invalid source-address list");
 		certflags_src_addr = xstrdup(val);
 	} else if (strncasecmp(opt, "extension:", 10) == 0 ||
-		   (iscrit = (strncasecmp(opt, "critical:", 9) == 0))) {
+		    (iscrit = (strncasecmp(opt, "critical:", 9) == 0))) {
 		val = xstrdup(strchr(opt, ':') + 1);
 		if ((cp = strchr(val, '=')) != NULL)
 			*cp++ = '\0';
@@ -2705,12 +2706,12 @@
 				fatal_f("sshkey_fingerprint failed");
 			if (principal == NULL) {
 				printf("Good \"%s\" signature with %s key %s\n",
-				       sig_namespace, sshkey_type(sign_key), fp);
+				    sig_namespace, sshkey_type(sign_key), fp);
 
 			} else {
 				printf("Good \"%s\" signature for %s with %s key %s\n",
-				       sig_namespace, principal,
-				       sshkey_type(sign_key), fp);
+				    sig_namespace, principal,
+				    sshkey_type(sign_key), fp);
 			}
 		} else {
 			printf("Could not verify signature.\n");
@@ -2745,7 +2746,8 @@
 	}
 	if ((r = sshsig_find_principals(allowed_keys, sign_key,
 	    &principals)) != 0) {
-		error_fr(r, "sshsig_get_principal");
+		if (r != SSH_ERR_KEY_NOT_FOUND)
+			error_fr(r, "sshsig_find_principal");
 		goto done;
 	}
 	ret = 0;
@@ -3044,9 +3046,9 @@
 	    "usage: ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]\n"
 	    "                  [-m format] [-N new_passphrase] [-O option]\n"
 	    "                  [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]\n"
-	    "                  [-w provider]\n"
+	    "                  [-w provider] [-Z cipher]\n"
 	    "       ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]\n"
-	    "                   [-P old_passphrase]\n"
+	    "                   [-P old_passphrase] [-Z cipher]\n"
 	    "       ssh-keygen -i [-f input_keyfile] [-m key_format]\n"
 	    "       ssh-keygen -e [-f input_keyfile] [-m key_format]\n"
 	    "       ssh-keygen -y [-f input_keyfile]\n"
@@ -3079,7 +3081,7 @@
 	    "       ssh-keygen -Y check-novalidate -n namespace -s signature_file\n"
 	    "       ssh-keygen -Y sign -f key_file -n namespace file ...\n"
 	    "       ssh-keygen -Y verify -f allowed_signers_file -I signer_identity\n"
-	    "       		-n namespace -s signature_file [-r revocation_file]\n");
+	    "                  -n namespace -s signature_file [-r revocation_file]\n");
 	exit(1);
 }
 
@@ -3129,6 +3131,7 @@
 	pw = getpwuid(getuid());
 	if (!pw)
 		fatal("No user exists for uid %lu", (u_long)getuid());
+	pw = pwcopy(pw);
 	if (gethostname(hostname, sizeof(hostname)) == -1)
 		fatal("gethostname: %s", strerror(errno));
 
@@ -3234,6 +3237,9 @@
 			break;
 		case 'Z':
 			openssh_format_cipher = optarg;
+			if (cipher_by_name(openssh_format_cipher) == NULL)
+				fatal("Invalid OpenSSH-format cipher '%s'",
+				    openssh_format_cipher);
 			break;
 		case 'C':
 			identity_comment = optarg;
@@ -3340,12 +3346,12 @@
 		if (strncmp(sign_op, "find-principals", 15) == 0) {
 			if (ca_key_path == NULL) {
 				error("Too few arguments for find-principals:"
-				      "missing signature file");
+				    "missing signature file");
 				exit(1);
 			}
 			if (!have_identity) {
 				error("Too few arguments for find-principals:"
-				      "missing allowed keys file");
+				    "missing allowed keys file");
 				exit(1);
 			}
 			return sig_find_principals(ca_key_path, identity_file);
@@ -3366,7 +3372,7 @@
 		} else if (strncmp(sign_op, "check-novalidate", 16) == 0) {
 			if (ca_key_path == NULL) {
 				error("Too few arguments for check-novalidate: "
-				      "missing signature file");
+				    "missing signature file");
 				exit(1);
 			}
 			return sig_verify(ca_key_path, cert_principals,