3 files changed, 83 insertions, 98 deletions

diff --git a/lib/public_key/src/pubkey_pbe.erl b/lib/public_key/src/pubkey_pbe.erl
index 0243bcaa82..e89e16f120 100644
--- a/lib/public_key/src/pubkey_pbe.erl
+++ b/lib/public_key/src/pubkey_pbe.erl
@@ -222,7 +222,8 @@ pbe_pad(Data, {#'PBEParameter'{}, _}) ->
 pbe_pad(Data, #'PBES2-params'{}) ->
     pbe_pad(Data);
 pbe_pad(Data, _) ->
-    Data.
+pbe_pad(Data).%%    Data.
+
 
 pbe_pad(Data) ->
     N = 8 - (erlang:byte_size(Data) rem 8), 
diff --git a/lib/public_key/src/pubkey_ssh.erl b/lib/public_key/src/pubkey_ssh.erl
index 75c1880655..a7d018e440 100644
--- a/lib/public_key/src/pubkey_ssh.erl
+++ b/lib/public_key/src/pubkey_ssh.erl
@@ -29,7 +29,15 @@
 	]).
 
 -define(UINT32(X), X:32/unsigned-big-integer).
--define(STRING(X), ?UINT32((size(X))), (X)/binary).
+-define(STRING(X), ?UINT32((byte_size(X))), (X)/binary).
+
+-define(DEC_BIN(X,Len),   ?UINT32(Len), X:Len/binary ).
+-define(DEC_MPINT(I,Len), ?DEC_INT(I,Len) ).
+-define(DEC_INT(I,Len),   ?UINT32(Len), I:Len/big-signed-integer-unit:8 ).
+
+-define(Empint(X),  (mpint(X))/binary ).
+-define(Estring(X), (string(X))/binary ).
+
 
 %% Max encoded line length is 72, but conformance examples use 68
 %% Comment from rfc 4716: "The following are some examples of public
@@ -47,12 +55,12 @@
 %% Description: Decodes a ssh file-binary.
 %%--------------------------------------------------------------------
 decode(Bin, public_key)->
-    case binary:match(Bin, begin_marker()) of
-	nomatch ->
-	    openssh_decode(Bin, openssh_public_key);
-	_ ->
-	    rfc4716_decode(Bin)
-    end;
+    PKtype =
+        case binary:match(Bin, begin_marker()) of
+            nomatch -> openssh_public_key;
+            _ -> rfc4716_public_key
+        end,
+    decode(Bin, PKtype);
 decode(Bin, rfc4716_public_key) ->
     rfc4716_decode(Bin);
 decode(Bin, ssh2_pubkey) ->
@@ -164,26 +172,8 @@ join_entry([Line | Lines], Entry) ->
     join_entry(Lines, [Line | Entry]).
 
 
-rfc4716_pubkey_decode(<<?UINT32(Len), Type:Len/binary,
-			?UINT32(SizeE), E:SizeE/binary,
-			?UINT32(SizeN), N:SizeN/binary>>) when Type == <<"ssh-rsa">> ->
-    #'RSAPublicKey'{modulus = erlint(SizeN, N),
-		    publicExponent = erlint(SizeE, E)};
-
-rfc4716_pubkey_decode(<<?UINT32(Len), Type:Len/binary,
-			?UINT32(SizeP), P:SizeP/binary,
-			?UINT32(SizeQ), Q:SizeQ/binary,
-			?UINT32(SizeG), G:SizeG/binary,
-			?UINT32(SizeY), Y:SizeY/binary>>) when Type == <<"ssh-dss">> ->
-    {erlint(SizeY, Y),
-     #'Dss-Parms'{p = erlint(SizeP, P),
-		  q = erlint(SizeQ, Q),
-		  g = erlint(SizeG, G)}};
-rfc4716_pubkey_decode(<<?UINT32(Len), ECDSA_SHA2_etc:Len/binary,
-			?UINT32(SizeId), Id:SizeId/binary,
-			?UINT32(SizeQ), Q:SizeQ/binary>>) ->
-    <<"ecdsa-sha2-", Id/binary>> = ECDSA_SHA2_etc,
-    {#'ECPoint'{point = Q}, {namedCurve,public_key:ssh_curvename2oid(Id)}}.
+rfc4716_pubkey_decode(BinKey) -> ssh2_pubkey_decode(BinKey).
+
 
 openssh_decode(Bin, FileType) ->
     Lines = binary:split(Bin, <<"\n">>, [global]),
@@ -267,18 +257,14 @@ decode_comment(Comment) ->
 
 openssh_pubkey_decode(Type,  Base64Enc) ->
     try
-	ssh2_pubkey_decode(Type,  base64:mime_decode(Base64Enc))
+        <<?DEC_BIN(Type,_TL), Bin/binary>> = base64:mime_decode(Base64Enc),
+	ssh2_pubkey_decode(Type,  Bin)
     catch
 	_:_ ->
 	    {Type, base64:mime_decode(Base64Enc)}
     end.
 
 
-erlint(MPIntSize, MPIntValue) ->
-    Bits= MPIntSize * 8,
-    <<Integer:Bits/integer>> = MPIntValue,
-    Integer.
-
 ssh1_rsa_pubkey_decode(MBin, EBin) ->
     #'RSAPublicKey'{modulus = integer_decode(MBin),
 		    publicExponent = integer_decode(EBin)}.
@@ -411,71 +397,37 @@ comma_list_encode([Option | Rest], Acc) ->
 
 
 ssh2_pubkey_encode(#'RSAPublicKey'{modulus = N, publicExponent = E}) ->
-    ssh2_pubkey_encode({#'RSAPublicKey'{modulus = N, publicExponent = E}, 'ssh-rsa'});
-
-ssh2_pubkey_encode({Key, 'rsa-sha2-256'}) -> ssh2_pubkey_encode({Key, 'ssh-rsa'});
-ssh2_pubkey_encode({Key, 'rsa-sha2-512'}) -> ssh2_pubkey_encode({Key, 'ssh-rsa'});
-ssh2_pubkey_encode({#'RSAPublicKey'{modulus = N, publicExponent = E}, SignAlg}) ->
-    SignAlgName = list_to_binary(atom_to_list(SignAlg)),
-    StrLen = size(SignAlgName),
-    EBin = mpint(E),
-    NBin = mpint(N),
-    <<?UINT32(StrLen), SignAlgName:StrLen/binary,
-      EBin/binary,
-      NBin/binary>>;
-ssh2_pubkey_encode({{_,#'Dss-Parms'{}}=Key, _}) ->
-    ssh2_pubkey_encode(Key);
+    <<?STRING(<<"ssh-rsa">>), ?Empint(E), ?Empint(N)>>;
 ssh2_pubkey_encode({Y,  #'Dss-Parms'{p = P, q = Q, g = G}}) ->
-    TypeStr = <<"ssh-dss">>,
-    StrLen = size(TypeStr),
-    PBin = mpint(P),
-    QBin = mpint(Q),
-    GBin = mpint(G),
-    YBin = mpint(Y),
-    <<?UINT32(StrLen), TypeStr:StrLen/binary,
-      PBin/binary,
-      QBin/binary,
-      GBin/binary,
-      YBin/binary>>;
-ssh2_pubkey_encode({{#'ECPoint'{},_}=Key, _}) ->
-    ssh2_pubkey_encode(Key);
+    <<?STRING(<<"ssh-dss">>), ?Empint(P), ?Empint(Q), ?Empint(G), ?Empint(Y)>>;
 ssh2_pubkey_encode(Key={#'ECPoint'{point = Q}, {namedCurve,OID}}) ->
-    TypeStr = key_type(Key),
-    StrLen = size(TypeStr),
-    IdB = public_key:oid2ssh_curvename(OID),
-    <<?UINT32(StrLen), TypeStr:StrLen/binary,
-      (string(IdB))/binary,
-      (string(Q))/binary>>.
+    Curve = public_key:oid2ssh_curvename(OID),
+    <<?STRING(key_type(Key)), ?Estring(Curve), ?Estring(Q)>>.
 
 
-ssh2_pubkey_decode(Bin = <<?UINT32(Len), Type:Len/binary, _/binary>>) ->
+ssh2_pubkey_decode(<<?DEC_BIN(Type,_TL), Bin/binary>>) ->
     ssh2_pubkey_decode(Type, Bin).
 
-ssh2_pubkey_decode(<<"rsa-sha2-256">>, Bin) -> ssh2_pubkey_decode(<<"ssh-rsa">>, Bin);
-ssh2_pubkey_decode(<<"rsa-sha2-512">>, Bin) -> ssh2_pubkey_decode(<<"ssh-rsa">>, Bin);
+%% ssh2_pubkey_decode(<<"rsa-sha2-256">>, Bin) -> ssh2_pubkey_decode(<<"ssh-rsa">>, Bin);
+%% ssh2_pubkey_decode(<<"rsa-sha2-512">>, Bin) -> ssh2_pubkey_decode(<<"ssh-rsa">>, Bin);
 ssh2_pubkey_decode(<<"ssh-rsa">>,
-		   <<?UINT32(Len),   _:Len/binary,
-		     ?UINT32(SizeE), E:SizeE/binary,
-		     ?UINT32(SizeN), N:SizeN/binary>>) ->
-    #'RSAPublicKey'{modulus = erlint(SizeN, N),
-		    publicExponent = erlint(SizeE, E)};
+                   <<?DEC_INT(E, _EL),
+                     ?DEC_INT(N, _NL)>>) ->
+    #'RSAPublicKey'{modulus = N,
+		    publicExponent = E};
 
 ssh2_pubkey_decode(<<"ssh-dss">>,
-		   <<?UINT32(Len),   _:Len/binary,
-		     ?UINT32(SizeP), P:SizeP/binary,
-		     ?UINT32(SizeQ), Q:SizeQ/binary,
-		     ?UINT32(SizeG), G:SizeG/binary,
-		     ?UINT32(SizeY), Y:SizeY/binary>>) ->
-    {erlint(SizeY, Y),
-     #'Dss-Parms'{p = erlint(SizeP, P),
-		  q = erlint(SizeQ, Q),
-		  g = erlint(SizeG, G)}};
+                   <<?DEC_INT(P, _PL),
+                     ?DEC_INT(Q, _QL),
+                     ?DEC_INT(G, _GL),
+                     ?DEC_INT(Y, _YL)>>) ->
+    {Y, #'Dss-Parms'{p = P,
+                     q = Q,
+                     g = G}};
 
 ssh2_pubkey_decode(<<"ecdsa-sha2-",Id/binary>>,
-		   <<?UINT32(Len), ECDSA_SHA2_etc:Len/binary,
-		     ?UINT32(SizeId), Id:SizeId/binary,
-		     ?UINT32(SizeQ), Q:SizeQ/binary>>) ->
-    <<"ecdsa-sha2-", Id/binary>> = ECDSA_SHA2_etc,
+                   <<?DEC_BIN(Id, _IL),
+                     ?DEC_BIN(Q, _QL)>>) ->
     {#'ECPoint'{point = Q}, {namedCurve,public_key:ssh_curvename2oid(Id)}}.
 
 
@@ -575,17 +527,16 @@ mpint(X) -> mpint_pos(X).
 
 mpint_neg(X) ->
     Bin = int_to_bin_neg(X, []),
-    Sz = byte_size(Bin),
-    <<?UINT32(Sz), Bin/binary>>.
+    <<?STRING(Bin)>>.
     
 mpint_pos(X) ->
     Bin = int_to_bin_pos(X, []),
     <<MSB,_/binary>> = Bin,
-    Sz = byte_size(Bin),
     if MSB band 16#80 == 16#80 ->
-	    <<?UINT32((Sz+1)), 0, Bin/binary>>;
+            B = << 0, Bin/binary>>,
+	    <<?STRING(B)>>;
        true ->
-	    <<?UINT32(Sz), Bin/binary>>
+	    <<?STRING(Bin)>>
     end.
 
 int_to_bin_pos(0,Ds=[_|_]) ->
@@ -602,7 +553,8 @@ int_to_bin_neg(X,Ds) ->
 string(X) when is_binary(X) ->
     << ?STRING(X) >>;
 string(X) ->
-    << ?STRING(list_to_binary(X)) >>.
+    B = list_to_binary(X),
+    << ?STRING(B) >>.
 
 is_ssh_curvename(Id) -> try public_key:ssh_curvename2oid(Id) of _ -> true
 			catch _:_  -> false
diff --git a/lib/public_key/src/public_key.erl b/lib/public_key/src/public_key.erl
index cc01b61433..c6ab4d06ae 100644
--- a/lib/public_key/src/public_key.erl
+++ b/lib/public_key/src/public_key.erl
@@ -942,7 +942,6 @@ ssh_decode(SshBin, Type) when is_binary(SshBin),
 %%--------------------------------------------------------------------
 -spec ssh_encode([{public_key(), Attributes::list()}], ssh_file()) -> binary()
 	      ; (public_key(), ssh2_pubkey) -> binary()
-	      ; ({public_key(),atom()}, ssh2_pubkey) -> binary()
 	      .
 %%
 %% Description: Encodes a list of ssh file entries (public keys and
@@ -1454,13 +1453,43 @@ verify_hostname_match_default0({dns_id,R}, {dNSName,P}) ->
     R==P;
 verify_hostname_match_default0({uri_id,R}, {uniformResourceIdentifier,P}) ->
     R==P;
-verify_hostname_match_default0({srv_id,R}, {T,P}) when T == srvName ;
-                                                       T == ?srvName_OID ->
+verify_hostname_match_default0({ip,R}, {iPAddress,P}) when length(P) == 4 ->
+    %% IPv4
+    try
+        list_to_tuple(P)
+            == if is_tuple(R), size(R)==4 -> R;
+                  is_list(R) -> ok(inet:parse_ipv4strict_address(R))
+               end
+    catch
+        _:_ ->
+            false
+    end;
+
+verify_hostname_match_default0({ip,R}, {iPAddress,P}) when length(P) == 16 ->
+    %% IPv6. The length 16 is due to the certificate specification.
+    try
+        l16_to_tup(P)
+            == if is_tuple(R), size(R)==8 -> R;
+                  is_list(R) -> ok(inet:parse_ipv6strict_address(R))
+               end
+    catch
+        _:_ ->
+            false
+    end;
+verify_hostname_match_default0({srv_id,R}, {srvName,P}) ->
+    R==P;
+verify_hostname_match_default0({srv_id,R}, {?srvName_OID,P}) ->
     R==P;
 verify_hostname_match_default0(_, _) ->
     false.
 
+ok({ok,X}) -> X.
 
+l16_to_tup(L) -> list_to_tuple(l16_to_tup(L, [])).
+%%
+l16_to_tup([A,B|T], Acc) -> l16_to_tup(T, [(A bsl 8) bor B | Acc]);
+l16_to_tup([], Acc) -> lists:reverse(Acc).
+    
 match_wild(A,     [$*|B]) -> match_wild_suffixes(A, B);
 match_wild([C|A], [ C|B]) -> match_wild(A, B);
 match_wild([],        []) -> true;
@@ -1499,13 +1528,16 @@ verify_hostname_match_loop(Refs, Pres, MatchFun, FailCB, Cert) ->
       Refs).
 
 
+to_lower_ascii({ip,_}=X) -> X;
+to_lower_ascii({iPAddress,_}=X) -> X;
 to_lower_ascii(S) when is_list(S) -> lists:map(fun to_lower_ascii/1, S);
 to_lower_ascii({T,S}) -> {T, to_lower_ascii(S)};
 to_lower_ascii(C) when $A =< C,C =< $Z -> C + ($a-$A);
 to_lower_ascii(C) -> C.
 
 to_string(S) when is_list(S) -> S;
-to_string(B) when is_binary(B) -> binary_to_list(B).
+to_string(B) when is_binary(B) -> binary_to_list(B);
+to_string(X) -> X.
 
 format_details([]) ->
     no_relevant_crls;