Robin_Jadoul/testing - Change UHAEQPZUODJ5YVBZJPPJVLO7EBW6DC2JXHQBN26ARELAVULG3JUQC

Support ecdsa-sha2-nistp256 keys for authentication

Created by Robin_Jadoul on April 14, 2023

UHAEQPZUODJ5YVBZJPPJVLO7EBW6DC2JXHQBN26ARELAVULG3JUQC

Dependencies

In channels

main

Change contents

Replacement in thrussh-keys/src/signature.rs at line 18 [4.5821]

B:BD[4.6321] → [4.6321:6370]

    RSA { hash: SignatureHash, bytes: Vec<u8> },

[4.6321]

[4.6370]

    RSA {
        hash: SignatureHash,
        bytes: Vec<u8>,
    },
    P256(Vec<u8>), // Can't use SignatureBytes because ssh mpint encoding

Insertion in thrussh-keys/src/signature.rs at line 52 [4.5821]

[4.7453]

            }
            Signature::P256(ref bytes) => {
                let t = b"ecdsa-sha2-nistp256";
                bytes_
                    .write_u32::<BigEndian>((t.len() + bytes.len() + 8) as u32)
                    .unwrap();
                bytes_.extend_ssh_string(t);
                bytes_.extend_ssh_string(&bytes);

Insertion in thrussh-keys/src/signature.rs at line 87 [4.5821]

[4.8412]

            b"ecdsa-sha2-nistp256" => Ok(Signature::P256(bytes.to_vec())),

Insertion in thrussh-keys/src/signature.rs at line 101 [4.5821]
[4.8808]
[4.8808]
```
            Signature::P256(ref signature) => &signature,
```

Replacement in thrussh-keys/src/lib.rs at line 13 [4.21590]

B:BD[4.22188] → [4.22188:22195]

//!```

[4.22188]

[4.22195]

#![cfg_attr(not(feature = "openssl"), doc = "```no_run")]
#![cfg_attr(feature = "openssl", doc = "```")]

Insertion in thrussh-keys/src/lib.rs at line 122 [4.21590]
[5.952]
[5.952]
```
    #[cfg(feature = "p256")]
```

Insertion in thrussh-keys/src/lib.rs at line 124 [4.21590]

[5.978]

    P256(#[from] p256::elliptic_curve::Error),
    #[cfg(feature = "p256")]
    #[error(transparent)]
    P256ECDSA(#[from] p256::ecdsa::Error),
    #[error(transparent)]

Insertion in thrussh-keys/src/lib.rs at line 154 [4.21590]
[4.27479]
[4.27479]
```
const KEYTYPE_P256: &'static [u8] = b"ecdsa-sha2-nistp256";
```
Replacement in thrussh-keys/src/lib.rs at line 158 [4.21590]
B:BD[4.27555] → [4.27555:27563]
```
/// ```
```
[4.27555]
[4.27563]
```
/// ```no_run
```

Insertion in thrussh-keys/src/lib.rs at line 217 [4.21590]

[4.29595]

            }
            #[cfg(feature = "p256")]
            key::PublicKey::P256(ref publickey) => {
                use encoding::Encoding;
                s.extend_ssh_string(b"ecdsa-sha2-nistp256");
                s.extend_ssh_string(b"nistp256");
                s.extend_ssh_string(&publickey.to_sec1_bytes());

Insertion in thrussh-keys/src/lib.rs at line 248 [4.21590]

[4.30339]

            #[cfg(feature = "p256")]
            key::KeyPair::P256(ref key) => {
                use encoding::Encoding;
                let public = p256::ecdsa::SigningKey::from(key)
                    .verifying_key()
                    .to_sec1_bytes();
                s.extend_ssh_string(b"ecdsa-sha2-nistp256");
                s.extend_ssh_string(b"nistp256");
                s.extend_ssh_string(&public);
            }

Insertion in thrussh-keys/src/lib.rs at line 479 [4.21590]

[4.38275]

-----END OPENSSH PRIVATE KEY-----";
    #[cfg(feature = "p256")]
    const P256_KEY: &'static str = "-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABAh
krrfr9PH+vNievobev0EAAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAy
NTYAAAAIbmlzdHAyNTYAAABBBHtLt3JSpJSWyg7Tvx7LNuWEjX8lFJDupLh14RwW
zy5TaiVMM4iF+gZlzM12r6mVwWdQq9fTcN/QhElyR4m34oIAAACwe18misSLWNBp
kWsNwQD9+wZx6w4YHykv/hA1v4B1iavk176z4JwtzwnS0sDSW+ME2HEpO7uJMlAc
1ZItX9W+dRdFjPkKYibMCCcylOIUrjqWkhFnFOpHrTsiyuIwBFwSrfis8r2AX5xb
EsDf+t3612/JMMTJMUvqsK9hxR6SrT73CS2W4/UbAQ1O0b7eDShH9zMyiMC4lYec
Ru6GNGRltIpY3hqCB6di+lzu6iPrMEE=

Replacement in thrussh-keys/src/lib.rs at line 509 [4.21590]

B:BD[4.38717] → [5.1308:1340]

    #[cfg(feature = "openssl")]

[4.38717]

    #[cfg(feature = "p256")]
    fn test_decode_p256_secret_key() {
        extern crate env_logger;
        env_logger::try_init().unwrap_or(());
        decode_secret_key(P256_KEY, Some("blabla")).unwrap();
    }
    #[test]

Insertion in thrussh-keys/src/lib.rs at line 640 [4.21590]

[4.45145]

    #[cfg(feature = "p256")]
    pub const PKCS8_P256: &'static str = "-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHsMFcGCSqGSIb3DQEFDTBKMCkGCSqGSIb3DQEFDDAcBAh155uUbhbyFQICCAAw
DAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEL4PGMOq8KM573vkRzh8GSMEgZBt
6UPxhwgoiSqXdlfe/1hTzVKFjpFQNe5UUXxPHlw1a7+24sPzHwqY39tVWlbNO4QR
0bwebnTG8/pMR2X/3Hch2d/okVlfpeqYTyiBcbW1nXAJtK+eorZ80P2UCHD/X7sj
iLhibttN17vvg7HZPqf9wQm+Mef97nmP13oEFU3s856haS3T0OVVh+d+dpLuntM=
-----END ENCRYPTED PRIVATE KEY-----";

Replacement in thrussh-keys/src/lib.rs at line 731 [4.21590]
∅:D[5.1667] → [4.49226:49248]
B:BD[4.49226] → [4.49226:49248]
```
    fn test_pkcs8() {
```
[5.1667]
[4.49248]
```
    fn test_pkcs8_rsa() {
```

Insertion in thrussh-keys/src/lib.rs at line 737 [4.21590]

[4.49391]

[5.1732]

    #[test]
    #[cfg(feature = "p256")]
    fn test_pkcs8_p256() {
        env_logger::try_init().unwrap_or(());
        decode_secret_key(PKCS8_P256, Some("blabla")).unwrap();
    }

Insertion in thrussh-keys/src/lib.rs at line 878 [4.21590]

[4.55759]

[5.2424]

    #[cfg(feature = "p256")]
    fn test_client_agent_p256() {
        let key = decode_secret_key(PKCS8_P256, Some("blabla")).unwrap();
        test_client_agent(key)
    }
    #[test]
    #[cfg(feature = "p256")]
    fn test_client_agent_openssh_p256() {
        let key = decode_secret_key(P256_KEY, Some("blabla")).unwrap();
        test_client_agent(key)
    }
    #[test]

Insertion in thrussh-keys/src/key.rs at line 21 [4.57451]
[4.58203]
[5.2869]
```
#[cfg(feature = "p256")]
use p256::ecdsa::signature::Verifier;
```

Insertion in thrussh-keys/src/key.rs at line 48 [4.57451]

[4.58872]

/// The name of the ecdsa-sha2-nistp256 algorithm for SSH.
pub const ECDSA_SHA2_NISTP256: Name = Name("ecdsa-sha2-nistp256");

Insertion in thrussh-keys/src/key.rs at line 114 [4.57451]

[4.60477]

    #[doc(hidden)]
    #[cfg(feature = "p256")]
    P256(p256::PublicKey),

Insertion in thrussh-keys/src/key.rs at line 196 [4.57451]

[4.63024]

            b"ecdsa-sha2-nistp256" if cfg!(feature = "p256") => {
                #[cfg(feature = "p256")]
                {
                    let mut p = pubkey.reader(0);
                    let key_algo = p.read_string()?;
                    let identifier = p.read_string()?;
                    if key_algo != b"ecdsa-sha2-nistp256" || identifier != b"nistp256" {
                        debug!("Rejecting {identifier:?} for not being nistp256");
                        return Err(Error::CouldNotReadKey.into());
                    }
                    let sec1_bytes = p.read_string()?;
                    return p256::PublicKey::from_sec1_bytes(sec1_bytes)
                        .map(PublicKey::P256)
                        .map_err(|e| {
                            debug!("from_sec1_bytes failure: {e:?}");
                            Error::CouldNotReadKey
                        });
                }
                #[cfg(not(feature = "p256"))]
                unreachable!();
            }

Insertion in thrussh-keys/src/key.rs at line 227 [4.57451]

[4.63304]

            #[cfg(feature = "p256")]
            PublicKey::P256(_) => ECDSA_SHA2_NISTP256.0,

Insertion in thrussh-keys/src/key.rs at line 247 [4.57451]

[4.63941]

            }
            #[cfg(feature = "p256")]
            &PublicKey::P256(ref public) => {
                let mut reader = sig.reader(0);
                let mut concat = [0u8; 64];
                // Ad-hoc reading of mpints:
                //  - We only consider the last 32 bytes => leading 0 is still treated fine
                //  - We implicitly pad missing leading bytes as 0, which is also fine for a modular value
                match reader.read_mpint() {
                    Ok(r) => r.into_iter().rev().enumerate().for_each(|(i, b)| {
                        if i < 32 {
                            concat[31 - i] = *b;
                        }
                    }),
                    Err(_) => {
                        debug!("Malformed scalar: r");
                        return false;
                    }
                };
                match reader.read_mpint() {
                    Ok(s) => s.into_iter().rev().enumerate().for_each(|(i, b)| {
                        if i < 32 {
                            concat[63 - i] = *b;
                        }
                    }),
                    Err(_) => {
                        debug!("Malformed scalar: s");
                        return false;
                    }
                };
                p256::ecdsa::Signature::from_slice(&concat)
                    .and_then(|sig| {
                        p256::ecdsa::VerifyingKey::from(public)
                            .verify(buffer, &sig)
                            .map(|()| true)
                    })
                    .unwrap_or(false)

Insertion in thrussh-keys/src/key.rs at line 333 [4.57451]
[4.64687]
[4.64687]
```
    #[cfg(feature = "p256")]
    P256(p256::SecretKey),
```

Insertion in thrussh-keys/src/key.rs at line 347 [4.57451]

[4.65062]

            #[cfg(feature = "p256")]
            KeyPair::P256(_) => write!(f, "P256( (hidden) )"),

Insertion in thrussh-keys/src/key.rs at line 382 [4.57451]

[4.66079]

            #[cfg(feature = "p256")]
            &KeyPair::P256(ref key) => PublicKey::P256(key.public_key().to_owned()),

Insertion in thrussh-keys/src/key.rs at line 393 [4.57451]

[4.66301]

            #[cfg(feature = "p256")]
            KeyPair::P256(_) => ECDSA_SHA2_NISTP256.0,

Insertion in thrussh-keys/src/key.rs at line 411 [4.57451]

[4.66742]

    #[cfg(feature = "p256")]
    pub fn generate_p256() -> Option<Self> {
        Some(KeyPair::P256(p256::SecretKey::random(
            &mut rand::rngs::OsRng::default(),
        )))
    }

Insertion in thrussh-keys/src/key.rs at line 430 [4.57451]

[4.67252]


            #[cfg(feature = "p256")]
            &KeyPair::P256(ref secret) => {
                let sig = p256::ecdsa::SigningKey::from(secret)
                    .sign_recoverable(to_sign)?
                    .0;
                let mut bytes = vec![];
                bytes.extend_ssh_mpint(&sig.r().as_ref().to_bytes());
                bytes.extend_ssh_mpint(&sig.s().as_ref().to_bytes());
                Ok(Signature::P256(bytes))
            }

Insertion in thrussh-keys/src/key.rs at line 470 [4.57451]

[4.68447]

            }
            #[cfg(feature = "p256")]
            &KeyPair::P256(ref secret) => {
                let sig = p256::ecdsa::SigningKey::from(secret)
                    .sign_recoverable(to_sign.as_ref())?
                    .0
                    .to_bytes();
                buffer.push_u32_be((ECDSA_SHA2_NISTP256.0.len() + sig.len() + 8) as u32);
                buffer.extend_ssh_string(ECDSA_SHA2_NISTP256.0.as_bytes());
                buffer.extend_ssh_string(&sig);

Insertion in thrussh-keys/src/key.rs at line 506 [4.57451]

[4.69590]

            #[cfg(feature = "p256")]
            &KeyPair::P256(ref secret) => {
                let sig = p256::ecdsa::SigningKey::from(secret)
                    .sign_recoverable(&buffer)?
                    .0
                    .to_bytes();
                buffer.push_u32_be((ECDSA_SHA2_NISTP256.0.len() + sig.len() + 8) as u32);
                buffer.extend_ssh_string(ECDSA_SHA2_NISTP256.0.as_bytes());
                buffer.extend_ssh_string(&sig);
            }

Insertion in thrussh-keys/src/key.rs at line 576 [4.57451]

[4.71277]

    if t == b"ecdsa-sha2-nistp256" {
        #[cfg(feature = "p256")]
        {
            let sec1_bytes = pos.read_string()?;
            return p256::PublicKey::from_sec1_bytes(sec1_bytes)
                .map(PublicKey::P256)
                .map_err(|_| Error::CouldNotReadKey);
        }
    }

Deletion in thrussh-keys/src/format/pkcs8.rs at line 21 [4.71340]
B:BD[4.72005] → [5.6266:6294]
```
#[cfg(feature = "openssl")]
```

Insertion in thrussh-keys/src/format/pkcs8.rs at line 22 [4.71340]

[4.72064]

const ECPUBLICKEY: &'static [u64] = &[1, 2, 840, 10045, 2, 1];
const P256: &'static [u64] = &[1, 2, 840, 10045, 3, 1, 7];

Replacement in thrussh-keys/src/format/pkcs8.rs at line 202 [4.71340]
B:BD[4.78532] → [5.6404:6432]
```
#[cfg(feature = "openssl")]
```
[4.78532]
[6.1443]
```
// #[cfg(feature = "openssl")]
```

Replacement in thrussh-keys/src/format/pkcs8.rs at line 206 [4.71340]

B:BD[4.78713] → [4.78713:78765]

        reader.next().read_null()?;
        Ok(oid)

[4.78713]

[4.78765]

        if oid.components().as_slice() == ECPUBLICKEY {
            reader.next().read_oid()
        } else {
            reader.next().read_null()?;
            Ok(oid)
        }

Replacement in thrussh-keys/src/format/pkcs8.rs at line 213 [4.71340]

B:BD[4.78774] → [4.78774:78866]

B:BD[4.78866] → [6.1519:1599]

∅:D[6.1599] → [4.78954:79215]

B:BD[4.78954] → [4.78954:79215]

B:BD[4.79215] → [6.1600:1671]

∅:D[6.1671] → [4.79294:80149]

B:BD[4.79294] → [4.79294:80149]

    if oid.components().as_slice() == RSA {
        let seq = &reader.next().read_bytes()?;
        let rsa: Result<Rsa<Private>, Error> = yasna::parse_der(seq, |reader| {
            reader.read_sequence(|reader| {
                let version = reader.next().read_u32()?;
                if version != 0 {
                    return Ok(Err(Error::CouldNotReadKey.into()));
                }
                use openssl::bn::BigNum;
                let mut read_key = || -> Result<Rsa<Private>, Error> {
                    Ok(Rsa::from_private_components(
                        BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                        BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                        BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                        BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                        BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                        BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                        BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                        BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                    )?)
                };
                Ok(read_key())

[4.78774]

[4.80149]

    if oid.components().as_slice() == RSA && cfg!(feature = "openssl") {
        #[cfg(feature = "openssl")]
        {
            let seq = &reader.next().read_bytes()?;
            let rsa: Result<Rsa<Private>, Error> = yasna::parse_der(seq, |reader| {
                reader.read_sequence(|reader| {
                    let version = reader.next().read_u32()?;
                    if version != 0 {
                        return Ok(Err(Error::CouldNotReadKey.into()));
                    }
                    use openssl::bn::BigNum;
                    let mut read_key = || -> Result<Rsa<Private>, Error> {
                        Ok(Rsa::from_private_components(
                            BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                            BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                            BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                            BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                            BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                            BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                            BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                            BigNum::from_slice(&reader.next().read_biguint()?.to_bytes_be())?,
                        )?)
                    };
                    Ok(read_key())
                })
            })?;
            Ok(key::KeyPair::RSA {
                key: rsa?,
                hash: SignatureHash::SHA2_256,

Replacement in thrussh-keys/src/format/pkcs8.rs at line 243 [4.71340]

B:BD[4.80164] → [4.80164:80285]

        })?;
        Ok(key::KeyPair::RSA {
            key: rsa?,
            hash: SignatureHash::SHA2_256,
        })

[4.80164]

[4.80285]

        }
        #[cfg(not(feature = "openssl"))]
        unreachable!()
    } else if oid.components().as_slice() == P256 && cfg!(feature = "p256") {
        #[cfg(feature = "p256")]
        {
            let bytes = &reader.next().read_bytes()?;
            Ok(key::KeyPair::P256(p256::SecretKey::from_sec1_der(bytes)?))
        }
        #[cfg(not(feature = "p256"))]
        unreachable!()

Deletion in thrussh-keys/src/format/pkcs8.rs at line 259 [4.71340]
B:BD[5.6436] → [5.6436:6578]
∅:D[5.6578] → [4.80347:80350]
B:BD[4.80347] → [4.80347:80350]
```
#[cfg(not(feature = "openssl"))]
fn read_key_v0(_: &mut BERReaderSeq) -> Result<key::KeyPair, Error> {
    Err(Error::CouldNotReadKey.into())
}
```

Insertion in thrussh-keys/src/format/pkcs8.rs at line 271 [4.71340]

[4.80833]

        #[cfg(feature = "p256")]
        key::KeyPair::P256(_) => println!("P256"),

Insertion in thrussh-keys/src/format/pkcs8.rs at line 328 [4.71340]

[4.82470]

            #[cfg(feature = "p256")]
            key::KeyPair::P256(ref key) => writer.next().write_der(
                p256::pkcs8::EncodePrivateKey::to_pkcs8_der(key)
                    .expect("Writing p256 as pkcs8")
                    .as_bytes(),
            ),

Replacement in thrussh-keys/src/format/openssh.rs at line 3 [4.86809]
B:BD[4.86880] → [4.86880:86930]
```
use crate::{Error, KEYTYPE_ED25519, KEYTYPE_RSA};
```
[4.86880]
[5.8678]
```
use crate::{Error, KEYTYPE_ED25519, KEYTYPE_P256, KEYTYPE_RSA};
```

Insertion in thrussh-keys/src/format/openssh.rs at line 71 [4.86809]

[5.10430]

                    });
                }
            } else if key_type == KEYTYPE_P256 && cfg!(feature = "p256") {
                #[cfg(feature = "p256")]
                {
                    let _nistp256 = position.read_string()?;
                    let pub_bytes = position.read_string()?;
                    let sec_bytes = position.read_mpint()?;
                    let _comment = position.read_string()?;
                    let mut key_bytes = [0u8; 32];
                    // Reading mpints in a naive way, but sufficient for modular values here
                    sec_bytes.into_iter().rev().enumerate().for_each(|(i, b)| {
                        if i < 32 {
                            key_bytes[31 - i] = *b;
                        }

Insertion in thrussh-keys/src/format/openssh.rs at line 87 [4.86809]

[5.10454]

                    let key = p256::SecretKey::from_bytes(&key_bytes.into())?;
                    if key.public_key().to_sec1_bytes().as_ref() != pub_bytes {
                        return Err(Error::CouldNotReadKey);
                    }
                    return Ok(key::KeyPair::P256(key));

Insertion in thrussh-keys/src/agent/server.rs at line 257 [4.125237]

[4.133343]

[5.13611]

            #[cfg(feature = "p256")]
            b"ecdsa-sha2-nistp256" => {
                let public_ = r.read_string()?;
                let pos1 = r.position;
                let priv_ = r.read_mpint()?;
                let _comment = r.read_string()?;
                let mut priv_bytes = [0u8; 32];
                priv_.into_iter().rev().enumerate().for_each(|(i, b)| {
                    if i < 32 {
                        priv_bytes[31 - i] = *b;
                    }
                });
                let key =
                    crate::key::KeyPair::P256(p256::SecretKey::from_bytes(&priv_bytes.into())?);
                if public_ != crate::PublicKeyBase64::public_key_bytes(&key) {
                    return Ok(false);
                }
                (self.buf[pos0..pos1].to_vec(), key)
            }

Insertion in thrussh-keys/src/agent/client.rs at line 127 [4.139093]

[4.142975]

                self.buf.extend_ssh_string(b"");
            }
            #[cfg(feature = "p256")]
            key::KeyPair::P256(ref key) => {
                self.buf.extend_ssh_string(b"ecdsa-sha2-nistp256");
                self.buf.extend_ssh_string(b"nistp256");
                let bytes = key.public_key().to_sec1_bytes();
                self.buf.extend_ssh_string(&bytes);
                self.buf.extend_ssh_mpint(&key.to_bytes());

Insertion in thrussh-keys/src/agent/client.rs at line 275 [4.139093]

[4.148374]

[2.0]

                    #[cfg(feature = "p256")]
                    b"ecdsa-sha2-nistp256" => {
                        let nistp256 = r.read_string()?;
                        if nistp256 != b"nistp256" {
                            return Err(Error::UnsupportedKeyType(nistp256.to_vec()));
                        }
                        let key = r.read_string()?;
                        keys.push(PublicKey::P256(p256::PublicKey::from_sec1_bytes(key)?));
                    }

Insertion in thrussh-keys/src/agent/client.rs at line 418 [4.139093]

[4.153322]

                        b"ecdsa-sha2-nistp256" => Ok(Signature::P256(sig.to_vec())),

Insertion in thrussh-keys/src/agent/client.rs at line 519 [4.139093]

[4.157002]

        #[cfg(feature = "p256")]
        PublicKey::P256(ref key) => {
            buf.extend(&[0, 0, 0, 0]);
            let len0 = buf.len();
            buf.extend_ssh_string(b"ecdsa-sha2-nistp256");
            let mut inner_buf = vec![];
            inner_buf.extend_ssh_string(b"nistp256");
            inner_buf.extend_ssh_string(&key.to_sec1_bytes());
            buf.extend(&inner_buf);
            let len1 = buf.len();
            BigEndian::write_u32(&mut buf[5..], (len1 - len0) as u32);
        }

Insertion in thrussh-keys/Cargo.toml at line 42 [4.157024]
[5.14032]
[4.158050]
```
p256 = { version = "0.13", optional = true, features = [ "ecdsa" ] }
```
Replacement in thrussh-keys/Cargo.toml at line 56 [4.157024]
B:BD[5.14182] → [5.14182:14203]
```
bcrypt-pbkdf = "0.6"
```
[5.14182]
[7.20]
```
bcrypt-pbkdf = "0.10"
```

Replacement in thrussh/src/negotiation.rs at line 54 [4.268386]

B:BD[4.270075] → [8.0:32]

    #[cfg(feature = "openssl")]

[4.270075]

    #[cfg(all(feature = "openssl", feature = "p256"))]
    pub const DEFAULT: Preferred = Preferred {
        kex: &[kex::CURVE25519],
        key: &[
            key::ED25519,
            key::ECDSA_SHA2_NISTP256,
            key::RSA_SHA2_256,
            key::RSA_SHA2_512,
        ],
        cipher: &[cipher::chacha20poly1305::NAME],
        mac: &["none"],
        compression: &["none", "zlib", "zlib@openssh.com"],
    };
    #[cfg(all(not(feature = "openssl"), feature = "p256"))]
    pub const DEFAULT: Preferred = Preferred {
        kex: &[kex::CURVE25519],
        key: &[key::ED25519, key::ECDSA_SHA2_NISTP256],
        cipher: &[cipher::chacha20poly1305::NAME],
        mac: &["none"],
        compression: &["none", "zlib", "zlib@openssh.com"],
    };
    #[cfg(all(feature = "openssl", not(feature = "p256")))]

Replacement in thrussh/src/negotiation.rs at line 86 [4.268386]

B:BD[8.176] → [8.176:213]

    #[cfg(not(feature = "openssl"))]

[8.176]

[8.213]

    #[cfg(all(not(feature = "openssl"), not(feature = "p256")))]

Replacement in thrussh/src/negotiation.rs at line 97 [4.268386]

B:BD[4.270449] → [4.270449:270517]

        key: &[key::ED25519, key::RSA_SHA2_256, key::RSA_SHA2_512],

[4.270449]

[4.270517]

        key: &[
            key::ED25519,
            key::ECDSA_SHA2_NISTP256,
            key::RSA_SHA2_256,
            key::RSA_SHA2_512,
        ],

Replacement in thrussh/src/negotiation.rs at line 127 [4.268386]
B:BD[4.270951] → [3.1141:1174]
```
#[cfg(not(feature = "openssl"))]
```
[4.270951]
[3.1174]
```
#[cfg(feature = "p256")]
use thrussh_keys::key::ECDSA_SHA2_NISTP256;
```
Replacement in thrussh/src/negotiation.rs at line 131 [4.268386]
∅:D[9.541] → [4.270951:270994]
B:BD[4.270951] → [4.270951:270994]
```
use thrussh_keys::key::{ED25519, SSH_RSA};
```
[9.541]
[4.270994]
```
use thrussh_keys::key::SSH_RSA;
```

Insertion in thrussh/src/negotiation.rs at line 139 [4.268386]

[4.271178]

            #[cfg(feature = "p256")]
            &PublicKey::P256(_) => ECDSA_SHA2_NISTP256.0,

Insertion in thrussh/src/negotiation.rs at line 151 [4.268386]

[4.271392]

            #[cfg(feature = "p256")]
            &KeyPair::P256(_) => ECDSA_SHA2_NISTP256.0,

Insertion in thrussh/src/key.rs at line 41 [4.304500]

[4.306065]

            }
            #[cfg(feature = "p256")]
            &PublicKey::P256(_) => {
                use thrussh_keys::PublicKeyBase64;
                buffer.extend(&self.public_key_bytes());

Insertion in thrussh/src/key.rs at line 69 [4.304500]

[4.306888]

            #[cfg(feature = "p256")]
            &KeyPair::P256(_) => {
                use thrussh_keys::PublicKeyBase64;
                buffer.extend(&self.public_key_bytes());
            }

Replacement in thrussh/examples/remote_shell_call.rs at line 9 [10.23]

B:BD[10.169] → [10.169:219]

    let pem = std::fs::read("./my-aws-key.pem")?;

[10.169]

[10.219]

    let pem = std::fs::read_to_string("./my-aws-key.pem")?;

Replacement in thrussh/examples/remote_shell_call.rs at line 42 [10.23]
B:BD[10.1167] → [10.1167:1187]
```
        pem: &[u8],
```
[10.1167]
[10.1187]
```
        pem: &str,
```

Replacement in thrussh/examples/remote_shell_call.rs at line 46 [10.23]

B:BD[10.1288] → [10.1288:1454]

        let key_pair = key::KeyPair::RSA {
            key: openssl::rsa::Rsa::private_key_from_pem(pem)?,
            hash: key::SignatureHash::SHA2_512,
        };

[10.1288]

[10.1454]

        let key_pair = decode_secret_key(pem, None)?;

Insertion in thrussh/Cargo.toml at line 43 [4.426118]

[4.427018]

p256 = [ "thrussh-keys/p256" ]
openssl = [ "thrussh-keys/openssl", "dep:openssl" ]

Replacement in cryptovec/src/lib.rs at line 403 [4.427990]
B:BD[4.439904] → [4.439904:439944]
```
    /// CryptoVec::from_slice(b"test");
```
[4.439904]
[4.439944]
```
    /// cryptovec::CryptoVec::from_slice(b"test");
```