/*

 * authkeys.c - routines to manage the storage of authentication keys

 */

#ifdef HAVE_CONFIG_H

# include <config.h>

#endif

#include <math.h>

#include <stdio.h>

#include "ntp.h"

#include "ntp_fp.h"

#include "ntpd.h"

#include "ntp_lists.h"

#include "ntp_string.h"

#include "ntp_malloc.h"

#include "ntp_stdlib.h"

#include "ntp_keyacc.h"

/*

 * Structure to store keys in in the hash table.

 */

typedef struct savekey symkey;

struct savekey {

  symkey *  hlink;    /* next in hash bucket */

  DECL_DLIST_LINK(symkey, llink); /* for overall & free lists */

  u_char *  secret;   /* shared secret */

  KeyAccT * keyacclist; /* Private key access list */

  u_long    lifetime; /* remaining lifetime */

  keyid_t   keyid;    /* key identifier */

  u_short   type;   /* OpenSSL digest NID */

  size_t    secretsize; /* secret octets */

  u_short   flags;    /* KEY_ flags that wave */

};

/* define the payload region of symkey beyond the list pointers */

#define symkey_payload  secret

#define KEY_TRUSTED 0x001  /* this key is trusted */

#ifdef DEBUG

typedef struct symkey_alloc_tag symkey_alloc;

struct symkey_alloc_tag {

  symkey_alloc *  link;

  void *    mem;    /* enable free() atexit */

};

symkey_alloc *  authallocs;

#endif  /* DEBUG */

static u_short  auth_log2(size_t);

static void   auth_resize_hashtable(void);

static void   allocsymkey(keyid_t,  u_short,

            u_short, u_long, size_t, u_char *, KeyAccT *);

static void   freesymkey(symkey *);

#ifdef DEBUG

static void   free_auth_mem(void);

#endif

symkey  key_listhead;   /* list of all in-use keys */;

/*

 * The hash table. This is indexed by the low order bits of the

 * keyid. We make this fairly big for potentially busy servers.

 */

#define DEF_AUTHHASHSIZE  64

/*#define HASHMASK  ((HASHSIZE)-1)*/

#define KEYHASH(keyid)  ((keyid) & authhashmask)

int authhashdisabled;

u_short authhashbuckets = DEF_AUTHHASHSIZE;

u_short authhashmask = DEF_AUTHHASHSIZE - 1;

symkey **key_hash;

u_long authkeynotfound;   /* keys not found */

u_long authkeylookups;    /* calls to lookup keys */

u_long authnumkeys;   /* number of active keys */

u_long authkeyexpired;    /* key lifetime expirations */

u_long authkeyuncached;   /* cache misses */

u_long authnokey;   /* calls to encrypt with no key */

u_long authencryptions;   /* calls to encrypt */

u_long authdecryptions;   /* calls to decrypt */

/*

 * Storage for free symkey structures.  We malloc() such things but

 * never free them.

 */

symkey *authfreekeys;

int authnumfreekeys;

#define MEMINC  16    /* number of new free ones to get */

/*

 * The key cache. We cache the last key we looked at here.

 * Note: this should hold the last *trusted* key. Also the

 * cache is only loaded when the digest type / MAC algorithm

 * is valid.

 */

keyid_t cache_keyid;    /* key identifier */

u_char *cache_secret;   /* secret */

size_t  cache_secretsize; /* secret length */

int cache_type;   /* OpenSSL digest NID */

u_short cache_flags;    /* flags that wave */

KeyAccT *cache_keyacclist;  /* key access list */

/* --------------------------------------------------------------------

 * manage key access lists

 * --------------------------------------------------------------------

 */

/* allocate and populate new access node and pushes it on the list.

 * Returns the new head.

 */

KeyAccT*

keyacc_new_push(

  KeyAccT          * head,

  const sockaddr_u * addr,

  unsigned int     subnetbits

  )

{

  KeyAccT * node = emalloc(sizeof(KeyAccT));

  memcpy(&node->addr, addr, sizeof(sockaddr_u));

  node->subnetbits = subnetbits;

  node->next = head;

  return node;

}

/* ----------------------------------------------------------------- */

/* pop and deallocate the first node of a list of access nodes, if

 * the list is not empty. Returns the tail of the list.

 */

KeyAccT*

keyacc_pop_free(

  KeyAccT *head

  )

{

  KeyAccT * next = NULL;

  if (head) {

    next = head->next;

    free(head);

  }

  return next;

}

/* ----------------------------------------------------------------- */

/* deallocate the list; returns an empty list. */

KeyAccT*

keyacc_all_free(

  KeyAccT * head

  )

{

  while (head)

    head = keyacc_pop_free(head);

  return head;

}

/* ----------------------------------------------------------------- */

/* scan a list to see if it contains a given address. Return the

 * default result value in case of an empty list.

 */

int /*BOOL*/

keyacc_contains(

  const KeyAccT    *head,

  const sockaddr_u *addr,

  int               defv)

{

  if (head) {

    do {

      if (keyacc_amatch(&head->addr, addr,

            head->subnetbits))

        return TRUE;

    } while (NULL != (head = head->next));

    return FALSE;

  } else {

    return !!defv;

  }

}

#if CHAR_BIT != 8

# error "don't know how to handle bytes with that bit size"

#endif

/* ----------------------------------------------------------------- */

/* check two addresses for a match, taking a prefix length into account

 * when doing the compare.

 *

 * The ISC lib contains a similar function with not entirely specified

 * semantics, so it seemed somewhat cleaner to do this from scratch.

 *

 * Note 1: It *is* assumed that the addresses are stored in network byte

 * order, that is, most significant byte first!

 *

 * Note 2: "no address" compares unequal to all other addresses, even to

 * itself. This has the same semantics as NaNs have for floats: *any*

 * relational or equality operation involving a NaN returns FALSE, even

 * equality with itself. "no address" is either a NULL pointer argument

 * or an address of type AF_UNSPEC.

 */

int/*BOOL*/

keyacc_amatch(

  const sockaddr_u *  a1,

  const sockaddr_u *  a2,

  unsigned int    mbits

  )

{

  const uint8_t * pm1;

  const uint8_t * pm2;

  uint8_t         msk;

  unsigned int    len;

  /* 1st check: If any address is not an address, it's inequal. */

  if ( !a1 || (AF_UNSPEC == AF(a1)) ||

       !a2 || (AF_UNSPEC == AF(a2))  )

    return FALSE;

  /* We could check pointers for equality here and shortcut the

   * other checks if we find object identity. But that use case is

   * too rare to care for it.

   */

  /* 2nd check: Address families must be the same. */

  if (AF(a1) != AF(a2))

    return FALSE;

  /* type check: address family determines buffer & size */

  switch (AF(a1)) {

  case AF_INET:

    /* IPv4 is easy: clamp size, get byte pointers */

    if (mbits > sizeof(NSRCADR(a1)) * 8)

      mbits = sizeof(NSRCADR(a1)) * 8;

    pm1 = (const void*)&NSRCADR(a1);

    pm2 = (const void*)&NSRCADR(a2);

    break;

  case AF_INET6:

    /* IPv6 is slightly different: Both scopes must match,

     * too, before we even consider doing a match!

     */

    if ( ! SCOPE_EQ(a1, a2))

      return FALSE;

    if (mbits > sizeof(NSRCADR6(a1)) * 8)

      mbits = sizeof(NSRCADR6(a1)) * 8;

    pm1 = (const void*)&NSRCADR6(a1);

    pm2 = (const void*)&NSRCADR6(a2);

    break;

  default:

    /* don't know how to compare that!?! */

    return FALSE;

  }

  /* Split bit length into byte length and partial byte mask.

   * Note that the byte mask extends from the MSB of a byte down,

   * and that zero shift (--> mbits % 8 == 0) results in an

   * all-zero mask.

   */

  msk = 0xFFu ^ (0xFFu >> (mbits & 7));

  len = mbits >> 3;

  /* 3rd check: Do memcmp() over full bytes, if any */

  if (len && memcmp(pm1, pm2, len))

    return FALSE;

  /* 4th check: compare last incomplete byte, if any */

  if (msk && ((pm1[len] ^ pm2[len]) & msk))

    return FALSE;

  /* If none of the above failed, we're successfully through. */

  return TRUE;

}

/*

 * init_auth - initialize internal data

 */

void

init_auth(void)

{

  size_t newalloc;

  /*

   * Initialize hash table and free list

   */

  newalloc = authhashbuckets * sizeof(key_hash[0]);

  key_hash = emalloc_zero(newalloc);

  INIT_DLIST(key_listhead, llink);

#ifdef DEBUG

  atexit(&free_auth_mem);

#endif

}

/*

 * free_auth_mem - assist in leak detection by freeing all dynamic

 *       allocations from this module.

 */

#ifdef DEBUG

static void

free_auth_mem(void)

{

  symkey *  sk;

  symkey_alloc *  alloc;

  symkey_alloc *  next_alloc;

  while (NULL != (sk = HEAD_DLIST(key_listhead, llink))) {

    freesymkey(sk);

  }

  free(key_hash);

  key_hash = NULL;

  cache_keyid = 0;

  cache_flags = 0;

  cache_keyacclist = NULL;

  for (alloc = authallocs; alloc != NULL; alloc = next_alloc) {

    next_alloc = alloc->link;

    free(alloc->mem);

  }

  authfreekeys = NULL;

  authnumfreekeys = 0;

}

#endif  /* DEBUG */

/*

 * auth_moremem - get some more free key structures

 */

void

auth_moremem(

  int keycount

  )

{

  symkey *  sk;

  int   i;

#ifdef DEBUG

  void *    base;

  symkey_alloc *  allocrec;

# define MOREMEM_EXTRA_ALLOC  (sizeof(*allocrec))

#else

# define MOREMEM_EXTRA_ALLOC  (0)

#endif

  i = (keycount > 0)

    ? keycount

    : MEMINC;

  sk = eallocarrayxz(i, sizeof(*sk), MOREMEM_EXTRA_ALLOC);

#ifdef DEBUG

  base = sk;

#endif

  authnumfreekeys += i;

  for (; i > 0; i--, sk++) {

    LINK_SLIST(authfreekeys, sk, llink.f);

  }

#ifdef DEBUG

  allocrec = (void *)sk;

  allocrec->mem = base;

  LINK_SLIST(authallocs, allocrec, link);

#endif

}

/*

 * auth_prealloc_symkeys

 */

void

auth_prealloc_symkeys(

  int keycount

  )

{

  int allocated;

  int additional;

  allocated = authnumkeys + authnumfreekeys;

  additional = keycount - allocated;

  if (additional > 0)

    auth_moremem(additional);

  auth_resize_hashtable();

}

static u_short

auth_log2(size_t x)

{

  /*

  ** bithack to calculate floor(log2(x))

  **

  ** This assumes

  **   - (sizeof(size_t) is a power of two

  **   - CHAR_BITS is a power of two

  **   - returning zero for arguments <= 0 is OK.

  **

  ** Does only shifts, masks and sums in integer arithmetic in

  ** log2(CHAR_BIT*sizeof(size_t)) steps. (that is, 5/6 steps for

  ** 32bit/64bit size_t)

  */

  int s;

  int r = 0;

  size_t  m = ~(size_t)0;

  for (s = sizeof(size_t) / 2 * CHAR_BIT; s != 0; s >>= 1) {

    m <<= s;

    if (x & m)

      r += s;

    else

      x <<= s;

  }

  return (u_short)r;

}

int/*BOOL*/

ipaddr_match_masked(const sockaddr_u *,const sockaddr_u *,

        unsigned int mbits);

static void

authcache_flush_id(

  keyid_t id

  )

{

  if (cache_keyid == id) {

    cache_keyid = 0;

    cache_type = 0;

    cache_flags = 0;

    cache_secret = NULL;

    cache_secretsize = 0;

    cache_keyacclist = NULL;

  }

}

/*

 * auth_resize_hashtable

 *

 * Size hash table to average 4 or fewer entries per bucket initially,

 * within the bounds of at least 4 and no more than 15 bits for the hash

 * table index.  Populate the hash table.

 */

static void

auth_resize_hashtable(void)

{

  u_long    totalkeys;

  u_short   hashbits;

  u_short   hash;

  size_t    newalloc;

  symkey *  sk;

  totalkeys = authnumkeys + authnumfreekeys;

  hashbits = auth_log2(totalkeys / 4) + 1;

  hashbits = max(4, hashbits);

  hashbits = min(15, hashbits);

  authhashbuckets = 1 << hashbits;

  authhashmask = authhashbuckets - 1;

  newalloc = authhashbuckets * sizeof(key_hash[0]);

  key_hash = erealloc(key_hash, newalloc);

  zero_mem(key_hash, newalloc);

  ITER_DLIST_BEGIN(key_listhead, sk, llink, symkey)

    hash = KEYHASH(sk->keyid);

    LINK_SLIST(key_hash[hash], sk, hlink);

  ITER_DLIST_END()

}

/*

 * allocsymkey - common code to allocate and link in symkey

 *

 * secret must be allocated with a free-compatible allocator.  It is

 * owned by the referring symkey structure, and will be free()d by

 * freesymkey().

 */

static void

allocsymkey(

  keyid_t   id,

  u_short   flags,

  u_short   type,

  u_long    lifetime,

  size_t    secretsize,

  u_char *  secret,

  KeyAccT * ka

  )

{

  symkey *  sk;

  symkey ** bucket;

  bucket = &key_hash[KEYHASH(id)];

  if (authnumfreekeys < 1)

    auth_moremem(-1);

  UNLINK_HEAD_SLIST(sk, authfreekeys, llink.f);

  DEBUG_ENSURE(sk != NULL);

  sk->keyid = id;

  sk->flags = flags;

  sk->type = type;

  sk->secretsize = secretsize;

  sk->secret = secret;

  sk->keyacclist = ka;

  sk->lifetime = lifetime;

  LINK_SLIST(*bucket, sk, hlink);

  LINK_TAIL_DLIST(key_listhead, sk, llink);

  authnumfreekeys--;

  authnumkeys++;

}

/*

 * freesymkey - common code to remove a symkey and recycle its entry.

 */

static void

freesymkey(

  symkey *  sk

  )

{

  symkey ** bucket;

  symkey *  unlinked;

  if (NULL == sk)

    return;

  authcache_flush_id(sk->keyid);

  keyacc_all_free(sk->keyacclist);

  bucket = &key_hash[KEYHASH(sk->keyid)];

  if (sk->secret != NULL) {

    zero_mem(sk->secret, sk->secretsize);

    free(sk->secret);

  }

  UNLINK_SLIST(unlinked, *bucket, sk, hlink, symkey);

  DEBUG_ENSURE(sk == unlinked);

  UNLINK_DLIST(sk, llink);

  zero_mem((char *)sk + offsetof(symkey, symkey_payload),

     sizeof(*sk) - offsetof(symkey, symkey_payload));

  LINK_SLIST(authfreekeys, sk, llink.f);

  authnumkeys--;

  authnumfreekeys++;

}

/*

 * auth_findkey - find a key in the hash table

 */

struct savekey *

auth_findkey(

  keyid_t   id

  )

{

  symkey *  sk;

  for (sk = key_hash[KEYHASH(id)]; sk != NULL; sk = sk->hlink)

    if (id == sk->keyid)

      return sk;

  return NULL;

}

/*

 * auth_havekey - return TRUE if the key id is zero or known. The

 * key needs not to be trusted.

 */

int

auth_havekey(

  keyid_t   id

  )

{

  return

      (0           == id) ||

      (cache_keyid == id) ||

      (NULL        != auth_findkey(id));

}

/*

 * authhavekey - return TRUE and cache the key, if zero or both known

 *     and trusted.

 */

int

authhavekey(

  keyid_t   id

  )

{

  symkey *  sk;

  authkeylookups++;

  if (0 == id || cache_keyid == id)

    return !!(KEY_TRUSTED & cache_flags);

  /*

   * Search the bin for the key. If not found, or found but the key

   * type is zero, somebody marked it trusted without specifying a

   * key or key type. In this case consider the key missing.

   */

  authkeyuncached++;

  sk = auth_findkey(id);

  if ((sk == NULL) || (sk->type == 0)) {

    authkeynotfound++;

    return FALSE;

  }

  /*

   * If the key is not trusted, the key is not considered found.

   */

  if ( ! (KEY_TRUSTED & sk->flags)) {

    authnokey++;

    return FALSE;

  }

  /*

   * The key is found and trusted. Initialize the key cache.

   * The cache really should be a struct savekey to streamline

   * this code.  Using a sk pointer would be even faster but more

   * fragile around pointing to freed memory.

   */

  cache_keyid = sk->keyid;

  cache_type = sk->type;

  cache_flags = sk->flags;

  cache_secret = sk->secret;

  cache_secretsize = sk->secretsize;

  cache_keyacclist = sk->keyacclist;

  return TRUE;

}

/*

 * authtrust - declare a key to be trusted/untrusted

 */

void

authtrust(

  keyid_t   id,

  u_long    trust

  )

{

  symkey *  sk;

  u_long    lifetime;

  /*

   * Search bin for key; if it does not exist and is untrusted,

   * forget it.

   */

  sk = auth_findkey(id);

  if (!trust && sk == NULL)

    return;

  /*

   * There are two conditions remaining. Either it does not

   * exist and is to be trusted or it does exist and is or is

   * not to be trusted.

   */

  if (sk != NULL) {

    /*

     * Key exists. If it is to be trusted, say so and update

     * its lifetime. If no longer trusted, return it to the

     * free list. Flush the cache first to be sure there are

     * no discrepancies.

     */

    authcache_flush_id(id);

    if (trust > 0) {

      sk->flags |= KEY_TRUSTED;

      if (trust > 1)

        sk->lifetime = current_time + trust;

      else

        sk->lifetime = 0;

    } else {

      freesymkey(sk);

    }

    return;

  }

  /*

   * keyid is not present, but the is to be trusted.  We allocate

   * a new key, but do not specify a key type or secret.

   */

  if (trust > 1) {

    lifetime = current_time + trust;

  } else {

    lifetime = 0;

  }

  allocsymkey(id, KEY_TRUSTED, 0, lifetime, 0, NULL, NULL);

}

/*

 * authistrusted - determine whether a key is trusted

 */

int

authistrusted(

  keyid_t   id

  )

{

  symkey *  sk;

  if (id == cache_keyid)

    return !!(KEY_TRUSTED & cache_flags);

  authkeyuncached++;

  sk = auth_findkey(id);

  if (sk == NULL || !(KEY_TRUSTED & sk->flags)) {

    authkeynotfound++;

    return FALSE;

  }

  return TRUE;

}

/*

 * authistrustedip - determine if the IP is OK for the keyid

 */

 int

 authistrustedip(

  keyid_t   keyno,

  sockaddr_u *  sau

  )

{

  symkey *  sk;

  if (keyno == cache_keyid) {

    return (KEY_TRUSTED & cache_flags) &&

      keyacc_contains(cache_keyacclist, sau, TRUE);

  }

  if (NULL != (sk = auth_findkey(keyno))) {

    authkeyuncached++;

    return (KEY_TRUSTED & sk->flags) &&

      keyacc_contains(sk->keyacclist, sau, TRUE);

  }

  authkeynotfound++;

  return FALSE;

}

/* Note: There are two locations below where 'strncpy()' is used. While

 * this function is a hazard by itself, it's essential that it is used

 * here. Bug 1243 involved that the secret was filled with NUL bytes

 * after the first NUL encountered, and 'strlcpy()' simply does NOT have

 * this behaviour. So disabling the fix and reverting to the buggy

 * behaviour due to compatibility issues MUST also fill with NUL and

 * this needs 'strncpy'. Also, the secret is managed as a byte blob of a

 * given size, and eventually truncating it and replacing the last byte

 * with a NUL would be a bug.

 * perlinger@ntp.org 2015-10-10

 */

void

MD5auth_setkey(

  keyid_t keyno,

  int keytype,

  const u_char *key,

  size_t secretsize,

  KeyAccT *ka

  )

{

  symkey *  sk;

  u_char *  secret;

  DEBUG_ENSURE(keytype <= USHRT_MAX);

  DEBUG_ENSURE(secretsize < 4 * 1024);

  /*

   * See if we already have the key.  If so just stick in the

   * new value.

   */

  sk = auth_findkey(keyno);

  if (sk != NULL && keyno == sk->keyid) {

      /* TALOS-CAN-0054: make sure we have a new buffer! */

    if (NULL != sk->secret) {

      memset(sk->secret, 0, sk->secretsize);

      free(sk->secret);

    }

    sk->secret = emalloc(secretsize + 1);

    sk->type = (u_short)keytype;

    sk->secretsize = secretsize;

    /* make sure access lists don't leak here! */

    if (ka != sk->keyacclist) {

      keyacc_all_free(sk->keyacclist);

      sk->keyacclist = ka;

    }

#ifndef DISABLE_BUG1243_FIX

    memcpy(sk->secret, key, secretsize);

#else

    /* >MUST< use 'strncpy()' here! See above! */

    strncpy((char *)sk->secret, (const char *)key,

      secretsize);

#endif

    authcache_flush_id(keyno);

    return;

  }

  /*

   * Need to allocate new structure.  Do it.

   */

  secret = emalloc(secretsize + 1);

#ifndef DISABLE_BUG1243_FIX

  memcpy(secret, key, secretsize);

#else

  /* >MUST< use 'strncpy()' here! See above! */

  strncpy((char *)secret, (const char *)key, secretsize);

#endif

  allocsymkey(keyno, 0, (u_short)keytype, 0,

        secretsize, secret, ka);

#ifdef DEBUG

  if (debug >= 1) {

    size_t  j;

    printf("auth_setkey: key %d type %d len %d ", (int)keyno,

        keytype, (int)secretsize);

    for (j = 0; j < secretsize; j++) {

      printf("%02x", secret[j]);

    }

    printf("\n");

  }

#endif

}

/*

 * auth_delkeys - delete non-autokey untrusted keys, and clear all info

 *      except the trusted bit of non-autokey trusted keys, in

 *      preparation for rereading the keys file.

 */

void

auth_delkeys(void)

{

  symkey *  sk;

  ITER_DLIST_BEGIN(key_listhead, sk, llink, symkey)

    if (sk->keyid > NTP_MAXKEY) { /* autokey */

      continue;

    }

    /*

     * Don't lose info as to which keys are trusted. Make

     * sure there are no dangling pointers!

     */

    if (KEY_TRUSTED & sk->flags) {

      if (sk->secret != NULL) {

        zero_mem(sk->secret, sk->secretsize);

        free(sk->secret);

        sk->secret = NULL; /* TALOS-CAN-0054 */

      }

      sk->keyacclist = keyacc_all_free(sk->keyacclist);

      sk->secretsize = 0;

      sk->lifetime = 0;

    } else {

      freesymkey(sk);

    }

  ITER_DLIST_END()

}

/*

 * auth_agekeys - delete keys whose lifetimes have expired

 */

void

auth_agekeys(void)

{

  symkey *  sk;

  ITER_DLIST_BEGIN(key_listhead, sk, llink, symkey)

    if (sk->lifetime > 0 && current_time > sk->lifetime) {

      freesymkey(sk);

      authkeyexpired++;

    }

  ITER_DLIST_END()

  DPRINTF(1, ("auth_agekeys: at %lu keys %lu expired %lu\n",

        current_time, authnumkeys, authkeyexpired));

}

/*

 * authencrypt - generate message authenticator

 *

 * Returns length of authenticator field, zero if key not found.

 */

size_t

authencrypt(

  keyid_t   keyno,

  u_int32 * pkt,

  size_t    length

  )

{

  /*

   * A zero key identifier means the sender has not verified

   * the last message was correctly authenticated. The MAC

   * consists of a single word with value zero.

   */

  authencryptions++;

  pkt[length / KEY_MAC_LEN] = htonl(keyno);

  if (0 == keyno) {

    return KEY_MAC_LEN;

  }

  if (!authhavekey(keyno)) {

    return 0;

  }

  return MD5authencrypt(cache_type,

            cache_secret, cache_secretsize,

            pkt, length);

}

/*

 * authdecrypt - verify message authenticator

 *

 * Returns TRUE if authenticator valid, FALSE if invalid or not found.

 */

int

authdecrypt(

  keyid_t   keyno,

  u_int32 * pkt,

  size_t    length,

  size_t    size

  )

{

  /*

   * A zero key identifier means the sender has not verified

   * the last message was correctly authenticated.  For our

   * purpose this is an invalid authenticator.

   */

  authdecryptions++;

  if (0 == keyno || !authhavekey(keyno) || size < 4) {

    return FALSE;

  }

  return MD5authdecrypt(cache_type,

            cache_secret, cache_secretsize,

            pkt, length, size, keyno);

}

/* password decoding helpers */

static size_t

pwdecode_plain(

  u_char *  dst,

  size_t    dstlen,

  const char *  src

  )

{

  size_t    srclen = strlen(src);

  if (srclen > dstlen) {

    errno = ENOMEM;

    return (size_t)-1;

  }

  memcpy(dst, src, srclen);

  return srclen;

}

static size_t

pwdecode_hex(

  u_char *  dst,

  size_t    dstlen,

  const char *  src

  )

{

  static const char hex[] = "00112233445566778899AaBbCcDdEeFf";

  size_t    srclen = strlen(src);

  size_t    reslen = (srclen >> 1) + (srclen & 1);

  u_char    tmp;