upstream: Refactor signing - use sshkey_sign for everything, including the new U2F signatures. Don't use sshsk_ecdsa_sign() directly, instead make it reachable via sshkey_sign() like all other signature operations. This means that we need to add a provider argument to sshkey_sign(), so most of this change is mechanically adding that. Suggested by / ok markus@ OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c

commit: 9a14c64c38fc14d0029f1c7bc70cf62cc7f0fdf9 [log] [tgz]
author: djm@openbsd.org <djm@openbsd.org> Thu Oct 31 21:23:19 2019 +0000
committer: Damien Miller <djm@mindrot.org> Fri Nov 01 09:46:10 2019 +1100
tree: d79bb8d66eeba8e353f18dac919cb65d0ad896c7
parent: 07da39f71d36fb547749a5b16aa8892e621a7e4a [diff] [blame]
diff --git a/sshsig.c b/sshsig.c
index b19cd07..8c7aba1 100644
--- a/sshsig.c
+++ b/sshsig.c

@@ -151,8 +151,9 @@
 
 static int
 sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
-    const struct sshbuf *h_message, const char *sig_namespace,
-    struct sshbuf **out, sshsig_signer *signer, void *signer_ctx)
+    const char *sk_provider, const struct sshbuf *h_message,
+    const char *sig_namespace, struct sshbuf **out,
+    sshsig_signer *signer, void *signer_ctx)
 {
 	int r;
 	size_t slen = 0;
@@ -184,14 +185,14 @@
 	if (signer != NULL) {
 		if ((r = signer(key, &sig, &slen,
 		    sshbuf_ptr(tosign), sshbuf_len(tosign),
-		    sign_alg, 0, signer_ctx)) != 0) {
+		    sign_alg, sk_provider, 0, signer_ctx)) != 0) {
 			error("Couldn't sign message: %s", ssh_err(r));
 			goto done;
 		}
 	} else {
 		if ((r = sshkey_sign(key, &sig, &slen,
 		    sshbuf_ptr(tosign), sshbuf_len(tosign),
-		    sign_alg, 0)) != 0) {
+		    sign_alg, sk_provider, 0)) != 0) {
 			error("Couldn't sign message: %s", ssh_err(r));
 			goto done;
 		}
@@ -425,7 +426,7 @@
 }
 
 int
-sshsig_signb(struct sshkey *key, const char *hashalg,
+sshsig_signb(struct sshkey *key, const char *hashalg, const char *sk_provider,
     const struct sshbuf *message, const char *sig_namespace,
     struct sshbuf **out, sshsig_signer *signer, void *signer_ctx)
 {
@@ -440,8 +441,8 @@
 		error("%s: hash_buffer failed: %s", __func__, ssh_err(r));
 		goto out;
 	}
-	if ((r = sshsig_wrap_sign(key, hashalg, b, sig_namespace, out,
-	    signer, signer_ctx)) != 0)
+	if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, b,
+	    sig_namespace, out, signer, signer_ctx)) != 0)
 		goto out;
 	/* success */
 	r = 0;
@@ -551,7 +552,7 @@
 }
 
 int
-sshsig_sign_fd(struct sshkey *key, const char *hashalg,
+sshsig_sign_fd(struct sshkey *key, const char *hashalg, const char *sk_provider,
     int fd, const char *sig_namespace, struct sshbuf **out,
     sshsig_signer *signer, void *signer_ctx)
 {
@@ -566,8 +567,8 @@
 		error("%s: hash_file failed: %s", __func__, ssh_err(r));
 		return r;
 	}
-	if ((r = sshsig_wrap_sign(key, hashalg, b, sig_namespace, out,
-	    signer, signer_ctx)) != 0)
+	if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, b,
+	    sig_namespace, out, signer, signer_ctx)) != 0)
 		goto out;
 	/* success */
 	r = 0;
commit	9a14c64c38fc14d0029f1c7bc70cf62cc7f0fdf9	[log] [tgz]
author	djm@openbsd.org <djm@openbsd.org>	Thu Oct 31 21:23:19 2019 +0000
committer	Damien Miller <djm@mindrot.org>	Fri Nov 01 09:46:10 2019 +1100
tree	d79bb8d66eeba8e353f18dac919cb65d0ad896c7
parent	07da39f71d36fb547749a5b16aa8892e621a7e4a [diff] [blame]