upstream: Refactor signing - use sshkey_sign for everything,
including the new U2F signatures.
Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.
Suggested by / ok markus@
OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c
diff --git a/sshsig.c b/sshsig.c
index b19cd07..8c7aba1 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -151,8 +151,9 @@
static int
sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
- const struct sshbuf *h_message, const char *sig_namespace,
- struct sshbuf **out, sshsig_signer *signer, void *signer_ctx)
+ const char *sk_provider, const struct sshbuf *h_message,
+ const char *sig_namespace, struct sshbuf **out,
+ sshsig_signer *signer, void *signer_ctx)
{
int r;
size_t slen = 0;
@@ -184,14 +185,14 @@
if (signer != NULL) {
if ((r = signer(key, &sig, &slen,
sshbuf_ptr(tosign), sshbuf_len(tosign),
- sign_alg, 0, signer_ctx)) != 0) {
+ sign_alg, sk_provider, 0, signer_ctx)) != 0) {
error("Couldn't sign message: %s", ssh_err(r));
goto done;
}
} else {
if ((r = sshkey_sign(key, &sig, &slen,
sshbuf_ptr(tosign), sshbuf_len(tosign),
- sign_alg, 0)) != 0) {
+ sign_alg, sk_provider, 0)) != 0) {
error("Couldn't sign message: %s", ssh_err(r));
goto done;
}
@@ -425,7 +426,7 @@
}
int
-sshsig_signb(struct sshkey *key, const char *hashalg,
+sshsig_signb(struct sshkey *key, const char *hashalg, const char *sk_provider,
const struct sshbuf *message, const char *sig_namespace,
struct sshbuf **out, sshsig_signer *signer, void *signer_ctx)
{
@@ -440,8 +441,8 @@
error("%s: hash_buffer failed: %s", __func__, ssh_err(r));
goto out;
}
- if ((r = sshsig_wrap_sign(key, hashalg, b, sig_namespace, out,
- signer, signer_ctx)) != 0)
+ if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, b,
+ sig_namespace, out, signer, signer_ctx)) != 0)
goto out;
/* success */
r = 0;
@@ -551,7 +552,7 @@
}
int
-sshsig_sign_fd(struct sshkey *key, const char *hashalg,
+sshsig_sign_fd(struct sshkey *key, const char *hashalg, const char *sk_provider,
int fd, const char *sig_namespace, struct sshbuf **out,
sshsig_signer *signer, void *signer_ctx)
{
@@ -566,8 +567,8 @@
error("%s: hash_file failed: %s", __func__, ssh_err(r));
return r;
}
- if ((r = sshsig_wrap_sign(key, hashalg, b, sig_namespace, out,
- signer, signer_ctx)) != 0)
+ if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, b,
+ sig_namespace, out, signer, signer_ctx)) != 0)
goto out;
/* success */
r = 0;