upstream: Refactor signing - use sshkey_sign for everything,

including the new U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

OpenBSD-Commit-ID: d5193a03fcfa895085d91b2b83d984a9fde76c8c

1 files changed, 11 insertions, 10 deletions

diff --git a/sshsig.c b/sshsig.c
index b19cd077d..8c7aba1b9 100644
--- a/sshsig.c
+++ b/sshsig.c
@@ -151,8 +151,9 @@ done:
 
 static int
 sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
-    const struct sshbuf *h_message, const char *sig_namespace,
-    struct sshbuf **out, sshsig_signer *signer, void *signer_ctx)
+    const char *sk_provider, const struct sshbuf *h_message,
+    const char *sig_namespace, struct sshbuf **out,
+    sshsig_signer *signer, void *signer_ctx)
 {
         int r;
         size_t slen = 0;
@@ -184,14 +185,14 @@ sshsig_wrap_sign(struct sshkey *key, const char *hashalg,
         if (signer != NULL) {
                 if ((r = signer(key, &sig, &slen,
                     sshbuf_ptr(tosign), sshbuf_len(tosign),
-                    sign_alg, 0, signer_ctx)) != 0) {
+                    sign_alg, sk_provider, 0, signer_ctx)) != 0) {
                         error("Couldn't sign message: %s", ssh_err(r));
                         goto done;
                 }
         } else {
                 if ((r = sshkey_sign(key, &sig, &slen,
                     sshbuf_ptr(tosign), sshbuf_len(tosign),
-                    sign_alg, 0)) != 0) {
+                    sign_alg, sk_provider, 0)) != 0) {
                         error("Couldn't sign message: %s", ssh_err(r));
                         goto done;
                 }
@@ -425,7 +426,7 @@ hash_buffer(const struct sshbuf *m, const char *hashalg, struct sshbuf **bp)
 }
 
 int
-sshsig_signb(struct sshkey *key, const char *hashalg,
+sshsig_signb(struct sshkey *key, const char *hashalg, const char *sk_provider,
     const struct sshbuf *message, const char *sig_namespace,
     struct sshbuf **out, sshsig_signer *signer, void *signer_ctx)
 {
@@ -440,8 +441,8 @@ sshsig_signb(struct sshkey *key, const char *hashalg,
                 error("%s: hash_buffer failed: %s", __func__, ssh_err(r));
                 goto out;
         }
-        if ((r = sshsig_wrap_sign(key, hashalg, b, sig_namespace, out,
-            signer, signer_ctx)) != 0)
+        if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, b,
+            sig_namespace, out, signer, signer_ctx)) != 0)
                 goto out;
         /* success */
         r = 0;
@@ -551,7 +552,7 @@ hash_file(int fd, const char *hashalg, struct sshbuf **bp)
 }
 
 int
-sshsig_sign_fd(struct sshkey *key, const char *hashalg,
+sshsig_sign_fd(struct sshkey *key, const char *hashalg, const char *sk_provider,
     int fd, const char *sig_namespace, struct sshbuf **out,
     sshsig_signer *signer, void *signer_ctx)
 {
@@ -566,8 +567,8 @@ sshsig_sign_fd(struct sshkey *key, const char *hashalg,
                 error("%s: hash_file failed: %s", __func__, ssh_err(r));
                 return r;
         }
-        if ((r = sshsig_wrap_sign(key, hashalg, b, sig_namespace, out,
-            signer, signer_ctx)) != 0)
+        if ((r = sshsig_wrap_sign(key, hashalg, sk_provider, b,
+            sig_namespace, out, signer, signer_ctx)) != 0)
                 goto out;
         /* success */
         r = 0;