Introduce a signer interface intented to make TLS privsep simpler

to implement.

Add a tls_config_set_sign_cb() function that allows to register
a callback for the signing operation on a tls_config. When used,
the context installs fake pivate keys internally, and the callback
receives the hash of the public key.

Add a tls_signer_*() set of functions to manage tls_signer objects.
A tls_signer is an opaque structure on which keys are added.
It is used to compute signatures with private keys identified by
their associated public key hash.

Discussed with and ok jsing@ tb@

1 files changed, 17 insertions, 1 deletions

diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 20f55dcabd..22f04f4023 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.58 2020/01/22 06:44:02 beck Exp $ */
+/* $OpenBSD: tls.h,v 1.59 2022/01/25 21:51:24 eric Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -79,6 +79,9 @@ typedef ssize_t (*tls_read_cb)(struct tls *_ctx, void *_buf, size_t _buflen,
     void *_cb_arg);
 typedef ssize_t (*tls_write_cb)(struct tls *_ctx, const void *_buf,
     size_t _buflen, void *_cb_arg);
+typedef int (*tls_sign_cb)(void *_cb_arg, const char *_hash,
+    const uint8_t *_dgst, size_t _dgstlen, uint8_t *_psig, size_t *_psiglen,
+    int _padding);
 
 int tls_init(void);
 
@@ -135,6 +138,8 @@ int tls_config_set_ocsp_staple_file(struct tls_config *_config,
 int tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
 int tls_config_set_session_fd(struct tls_config *_config, int _session_fd);
 int tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth);
+int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb,
+    void *_cb_arg);
 
 void tls_config_prefer_ciphers_client(struct tls_config *_config);
 void tls_config_prefer_ciphers_server(struct tls_config *_config);
@@ -212,6 +217,17 @@ time_t tls_peer_ocsp_revocation_time(struct tls *_ctx);
 time_t tls_peer_ocsp_this_update(struct tls *_ctx);
 const char *tls_peer_ocsp_url(struct tls *_ctx);
 
+struct tls_signer* tls_signer_new(void);
+void tls_signer_free(struct tls_signer * _signer);
+const char *tls_signer_error(struct tls_signer * _signer);
+int tls_signer_add_keypair_file(struct tls_signer *_signer,
+    const char *_cert_file, const char *_key_file);
+int tls_signer_add_keypair_mem(struct tls_signer *_signer, const uint8_t *_cert,
+    size_t _cert_len, const uint8_t *_key, size_t _key_len);
+int tls_signer_sign(struct tls_signer *_signer, const char *_hash,
+    const uint8_t *_dgst, size_t _dgstlen, uint8_t **_psig, size_t *_psiglen,
+    int _padding);
+
 #ifdef __cplusplus
 }
 #endif