Introduce a signer interface intented to make TLS privsep simpler

to implement.

Add a tls_config_set_sign_cb() function that allows to register
a callback for the signing operation on a tls_config. When used,
the context installs fake pivate keys internally, and the callback
receives the hash of the public key.

Add a tls_signer_*() set of functions to manage tls_signer objects.
A tls_signer is an opaque structure on which keys are added.
It is used to compute signatures with private keys identified by
their associated public key hash.

Discussed with and ok jsing@ tb@

1 files changed, 6 insertions, 1 deletions

diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 5487b123ec..bc5044518b 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.78 2021/01/21 19:09:10 eric Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.79 2022/01/25 21:51:24 eric Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -112,6 +112,8 @@ struct tls_config {
         int verify_time;
         int skip_private_key_check;
         int use_fake_private_key;
+        tls_sign_cb sign_cb;
+        void *sign_cb_arg;
 };
 
 struct tls_conninfo {
@@ -291,6 +293,9 @@ int tls_cert_pubkey_hash(X509 *_cert, char **_hash);
 
 int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u);
 
+RSA_METHOD *tls_signer_rsa_method(void);
+ECDSA_METHOD *tls_signer_ecdsa_method(void);
+
 __END_HIDDEN_DECLS
 
 /* XXX this function is not fully hidden so relayd can use it */