pki: Migrate ssh_pki_do_sign to new pki.

include/libssh/pki_priv.h

@@ -62,8 +62,9 @@ int pki_signature_verify(ssh_session session,
                          size_t len);
 
 /* SSH Signing Functions */
-struct signature_struct *pki_do_sign(const ssh_key privatekey,
-                                     const unsigned char *hash);
+ssh_signature pki_do_sign(const ssh_key privkey,
+                          const unsigned char *hash,
+                          size_t hlen);
 ssh_signature pki_do_sign_sessionid(const ssh_key key,
                                     const unsigned char *hash);
 #endif /* PKI_PRIV_H_ */

src/pki.c

@@ -1057,51 +1057,57 @@ int ssh_pki_signature_verify_blob(ssh_session session,
 /*
  * This function signs the session id (known as H) as a string then
  * the content of sigbuf */
-ssh_string ssh_pki_do_sign(ssh_session session, ssh_buffer sigbuf,
-        const ssh_key privatekey) {
-    struct ssh_crypto_struct *crypto = session->current_crypto ? session->current_crypto :
+ssh_string ssh_pki_do_sign(ssh_session session,
+                           ssh_buffer sigbuf,
+                           const ssh_key privkey) {
+    struct ssh_crypto_struct *crypto =
+        session->current_crypto ? session->current_crypto :
                                   session->next_crypto;
     unsigned char hash[SHA_DIGEST_LEN + 1] = {0};
-    ssh_string session_str = NULL;
-    ssh_string signature = NULL;
-    struct signature_struct *sign = NULL;
+    ssh_signature sig;
+    ssh_string sig_blob = NULL;
+    ssh_string str = NULL;
     SHACTX ctx = NULL;
+    int rc;
 
-    if (privatekey == NULL || !ssh_key_is_private(privatekey)) {
+    if (privkey == NULL || !ssh_key_is_private(privkey)) {
         return NULL;
     }
 
-    session_str = ssh_string_new(SHA_DIGEST_LEN);
-    if (session_str == NULL) {
+    str = ssh_string_new(SHA_DIGEST_LEN);
+    if (str == NULL) {
         return NULL;
     }
-    ssh_string_fill(session_str, crypto->session_id, SHA_DIGEST_LEN);
+    ssh_string_fill(str, crypto->session_id, SHA_DIGEST_LEN);
 
     ctx = sha1_init();
     if (ctx == NULL) {
-        ssh_string_free(session_str);
+        ssh_string_free(str);
         return NULL;
     }
 
-    sha1_update(ctx, session_str, ssh_string_len(session_str) + 4);
-    ssh_string_free(session_str);
+    sha1_update(ctx, str, ssh_string_len(str) + 4);
+    ssh_string_free(str);
     sha1_update(ctx, buffer_get_rest(sigbuf), buffer_get_rest_len(sigbuf));
-    sha1_final(hash + 1,ctx);
+    sha1_final(hash + 1, ctx);
     hash[0] = 0;
 
 #ifdef DEBUG_CRYPTO
     ssh_print_hexa("Hash being signed with dsa", hash + 1, SHA_DIGEST_LEN);
 #endif
 
-    sign = pki_do_sign(privatekey, hash);
-    if (sign == NULL) {
+    sig = pki_do_sign(privkey, hash, SHA_DIGEST_LEN);
+    if (sig == NULL) {
         return NULL;
     }
 
-    signature = signature_to_string(sign);
-    signature_free(sign);
+    rc = ssh_pki_export_signature_blob(sig, &sig_blob);
+    ssh_signature_free(sig);
+    if (rc < 0) {
+        return NULL;
+    }
 
-    return signature;
+    return sig_blob;
 }
 
 #ifndef _WIN32

src/pki_crypto.c

@@ -720,22 +720,23 @@ int pki_signature_verify(ssh_session session,
     return SSH_OK;
 }
 
-struct signature_struct *pki_do_sign(ssh_key privatekey,
-                                     const unsigned char *hash) {
-    struct signature_struct *sign;
+ssh_signature pki_do_sign(const ssh_key privkey,
+                          const unsigned char *hash,
+                          size_t hlen) {
+    ssh_signature sig;
 
-    sign = malloc(sizeof(SIGNATURE));
-    if (sign == NULL) {
+    sig = ssh_signature_new();
+    if (sig == NULL) {
         return NULL;
     }
-    sign->type = privatekey->type;
 
-    switch(privatekey->type) {
+    sig->type = privkey->type;
+
+    switch(privkey->type) {
         case SSH_KEYTYPE_DSS:
-            sign->dsa_sign = DSA_do_sign(hash + 1, SHA_DIGEST_LEN,
-                    privatekey->dsa);
-            if (sign->dsa_sign == NULL) {
-                signature_free(sign);
+            sig->dsa_sig = DSA_do_sign(hash + 1, hlen, privkey->dsa);
+            if (sig->dsa_sig == NULL) {
+                ssh_signature_free(sig);
                 return NULL;
             }
 
@@ -744,25 +745,23 @@ struct signature_struct *pki_do_sign(ssh_key privatekey,
             ssh_print_bignum("s", sign->dsa_sign->s);
 #endif
 
-            sign->rsa_sign = NULL;
             break;
         case SSH_KEYTYPE_RSA:
         case SSH_KEYTYPE_RSA1:
-            sign->rsa_sign = _RSA_do_sign(hash + 1, SHA_DIGEST_LEN,
-                    privatekey->rsa);
-            if (sign->rsa_sign == NULL) {
-                signature_free(sign);
+            sig->rsa_sig = _RSA_do_sign(hash + 1, hlen, privkey->rsa);
+            if (sig->rsa_sig == NULL) {
+                ssh_signature_free(sig);
                 return NULL;
             }
-            sign->dsa_sign = NULL;
+            sig->dsa_sig = NULL;
             break;
         case SSH_KEYTYPE_ECDSA:
         case SSH_KEYTYPE_UNKNOWN:
-            signature_free(sign);
+            ssh_signature_free(sig);
             return NULL;
     }
 
-    return sign;
+    return sig;
 }
 
 #ifdef WITH_SERVER

src/pki_gcrypt.c

@@ -1384,47 +1384,60 @@ int pki_signature_verify(ssh_session session,
     return SSH_OK;
 }
 
-struct signature_struct *pki_do_sign(ssh_key privatekey,
-                                     const unsigned char *hash) {
-    struct signature_struct *sign;
-    gcry_sexp_t gcryhash;
+ssh_signature pki_do_sign(const ssh_key privkey,
+                          const unsigned char *hash,
+                          size_t hlen) {
+    ssh_signature sig;
+    gcry_sexp_t sexp;
+    gcry_error_t err;
 
-    sign = malloc(sizeof(SIGNATURE));
-    if (sign == NULL) {
+    sig = ssh_signature_new();
+    if (sig == NULL) {
         return NULL;
     }
-    sign->type = privatekey->type;
+    sig->type = privkey->type;
 
-    switch(privatekey->type) {
+    switch (privkey->type) {
         case SSH_KEYTYPE_DSS:
-            if (gcry_sexp_build(&gcryhash, NULL, "%b", SHA_DIGEST_LEN + 1, hash) ||
-                gcry_pk_sign(&sign->dsa_sign, gcryhash, privatekey->dsa)) {
-                gcry_sexp_release(gcryhash);
-                signature_free(sign);
+            err = gcry_sexp_build(&sexp, NULL, "%b", hlen + 1, hash);
+            if (err) {
+                ssh_signature_free(sig);
+                return NULL;
+            }
+
+            err = gcry_pk_sign(&sig->dsa_sig, sexp, privkey->dsa);
+            gcry_sexp_release(sexp);
+            if (err) {
+                ssh_signature_free(sig);
                 return NULL;
             }
-            sign->rsa_sign = NULL;
             break;
         case SSH_KEYTYPE_RSA:
         case SSH_KEYTYPE_RSA1:
-            if (gcry_sexp_build(&gcryhash, NULL, "(data(flags pkcs1)(hash sha1 %b))",
-                                SHA_DIGEST_LEN, hash + 1) ||
-                gcry_pk_sign(&sign->rsa_sign, gcryhash, privatekey->rsa)) {
-                gcry_sexp_release(gcryhash);
-                signature_free(sign);
+            err = gcry_sexp_build(&sexp,
+                                  NULL,
+                                  "(data(flags pkcs1)(hash sha1 %b))",
+                                  hlen,
+                                  hash + 1);
+            if (err) {
+                ssh_signature_free(sig);
+                return NULL;
+            }
+
+            err = gcry_pk_sign(&sig->rsa_sig, sexp, privkey->rsa);
+            gcry_sexp_release(sexp);
+            if (err) {
+                ssh_signature_free(sig);
                 return NULL;
             }
-            sign->dsa_sign = NULL;
             break;
         case SSH_KEYTYPE_ECDSA:
         case SSH_KEYTYPE_UNKNOWN:
-            signature_free(sign);
+            ssh_signature_free(sig);
             return NULL;
     }
 
-    gcry_sexp_release(gcryhash);
-
-    return sign;
+    return sig;
 }
 
 #ifdef WITH_SERVER