Allow setting a keypair on a tls context without specifying the private

key, and fake it internally with the certificate public key instead. It makes it easier for privsep engines like relayd that don't have to use bogus keys anymore. ok beck@ tb@ jsing@
author: eric <> 2021-01-21 19:09:10 +0000
committer: eric <> 2021-01-21 19:09:10 +0000
commit: b6080b52f179de6a4d935e9b00d1daefb76f3f83 (patch)
tree: cef0da52413de065f06dfb4111338c722b5d63c9 /src/lib/libtls/tls_config.c
parent: 56cb8632a04478fa825a640e148efb0caaea8105 (diff)
download: openbsd-b6080b52f179de6a4d935e9b00d1daefb76f3f83.tar.gz
openbsd-b6080b52f179de6a4d935e9b00d1daefb76f3f83.tar.bz2
openbsd-b6080b52f179de6a4d935e9b00d1daefb76f3f83.zip
1 files changed, 11 insertions, 3 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 7a0d6d8adf..e3e90aaa00 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.61 2020/12/22 13:07:54 bcook Exp $ */
+/* $OpenBSD: tls_config.c,v 1.62 2021/01/21 19:09:10 eric Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -353,7 +353,8 @@ tls_config_add_keypair_file_internal(struct tls_config *config,
                return (-1);
        if (tls_keypair_set_cert_file(keypair, &config->error, cert_file) != 0)
                goto err;
-        if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0)
+        if (key_file != NULL &&
+            tls_keypair_set_key_file(keypair, &config->error, key_file) != 0)
                goto err;
        if (ocsp_file != NULL &&
            tls_keypair_set_ocsp_staple_file(keypair, &config->error,
@@ -380,7 +381,8 @@ tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *ce
                return (-1);
        if (tls_keypair_set_cert_mem(keypair, &config->error, cert, cert_len) != 0)
                goto err;
-        if (tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0)
+        if (key != NULL &&
+            tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0)
                goto err;
        if (staple != NULL &&
            tls_keypair_set_ocsp_staple_mem(keypair, &config->error, staple,
@@ -805,6 +807,12 @@ tls_config_skip_private_key_check(struct tls_config *config)
        config->skip_private_key_check = 1;
 }
+void
+tls_config_use_fake_private_key(struct tls_config *config)
+{
+        config->use_fake_private_key = 1;
+}
 int
 tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file)
 {
author	eric <>	2021-01-21 19:09:10 +0000
committer	eric <>	2021-01-21 19:09:10 +0000
commit	b6080b52f179de6a4d935e9b00d1daefb76f3f83 (patch)
tree	cef0da52413de065f06dfb4111338c722b5d63c9 /src/lib/libtls/tls_config.c
parent	56cb8632a04478fa825a640e148efb0caaea8105 (diff)
download	openbsd-b6080b52f179de6a4d935e9b00d1daefb76f3f83.tar.gz openbsd-b6080b52f179de6a4d935e9b00d1daefb76f3f83.tar.bz2 openbsd-b6080b52f179de6a4d935e9b00d1daefb76f3f83.zip