From 5bc45eb57d3df492a992eb97f4f9efadef0b060c Mon Sep 17 00:00:00 2001 From: eric <> Date: Tue, 25 Jan 2022 21:51:24 +0000 Subject: Introduce a signer interface intented to make TLS privsep simpler to implement. Add a tls_config_set_sign_cb() function that allows to register a callback for the signing operation on a tls_config. When used, the context installs fake pivate keys internally, and the callback receives the hash of the public key. Add a tls_signer_*() set of functions to manage tls_signer objects. A tls_signer is an opaque structure on which keys are added. It is used to compute signatures with private keys identified by their associated public key hash. Discussed with and ok jsing@ tb@ --- src/lib/libtls/tls_config.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'src/lib/libtls/tls_config.c') diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 4ca497a032..15e218b4e0 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.64 2021/10/21 08:33:07 tb Exp $ */ +/* $OpenBSD: tls_config.c,v 1.65 2022/01/25 21:51:24 eric Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -737,6 +737,17 @@ tls_config_set_session_fd(struct tls_config *config, int session_fd) return (0); } +int +tls_config_set_sign_cb(struct tls_config *config, tls_sign_cb cb, void *cb_arg) +{ + config->use_fake_private_key = 1; + config->skip_private_key_check = 1; + config->sign_cb = cb; + config->sign_cb_arg = cb_arg; + + return (0); +} + int tls_config_set_verify_depth(struct tls_config *config, int verify_depth) { -- cgit v1.2.3-55-g6feb