Allow setting a keypair on a tls context without specifying the private

key, and fake it internally with the certificate public key instead.
It makes it easier for privsep engines like relayd that don't have to
use bogus keys anymore.

ok beck@ tb@ jsing@

1 files changed, 11 insertions, 3 deletions

diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 7a0d6d8adf2..e3e90aaa007 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.61 2020/12/22 13:07:54 bcook Exp $ */
+/* $OpenBSD: tls_config.c,v 1.62 2021/01/21 19:09:10 eric Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -353,7 +353,8 @@ tls_config_add_keypair_file_internal(struct tls_config *config,
 		return (-1);
 	if (tls_keypair_set_cert_file(keypair, &config->error, cert_file) != 0)
 		goto err;
-	if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0)
+	if (key_file != NULL &&
+	    tls_keypair_set_key_file(keypair, &config->error, key_file) != 0)
 		goto err;
 	if (ocsp_file != NULL &&
 	    tls_keypair_set_ocsp_staple_file(keypair, &config->error,
@@ -380,7 +381,8 @@ tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *ce
 		return (-1);
 	if (tls_keypair_set_cert_mem(keypair, &config->error, cert, cert_len) != 0)
 		goto err;
-	if (tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0)
+	if (key != NULL &&
+	    tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0)
 		goto err;
 	if (staple != NULL &&
 	    tls_keypair_set_ocsp_staple_mem(keypair, &config->error, staple,
@@ -805,6 +807,12 @@ tls_config_skip_private_key_check(struct tls_config *config)
 	config->skip_private_key_check = 1;
 }
 
+void
+tls_config_use_fake_private_key(struct tls_config *config)
+{
+	config->use_fake_private_key = 1;
+}
+
 int
 tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file)
 {