authorEric Faurot <eric@cvs.openbsd.org>2021-01-27 20:33:06 +0000
committerEric Faurot <eric@cvs.openbsd.org>2021-01-27 20:33:06 +0000
commit33a2e6b366eb2afc22c2a84a140fd793af57ebcb (patch)
tree546a39783e8becb387bddec39e4fd2207a08600b /usr.sbin/relayd
parent05a4e662f5af6de5fcaf171dabdadb93953025fd (diff)
remove bogus key hack now that it's handled by libtls
no objection claudio@ ok tb@ jsing@
Diffstat (limited to 'usr.sbin/relayd')
-rw-r--r--usr.sbin/relayd/boguskeys.h200
-rw-r--r--usr.sbin/relayd/relay.c34
-rw-r--r--usr.sbin/relayd/relayd.h3
-rw-r--r--usr.sbin/relayd/ssl.c64
4 files changed, 10 insertions, 291 deletions
diff --git a/usr.sbin/relayd/boguskeys.h b/usr.sbin/relayd/boguskeys.h
deleted file mode 100644
index 2e407312e85..00000000000
--- a/usr.sbin/relayd/boguskeys.h
+++ /dev/null
@@ -1,200 +0,0 @@
-/* $OpenBSD: boguskeys.h,v 1.1 2017/05/27 08:33:25 claudio Exp $ */
-
-/*
- * Placed in the public domain by Claudio Jeker <claudio@openbsd.org>
- * on March 26, 2017.
- */
-
-/* Bogus private key since the private key is privseped away */
-const char bogus_1024[] = "-----BEGIN RSA PRIVATE KEY-----\n"
- "MIICXQIBAAKBgQDXEA8QOA7tgvV0UN50pAf34b0vKD95svTuFNuCn7esdTUly/hF\n"
- "wDckkEznfbGj6o1otpMVaPNwRhhwikF7x9IWPjXw7sfbgvQoa2gkMUMkUr/X49KA\n"
- "7Uu0xqOaKn/IM4yA/ZaTuL99zdn8EBCRyrDVF8iDnVTPMrsLTyg2bE1qhwIDAQAB\n"
- "AoGAHvv/T5TkAbAWcPWdtyxSwZHSUdL4oi34P7zdi0o7iiswxwtF77aruybXDZr8\n"
- "VuNaEDYNps4CFLDkoIIqwQye5bWktBLL9Bv0ZDmR8u1PkQPjwRblg7jPtk46aiWQ\n"
- "9NEVkr2V1GUrzAPDcC23R5PKx//PveTiwrfmo6j+sWkxTxECQQD+9LevrDATY1nt\n"
- "Ce9R1KnduwueeDRRByS+8or8dyGXUR1wZjm2M4pBpigTfPQiSA9O6nixV3xpwNUN\n"
- "G9XpWGO1AkEA1/GE9ZPBWHOut+WYSerq76gZeIaH3tF3FnnLBLzw8+ePf0qm0h4q\n"
- "i2dl/EQV9LH7q0Rf7k2yXgHeo5dK4OkyywJBAM49+kWSvcVBTmJw8fa5WLw0bf7A\n"
- "cFnHtJL+sy3t1O+KP41INJFOeh4HIk45e2gr8K4/AGk9QzhtNCuJg+5igS0CQQDM\n"
- "AyW2TW2w/znmC0ehLgvfd1T5BUCARizYUyB2zXpnNDHh9Mk+YbmYEovLlReZIj2+\n"
- "RM7M+SK2pdWNgHYBns+ZAkAT7fZsAeOxNjM7h2kA0AriUvc2IuDqVGiFKAFCVacF\n"
- "mSQSIplSJU117YTqbVGf++SEj/WFYOTS8G+jjBuMr1d9\n"
- "-----END RSA PRIVATE KEY-----\n";
-const char bogus_2048[] = "-----BEGIN RSA PRIVATE KEY-----\n"
- "MIIEpAIBAAKCAQEA2qsShCATc5n25suEmB+1zaxbrVbSqaEWZ+qizKTLlybJ0TOD\n"
- "Nl/6lo9hIZ+gTqf0GwJRTUwtkjlovrn5p8IWtZUceG0S+ijh7DybzGCVlOFN0JRx\n"
- "z+zTr9eNPkvrJLwYavSzV4BpjelBKManE8sHA6pqXCDi5PfJ0iKfWtHQk2S5ukWA\n"
- "WE33ANLQVW0ATPvtNpHSacNIzWEW7h/66sPJu+iNcekx/Q+1kI+0Msf7m1HFN464\n"
- "eRrm3kqncPsJ6o3Kbu2aoJFk7oO6+HfSyXmxLywuUgyPnqW6zN8pj7jaq33fmHzo\n"
- "3s95Nbk/cYOtYHPzaT5eQWXy120aZ/scuY1laQIDAQABAoIBAClEP6pPo1wdokrL\n"
- "/an30geOj36W9AqvK9tQnIiiUQmleFDSt+B7HH9tb5c42Lf/WkH+nflIdxExZGMa\n"
- "FdNi/YYnLchMTViIfppmlcBsOc5u9pB2c0QaHZkBxNYM3cOA+9qzc2UABuuRKYrY\n"
- "co95sUkv0AKy8h7j5GKTxh8NmZ82+YRkkkMkk7bvXhGppR+jiqeQ4KsZbYWFPAG9\n"
- "WJA+sFVn8WS0oMePfqmeIPY+BiddU0ITn02Hafn9jBhhXI5LKbiiwC8sFDICxPSm\n"
- "moDpmexe1s7jNuSxueEM5XPQP7v2QmnH9KDxDcPEC5Lz8qFa6wkiLBpQ9CRmPlDV\n"
- "pEfF8kECgYEA/5jiItxbt+kEDMm6GuAGy02Zq/9Eb3u1J7szjvvGrL6L0S5FcDic\n"
- "S8M5A5hTvbxQfohr6AEzqog5IQ2EiyxghIfYOs5E+rYVnN4py1ErzR3LoC45bIiO\n"
- "tRbgYGMqFzD+uGaePpCwz/Ptn9KqCoH4hhfCJPMgOSNUvh8EAJfh7HcCgYEA2wNK\n"
- "Y53qfMjsd1qGYMM3J6QtTJWrteejSspouyKAlCD1RHKKzhmOxa5GPkG4NSYi1hij\n"
- "nRywxGvFOm0eoYYMUhPdjdC4Txp646l3HNdEZMWv+NN47+vaHX+KvTyq1xis46JB\n"
- "Y5SK+57RmS7sEQqUVwuqJiuPR1YoM2daBqiUFR8CgYEAymyLE67PGLz7TyFoOaaY\n"
- "2uQPQ098JIqlstyofaHa+65Azx7FMZYz+jCXc8hs8cQ1P7DNPMXO5EzUad/py8sO\n"
- "eYeYcSIxMRmJzl2IXhRgCyeAv9A7/D++PZ7rfoqqqAlOgj4LL2OqFFeMJtpRftbm\n"
- "O1SPlnHSYE4h7BxmMA4ZiAsCgYAeG0Cxmvat+qzO52nLiWpej6oOehClq9b9o/9r\n"
- "oh2Mv08X/qroFAlVUVSkoEIjRD/LsI1lPplqFuqA0plAWP3+lm6BXSzI6vnzq8sM\n"
- "8uaa97Xt/ZwFVyWfonW+98UAVosFq7tTZgsI9dcYOKQI36xuntLf9mL2yngyQMXW\n"
- "XnwkvwKBgQCCoZxoF0o6QWbEowJf/BrozjYa2D0tVokxRr7kfVXt9TTQez5LQ1u4\n"
- "/w6oCEKldPe/6tzO12i9BITmAmoZzswO/ms7J3cRnvoLWM1tPHh3zrGZgIaMdTyv\n"
- "n0QebhOEKeXrhwZVmyhBFgI/4bTZJWByAnr6p3jLywK2NdxJIXZ5cg==\n"
- "-----END RSA PRIVATE KEY-----\n";
-const char bogus_4096[] = "-----BEGIN RSA PRIVATE KEY-----\n"
- "MIIJKAIBAAKCAgEAv+N1MSd69KotAzrgAAaMVrlXJZmI3yqD43RfPo97CCoOETXy\n"
- "taJwFO1rTGp/4RxMT7us89AVJTlb5IeBf2KLobLMwn0CT/mSoc/hNfiz9AQG98fI\n"
- "pjWsQcGcJ5ggY2eAg6O9UpQYBfmbbn5U9MpDWzrmSgTS3cCmKNGl/oJyhRLauM7d\n"
- "bAd7pej9+qTZNu295384l9PI3LLRKrGlhhXM62wdqLJ01vqrtwcmTwY6tJPh8En+\n"
- "Im1RXqLSJ3FLLjIpvUOhCKFrABjPTAslDubT0xUN4xM48ppAhV98AWgY+r2nLbHL\n"
- "fyVfTdjWCzKNVZP0R3MnzBQhg3QOw5TrdpFJ3SRk6I4rWm3Tw/IabTxwVc5Vtemd\n"
- "hQdm35gdib7z+kcCJRx1KpxQr3uaE1xS3SHsOR5O0mZrmZYMgEWBFxmWghVHBZZn\n"
- "vLRwifK3m6VjAwjpOOd4qsGId4wtdv0r/meN+WBmI2SlD8wBtjGHN9kHV8enV6JU\n"
- "zLh1GsHmYSuWST5b54S8IXScVUjWjSqwnYqIMlonGNL1kVIz2KCX6q4MkjRjT8NL\n"
- "y/ZkINib37ima3geqCds1i/tRMIgoCco8bHalDA0zETkHFDdJ4fmP4KIo0zGqz7E\n"
- "a4ph5yD/BGuLRSsiiM7gwEf4iKwqAaayqxMY0qY2fUl4BbPcenNzzfAUTiMCAwEA\n"
- "AQKCAgAoAeSNOw4HtPNtmPjbCIJ6Emp5DGndHaAh7EFvabrdGOeV7wmLlTKJKncU\n"
- "l5/R73R5q0eEDf5apHrkStxVEtbJ/91xL18sDXzk/9KUziW22qAZSS4seURQ8Wz9\n"
- "VFpsX0gMKjdu4DGiDUi64NwVrZYdj0o0ZI0Sbvg1yoAxcEEwPZ4cqgTAYU8GaG2L\n"
- "tJMVQLw3Z+8EuMNIQIAbxq4cJq9y5jfI1GxH5junDXaPQ106CRsyXjr+Moykjo4C\n"
- "azyhhRPuwgrxIbaNbp7J3Aj98mJ3wAwFLBzTeBW7uQzBvlJ29NPGUyt6dvBH6s21\n"
- "x/Rvw0lLHFdP1WKnZasuW/472k7r0BPwmjAB2x70j6WCnqyRmiudUxhy4Quj42uW\n"
- "E3m0qJlVODUYA5OfRbQ7pxhEYoyoqwgVYh0Ad5zoOWUig0bUNAKm+YFdJE7c9SO7\n"
- "jazzA9+qoUwJAISAlGaiWn/HHZPd5UY1viTcMdK9Hd7N8hCmu726SmX/wAQnFXlA\n"
- "IObBKROghgJGCais/HMeQbegepiEZD9w5ak2jh1isgsPVvvraACLNVsvWXpc87O0\n"
- "tqGAuWiivLBbzosneOcslvbZakTLtb/WBaZfnQqk40kGQVs2AIX55iCp/2QxgQ31\n"
- "57UQyPQsmLYT+kiKgXBK8MpKEke99WJuC4FVCeetywj9ROo8AQKCAQEA5HlYdfEm\n"
- "TWO7g7GVRc3hJrPhXG9RB8+LMCnkPg3qq2yisew0zHgHa4YrqmPv/vbtLnlWuyt7\n"
- "IRXJ0pYHriyfdazNAb3ni2wo+1rlfkOA7BytieBE2wvHcR8MaO3Lz9PbW9muqvoo\n"
- "IsahMk1e4T/6oJ43YeEy0kOr9gJjAF2THvkSlaT7NOxWLMSltG1SxlI/jODc9zpl\n"
- "6EgxQEdeBProP6C17WpCWiN7F4kQoktCW3uy4YZ/yQS7W9W+qHYXjf6vpR4ECTlk\n"
- "osxh5J0jnVkso9lJ7J6+etrGa120d1elc67EXFf5BpCYkl5FLyxkDI+ro7oV3Sgd\n"
- "sVCc9Ouy3fIBMwKCAQEA1wG7mIQFJ53nLvhjk21kV1jYxbphr0gZXqs5mvt94N4X\n"
- "+G5G4tA1rWOeCkpwh/WvnWJdgFbaUtbwyQAe2Y1q0FX35z4XmhqJqM+CRFdAcsgT\n"
- "cPSIcCBW6I99JLCti9SU2oEogNAulJEieZtZjRajEMT3VNSI/+ZbuxjySasu7m89\n"
- "+KFqXy/fPQrPFyB6YzfEGVfS2D6Js+OLgjrwvnDx04/hXnRVqdwa/7ZSymYdN3Cr\n"
- "bk9laS0SBEtgoWg0DILAEvdizzgbvNyTnaEPtcuA7oxcTEDzzem7483Y1zf2FhXW\n"
- "MSKex8QtEOZ7snr7jH9BcWRbxVqwCwBUc1Axl7BfUQKCAQEAi9vUUO572efxQ56T\n"
- "mBV9fCmlDOZ/nd5of+VE+M+gFav8tBm6AGiBckrBtB5VLaiObGKOuyjUyN4Dm8uH\n"
- "jBF405oiLKzJbsmZFLUBwxcjdmXfvYTx4X0Ga7Lr79eRaflwUHuitrtHknIw/w/p\n"
- "ws1daLExidNHPvt56rBvVivyAYXK4JwLwsvhvKnsHdTGVOzIRj7oRNcUxupaa9TE\n"
- "Mxw8y6Zfd6QSVgdeNHwNGKwlRMcmK3QgCTfCUWc4vPr9VEjR0KvdIKBngFjInB+t\n"
- "S4bpEqvS2uwaAi6mQ9cqv9uBRp13Smf34xLkssTOaSAtZpsUILeq5qTF+GM2kZ8u\n"
- "8TpRjQKCAQB00ns0pl8KpJBNhCbOnvyLPTojTV7wV1N5jb1yCT3fJa2OjZS0fn77\n"
- "5Aml+8ZjCUpPUHgPWKGtqx4PiKI6gM1Nv7hADAvU7qBnecCFE4dwFmgB0swjaF7w\n"
- "Y66SdfEF7g6nHtB8FSGKFcXOn2sr7uXRIcRlckmyCV9ELIzRHFMWuJjKdCIQ8Djy\n"
- "uOHG5h25tT42qvJkDq7RcEyICTBvuXycACxrHvjAn1iIIm+fi5ZKXky3Vip62ENW\n"
- "1AIAEVdeiNiGNaaZgxoHJy6J0k5v78/xTZCE2jHeayZs45bzcXOjkl/cOLxfPKdj\n"
- "7Ge/lXUCZM6RJv96HwlSIO7B7QvVKL7RAoIBAA4BTjsVQiMFjudlw2n54v+wvmEt\n"
- "qNUje9G6IHmpL+PbpCsbx6ZiTtBHBrDTtbeZ50VlU+U6u6Pev0a1oG4Ww+rvxqlb\n"
- "UmDJA3c29i5S9hwvYusboVAaY1u3+xKg0H+lUj1zOLMVLE50VLqIk0ePewrtQhDk\n"
- "cwWTgNrLVQIFzXnND274LU2Tv8laXWm7ZG7Wdgu0YuFDjGpcHp3zI3ezNiwwtjKr\n"
- "IUqmRWdNw8O2U3tMYMOj1K5rl82XHsxHB6gOYWSn+Xwwg2FRwsDS67sUMu6zkClJ\n"
- "AcD2WgawwxehsKZx3r4GdrZNNa3JBs9NE5Bc4mivROIKSUxBTo44fwws0gE=\n"
- "-----END RSA PRIVATE KEY-----\n";
-const char bogus_8192[] = "-----BEGIN RSA PRIVATE KEY-----\n"
- "MIISKQIBAAKCBAEAzyPE0O2QFkMfOgLRrboLW586Ibh9EgoZaV//pyunvc0ICnyC\n"
- "4bVJ/oRLAhPYOSou2KMIKuy8T7dz6b0JgIhaZJ6Kwt6isE9kIgBgkeKitmNJXou1\n"
- "Q5GKUx28NJeh0jRkGleVbGyL0wGXaud5Q3bV3VBlQV3iCJwstnc2meu8ZzO97PeG\n"
- "6/kadIZY52BY7/9EleZve+zPCr+SBTxeblS2vLgeutoKdmHYRdEzYu2sog0P1690\n"
- "YiNbxwXFNPc63Y6+CpCW69+73jX33OR/Rzk/Kdy3YqKnjM41uQw1oIl4sLIcKiQh\n"
- "WztUNNHV9bhIJ82l7qURc3abNqCOplbgpLEeyGyL6hPv0VQ2u/0+GGGv8Z1cOsJb\n"
- "4iiUSx2evoLJZd4y7ClHKsQB1lRR+XLr8hNoHXaZ1XPEqEWYuYGcs5qDBOGjt8RS\n"
- "YasNW8H6gJed82DFgSGExNNEQFJjf4KIsuTVzCrzMzupx1yJCl/h7hShTyp9v2Wb\n"
- "KcTYe/TJFnutcWgjCazDQ0KBgsfkxjKLD0qDpT2ts+sZCSYUVZ4xZeShjjqmKAsl\n"
- "zLyr2MYd1pYf6pZTVL9s+Uoo/s7Q1GI9aipP46HFVA/2Ej1GPVBzFK7FXCqPgOwh\n"
- "LqTBOIpu3r4CXi2POVetbwiFO8mhbN9L96TbtcencqEYxNTIQLKfq4j2nn2pH7Jp\n"
- "6clplcSPZqOlfJoDIhqyL2hCVo3Vzy3am0k2rzDqFHsajQ62lZWr/fBn+naQhmGl\n"
- "CvinoXhfpaLp8TVmG0xNBkFK7OEsRBeKNpHmUlKKi2DXHptucwnunplr+RiEwO5i\n"
- "90+Sa0VJXgIIv6whw6zoOdV3pKg1P6popqJVtYJBaWZffb7BLYXZKrcTopSRDqzX\n"
- "5JPjqkb2pToqC7RbS0TLfMa/jGIrOO8ky8jcmXWJ2/QWl4pUfbXD4Fg0j3ox4DE1\n"
- "z+MNrJIBSXeD0Un1CqvwoOVDxOILNVL+8y2oDUF76h4iZtA4JWKjeioeZVb/ff1o\n"
- "FXiUEe6BrIiqeZZaB9i9l5MjOL1hBgO/CcCh3F+x82R1sDHoVqvW12t+wFaQzT+l\n"
- "8UEvfr8w5dd0xqwRAg89CjXvtYCqbiAnelpeOTHOwIloRwrxzaV79auh+ITY4ROp\n"
- "GIH0BVfLZZyT9vg1rjcGJq9y4sHkZiYcei9QmiEmlKcCmMTobuocFzTcqPyoOP4m\n"
- "LQ3EbaLOEcpp04Eniq6sc7qgFpJbpEn0PKjORCLdmbcEr/WKTQq55sn0pTJy4bHz\n"
- "WAZMzPz1csfdLqViL3p4RYgHJYbv/1MeciCSQ4E90PviDHaXvnTKLpeHd/LXsXIT\n"
- "2uE+G3IJrPJ9iApsxw9vZpgmE8W73/3WuxS4gwIDAQABAoIEAQC9CeW6zrOqvYMo\n"
- "DB6Tr7Bh44TH9XifF/xtAKFuTRb+zrlB6LQBjNOEpfNWaAny0Z6DMvZnRjntfn0Y\n"
- "md6sIMRuA4qboVdUFIBLz5BSU0Uvspjo4hOBILfedsqmLKQQFKQurjO+Canp3g/0\n"
- "Dl/KxA8VtSNTbny0YuMjetSn0E3W2Y/BTX0iqeoM4fcM4g8IqCxNqUmhDVM+eeqn\n"
- "QJrlkgZbYKUa3Zaix1T7EpsU89eS5NzKeGN8lMxTa964IdDlFjo1phM2HK91ckdM\n"
- "nnPR6lrMt5PdPpgulprM0Gm4ov00NLgjdWnDuvd0ZPQhFhczzChdDORKPboVNp45\n"
- "DBxj8Qko3HcsHxnELljtY4Zh9fT+SiA7t9jnIyWDD/sp3m4yu4A5qso6KzuKANX3\n"
- "E3xlJnTkPrLR7J9S+oEQ+0qpVp+vusURFuggHl1ImlUlOjl6PZzB5ncmsbAeC5Km\n"
- "cdiTeufrNl9RKGgfe0HN6Admogk9GIg+PlpG2lC/f3xtOl3lm6YuVC63mWBcnFUa\n"
- "1FG4mMZf7VQzWKE2ijwQjxiB5w/Rn5C4BsRuftlOMjBVABkMnDhcpX6sW5PiR5ip\n"
- "2yY1V3wlQCO4PgDSUH1jw6HjBEU1gdoJTHZT/SQhl6TrPvkmPenx6SRsqpf9Ilxh\n"
- "4b+QuDGTSix1HrReHdrLwLibcZmwtVReEjOvHYJrAOP25P9g54cE6emJ0YDGi5Mg\n"
- "YA+6B/+MloprNy2AIMCURnOhC+r0/C9k3PAuhMS9CeqpXa+D17zTc0h082U9Gxxs\n"
- "3tVJaxKnk/cawTa/DLQ0VyJAmHbFpF9+fd3E8pLKHU3tW+t6KOaQ0S10o00JN+6+\n"
- "HP8M1nzsAG8W1ZYdP5yUR94/oftU/kPl1F+UidPyVuKc4vwIgGadcbaDIVooe6ml\n"
- "bk14Mkl3fLxQfod7WvuKg/XKzm/1OZUrHskbVE2CVjYJowmPgilB4jeK1KfDar3X\n"
- "3OXCea0IgvtAY8LLBGvhSw60iR/A7k3YukAsnS/YXEVZdxOz0D2eYk5AwhlnmK6w\n"
- "bzqPeXMQNCSctsDnS/vyoKLCGtfn6KvUA1Jcvh83V/U4bfnrTNI0ifcZRuZiTUyE\n"
- "WhIA02WZn2t3DyHATzeVQ+0dfBdmuzVIHX5HBnIwC4BGP0fDsku7mVnU04KbK32u\n"
- "gkTs2CwcTN4d9Nndn+CZaQ8H2wbKD6J/DI86keNRRN/iYzmBaz8c2n8JHmVDL2nf\n"
- "WVDjezjY8cLRS09yE0rCwirl4I9VQTFCD4stPYX1res+b52ubpQbrinxchf3cUkz\n"
- "R82pIpmLK7pn7YmjtPUr4EZa6CsWvstnXfD4bZpP38H5dZ2Q+VMRMt3xQo0YJoYm\n"
- "p4Y01grhAoICAQD3M1rjh+GWq1QN+nZ2ocr2h8IhtFi4Bg8eMIqa1D7aO7aoihg1\n"
- "6IN2mJsw+foixjzzW4rTdY5IREgZa+SHT6sqKb+rVbA3rSOAX+UyKuGE42beP6Lc\n"
- "hjdrLWLG7T0FGmYRo7Q+WNf9Dr21uXtqcDrVJMSQddLieFPhnHbcC9OsIpP4rbCr\n"
- "lINS/JqwqU2+34QxbPc9Bao7UNMxbs0MX4cWeHx/h9dXv9YAaGlin7MiVpnaDd8L\n"
- "ZmC5WV3LH1wLudwgal4mpTZVmPM94DDx7NZwnzIUDXJF/rteHFde0Cw+NCy3/FQa\n"
- "Qv55Ska1TY9sauSL0eLgIWwYEIADErQsev9AbNa0vwHCeawMFue69m1rfPbZyzpf\n"
- "yU81kekCVEODMTYo59Cy4igmqdXxG4V8V7gt/jdg/5Coi4iABurfSuuo4U7qqjYo\n"
- "Gtkwy0wneOEd4sE7MAONBArrgwCiEZGwZk89e8rdiz1OthFxKzlUV5McAIeDevZB\n"
- "8BZy0e2a/dEx3SI0nlx/etkW0n33c0dvuiiJqohmyKDtQT2G7Uf+J+pbpTKSFpJT\n"
- "W6DKj8GKHqXOct3iu6bRy4XK48yVap7qwTYUamwHamozpgbbuY6iBB2wq0ZQ4j+D\n"
- "MMSdmyAD37/ZLz4WbKPc8aEeaUkB92Wzz79k+7zRtdbNae/uaF7U1xt4ewKCAgEA\n"
- "1oNarRzgq1sUqj1a9o2ZKV02PC260tjK923uqFn5Gua59WEePm+qPol+YVYXwj4U\n"
- "8HtMHAB8RoxRzo28vOcjuoNeEC2nClxxTBVAS/lvxB2CFeuJ20NPkKkRdMFMI8Of\n"
- "weI21Duk1/eglOPBAW5r03l9shiip+JR+zdtMLWGwXbLnkOErn9OcaQzPCDQf1Zh\n"
- "36t3lkuqx3Lj6qgt2a3etHPClkrDQycIO7DotGwITDWHV3BZrnLe2AamTGUHGuQT\n"
- "+C/Tb1e/eKze0csd7ahxmLDVwHnjCVAtbvr+FYDJnl2P/EAt2ZxPlrea3VZsOliN\n"
- "QFKEqNjumRH6fBOifoNLYHUlO3woCn4eh99XaZ3OqQP++VD96lIKlatGLPSkxtc2\n"
- "KuihTORYSau2mDoAzrIfkHPJkK2/aho+xvdwxFeTLr49N1F+DtdZAQfYyxp8gmmG\n"
- "gvFzhTnCfQO///K85zu7TMQZdWklxHl3qkG2rHRbke62YZwE3kR3KqTYproaUYyO\n"
- "PE8od+Zge38vRvPULFZlYMd/QibTrlumfjVWauS1+LPMP3r3siMArF3tWgkz8CNh\n"
- "rOxnEJzoy0/Ai872xhNcVxC2YZX04CKfao0A0xd0nMLY4EO7kVVypKiPRpTFQAwb\n"
- "cgP4tzRzlgVF9w3NIeYCti9v9wBBA+dKzjCa5ztU9ZkCggIAa8hhhbm2e7piIOIn\n"
- "CtzKoSlaVNXMpRhHOTOTC6UlboQAxYXIvqCNyYUKjZVBIi5rXvR4GHE2Q346LZNk\n"
- "hjcPe4fOgYcQGYaNZyjoxzH5OLbqIFeAzERdH4cffXrtUy9Kd8B4E4MrUbQ+tWCV\n"
- "Vjhu/oZUimRFOeebM1DEZndlqLU+7XvV/0n25JUtYX/AXUwZ2G8ZcerpaYl5PCGC\n"
- "mDWCsiKArh5tn14Okgj0gkL9mShHVtMbgF34KHi1s54NxTMZrqySNqlsgm/5Bu6c\n"
- "iK9qZJqU/DdMrwY9bfBPjBCaadjX8rS7euPhDsN7Bww1T+FfmzM9h9oqxmdTWYOr\n"
- "OYW7i7yo9RAfVUs13+OQ0G0oEmjfPOEmp6MfvUzMWu6grTAk3DsPPR/sv8bneIQ2\n"
- "dJvOu4cPYGSuDz8fmirp98gz7mOmxBzJFj12m5bYspE7HovDEuqBcdfkZwGsof2l\n"
- "F1PUkwtJzcUrSwmJm11sVsEEbH4yl/piKyfisdekkSLANsyjYGv4CsFmrFPFBsKl\n"
- "0CpMCJJpfN9Xg3sht5X4APIodiMWZKogzOWzuv5pNa7dPqHI61ZEi08BHBCtICzn\n"
- "85Wg3c/1IFqeybxHW0CR10SSKXjUZOnxJWN7Jvj/QZEqlijKGn7uB6T3Sko/wfK7\n"
- "zmXznrVAg/OUH+Zj7gBl8MmFuccCggIBAKnghCKrx9Br5MWcqTivkieLxbOKk3T+\n"
- "cl3YFTQFbJy9M277ZjQTwkKcKBV1VINjHroDKpbSW5iS7wYggOMoOMcv2YH+ZVZz\n"
- "NtYFzlFcTAKHS8mIKjgV6iCpg0Vu/pkkBpRITRtt0HGnjOfcJbC4fXOPttcfY1CI\n"
- "jlvf3PzCBOGY7k97MMvvzXN5kYmAgx0Uj5XN+HpxmeExPwVKAmVsp/1H30WeF1xK\n"
- "wN5kjySymS+hBHleY+ce2RNC0NeW+jV1gcr+NPbsCpnKbPq/XAglaTB+eghffkiV\n"
- "0iUdZ7Int4NOnQQq3ySCARVeeannEvZxwgq6ToxYnzthXXh9JCYEW+EbZEzjWeJV\n"
- "VmBLorHlYw++NmHCnhK+vdshNAXOB9/f9umsKHD4NGLDNWsAJDuMHCsNRwboUbn4\n"
- "5tYyhn82yzwtM9VnF+kw6S9Dw4+0ff3ZC8kO5WkQANF38skCtk54oy977J1qk5ow\n"
- "h2+xcrTHwOykmpJaOBC9L5H50gjXQJhsMwfXuDibnLSwWARcfB5QnSAzXLhKf0CJ\n"
- "HCS+oJ0uWl2GJa3v99B+n73g9GJk/1ig7G1BGa2yVTkNA3K0iAD8vBfHCGfnlXEa\n"
- "ehyrZYfF/3dVZuLTQOsrPArh4fUHQ94guGtmccTEKPUZX/ryVw0NVgBpOMXm0ZYB\n"
- "yN/Y5hNQjUuhAoICABpK5299PXt+4xCWB2jZjA87bdzgFS2r5zcqo8PZWQxoKpGn\n"
- "rsjxXgCR2wfD0jyH1axP/tlDyw8B9dcE3dN5mm3e5puNzDkCnSPwjWSA4mERa308\n"
- "yPESyHo+qAa8j632jxqkwfgR9uXQDvvs3OPtIwU8UwVG8pTqfEyEijDGW0lcZFpr\n"
- "YbHfUX7+iRgtUlyJXwAaUvLwCcvbtoilplavK7H0IkOlBdTQdDZ48yNR75noTdQD\n"
- "ZnMwRnPvXom2MxItHXw25DGXyZYeb9k8Aiz2Ytq/GmfsCVBH13xK9ZA9J7L+rGtw\n"
- "L7pRmp9bgbKk5ReweFAHFXksUUv4zs76a8/5h/T7Nz0z1cGp5+GO8R0EgPr1RJWO\n"
- "zHKNnUYHvUTpt1IIy6Gqq7OwaokISEVSClVnucLDCaveUKG23JF9uJMLHKYeyMGK\n"
- "fkQoLfrXrMnuU85daM3knw2Y7VZ9PnXmxoSXJFLQN/Kzi/ufEVIU2Jhwj0x+Y8X7\n"
- "3RLXxFz9NcWwYQfyDe2zZ+RoKmZbaS4WqsgvotfekmK40JlHZ3hufr5yS4ZZzRSz\n"
- "uQRZgyxBxgoqwEBlXl3bBfTES5N+T/9nL98LudfydkUlrHM7rAF5qoUdEIR2/4R4\n"
- "QwKCccA30QP3OE14uiDlfIBmLGKfveGMMCha9Dj33i3mIu4FWYi0rJg4hv4S\n"
- "-----END RSA PRIVATE KEY-----\n";
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 89716209937..02324f516c2 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.252 2021/01/09 08:53:58 denis Exp $ */
+/* $OpenBSD: relay.c,v 1.253 2021/01/27 20:33:05 eric Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -2128,7 +2128,7 @@ relay_tls_ctx_create_proto(struct protocol *proto, struct tls_config *tls_cfg)
* This function is not publicy exported because it is a hack until libtls
* has a proper privsep setup
*/
-void tls_config_skip_private_key_check(struct tls_config *config);
+void tls_config_use_fake_private_key(struct tls_config *config);
int
relay_tls_ctx_create(struct relay *rlay)
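Review bot: The renamed prototype `void tls_config_use_fake_private_key(struct tls_config *config);` is still declared by hand in relay.c rather than taken from a libtls header, so the compiler cannot check it against the library's definition and a later signature change would not be caught at compile time. The comment above it still describes the function as a hack pending proper libtls privsep and carries the typo "publicy". Since the commit message says libtls now handles the bogus key itself, I would reword the comment to say what the call is for, for example `/* Not publicly exported by libtls; asks libtls to stand in a fake private key because the real one is kept in a separate process. */` (wording inferred from the function name and commit message, to be confirmed against libtls). relay_tls_ctx_create itself continues outside this hunk.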
@@ -2136,8 +2136,7 @@ relay_tls_ctx_create(struct relay *rlay)
struct tls_config *tls_cfg, *tls_client_cfg;
struct tls *tls = NULL;
struct relay_cert *cert;
- const char *fake_key;
- int fake_keylen, keyfound = 0;
+ int keyfound = 0;
char *buf = NULL, *cabuf = NULL, *ocspbuf = NULL;
off_t len = 0, calen = 0, ocsplen = 0;
@@ -2193,10 +2192,8 @@ relay_tls_ctx_create(struct relay *rlay)
* parameters are hidden in an extra process that will be
* contacted by the RSA engine. The SSL/TLS library needs at
* least the public key parameters in the current process.
- * For this we need to skip the private key check done by
- * libtls.
*/
- tls_config_skip_private_key_check(tls_cfg);
+ tls_config_use_fake_private_key(tls_cfg);
TAILQ_FOREACH(cert, env->sc_certs, cert_entry) {
if (cert->cert_relayid != rlay->rl_conf.id ||
@@ -2221,15 +2218,9 @@ relay_tls_ctx_create(struct relay *rlay)
purge_key(&ocspbuf, ocsplen);
cert->cert_ocsp_fd = -1;
- if ((fake_keylen = ssl_ctx_fake_private_key(buf, len,
- &fake_key)) == -1) {
- /* error already printed */
- goto err;
- }
-
if (keyfound == 1 &&
tls_config_set_keypair_ocsp_mem(tls_cfg, buf, len,
- fake_key, fake_keylen, ocspbuf, ocsplen) != 0) {
+ NULL, 0, ocspbuf, ocsplen) != 0) {
log_warnx("failed to set tls certificate: %s",
tls_config_error(tls_cfg));
goto err;
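Review bot: Passing `NULL, 0` as the key to `tls_config_set_keypair_ocsp_mem()` is only meaningful because `tls_config_use_fake_private_key(tls_cfg)` was called on the same config earlier, and nothing at the call site records that dependency. The same applies to the `tls_config_add_keypair_ocsp_mem()` call in the next hunk and to the call in relay_tls_inspect_create. A short comment at each site, such as `/* no key passed: libtls supplies the fake key, see tls_config_use_fake_private_key() */`, would keep a later reordering or a new config path from loading a certificate with no key at all. The removed ssl_ctx_fake_private_key() also rejected key sizes other than 1024, 2048, 4096 and 8192 with an explicit warning; whether libtls now accepts or rejects other sizes is not visible here and is worth confirming. The enclosing function starts and ends outside this hunk.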
@@ -2241,7 +2232,7 @@ relay_tls_ctx_create(struct relay *rlay)
goto err;
if (tls_config_add_keypair_ocsp_mem(tls_cfg, buf, len,
- fake_key, fake_keylen, ocspbuf, ocsplen) != 0) {
+ NULL, 0, ocspbuf, ocsplen) != 0) {
log_warnx("failed to add tls certificate: %s",
tls_config_error(tls_cfg));
goto err;
@@ -2302,8 +2293,6 @@ relay_tls_inspect_create(struct relay *rlay, struct ctl_relay_event *cre)
{
struct tls_config *tls_cfg;
struct tls *tls = NULL;
- const char *fake_key;
- int fake_keylen;
/* TLS inspection: use session-specific certificate */
if ((tls_cfg = tls_config_new()) == NULL) {
@@ -2315,17 +2304,10 @@ relay_tls_inspect_create(struct relay *rlay, struct ctl_relay_event *cre)
goto err;
}
- tls_config_skip_private_key_check(tls_cfg);
+ tls_config_use_fake_private_key(tls_cfg);
- log_debug("%s: loading intercepted certificate", __func__);
- if ((fake_keylen = ssl_ctx_fake_private_key(cre->tlscert,
- cre->tlscert_len, &fake_key)) == -1) {
- /* error already printed */
- goto err;
- }
if (tls_config_set_keypair_ocsp_mem(tls_cfg,
- cre->tlscert, cre->tlscert_len, fake_key, fake_keylen,
- NULL, 0) != 0) {
+ cre->tlscert, cre->tlscert_len, NULL, 0, NULL, 0) != 0) {
log_warnx("failed to set tls certificate: %s",
tls_config_error(tls_cfg));
goto err;
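Review bot: The deleted `log_debug("%s: loading intercepted certificate", __func__);` was not part of the fake-key hack, so removing it along with the ssl_ctx_fake_private_key() call drops the debug trace that marked a session-specific certificate being loaded for TLS inspection. If that was not intended, keep the line directly ahead of the `tls_config_set_keypair_ocsp_mem()` call; the trace is useful when reconstructing which sessions were intercepted. relay_tls_inspect_create continues outside this hunk.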
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index 9a58a86ff90..735c65081db 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.264 2021/01/27 07:21:54 deraadt Exp $ */
+/* $OpenBSD: relayd.h,v 1.265 2021/01/27 20:33:05 eric Exp $ */
/*
* Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -1300,7 +1300,6 @@ char *ssl_load_key(struct relayd *, const char *, off_t *, char *);
uint8_t *ssl_update_certificate(const uint8_t *, size_t, EVP_PKEY *,
EVP_PKEY *, X509 *, size_t *);
int ssl_load_pkey(char *, off_t, X509 **, EVP_PKEY **);
-int ssl_ctx_fake_private_key(char *, off_t, const char **);
/* ca.c */
void ca(struct privsep *, struct privsep_proc *);
diff --git a/usr.sbin/relayd/ssl.c b/usr.sbin/relayd/ssl.c
index 623ca8ac802..d1a4d876424 100644
--- a/usr.sbin/relayd/ssl.c
+++ b/usr.sbin/relayd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.34 2017/07/28 13:58:52 bluhm Exp $ */
+/* $OpenBSD: ssl.c,v 1.35 2021/01/27 20:33:05 eric Exp $ */
/*
* Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -30,7 +30,6 @@
#include <openssl/engine.h>
#include "relayd.h"
-#include "boguskeys.h"
int ssl_password_cb(char *, int, int, void *);
@@ -262,64 +261,3 @@ ssl_load_pkey(char *buf, off_t len, X509 **x509ptr, EVP_PKEY **pkeyptr)
return (0);
}
-
-/*
- * This function is a horrible hack but for RSA privsep to work a private key
- * with correct size needs to be loaded into the tls config.
- */
-int
-ssl_ctx_fake_private_key(char *buf, off_t len, const char **fake_key)
-{
- BIO *in;
- EVP_PKEY *pkey = NULL;
- X509 *x509 = NULL;
- int ret = -1, keylen;
-
- if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
- log_warnx("%s: BIO_new_mem_buf failed", __func__);
- return (0);
- }
-
- if ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL) {
- log_warnx("%s: PEM_read_bio_X509 failed", __func__);
- goto fail;
- }
-
- if ((pkey = X509_get_pubkey(x509)) == NULL) {
- log_warnx("%s: X509_get_pubkey failed", __func__);
- goto fail;
- }
-
- keylen = EVP_PKEY_size(pkey) * 8;
- switch(keylen) {
- case 1024:
- *fake_key = bogus_1024;
- ret = sizeof(bogus_1024);
- break;
- case 2048:
- *fake_key = bogus_2048;
- ret = sizeof(bogus_2048);
- break;
- case 4096:
- *fake_key = bogus_4096;
- ret = sizeof(bogus_4096);
- break;
- case 8192:
- *fake_key = bogus_8192;
- ret = sizeof(bogus_8192);
- break;
- default:
- log_warnx("%s: key size %d not support", __func__, keylen);
- ret = -1;
- break;
- }
-fail:
- BIO_free(in);
-
- if (pkey != NULL)
- EVP_PKEY_free(pkey);
- if (x509 != NULL)
- X509_free(x509);
-
- return (ret);
-}