Correct tls_config_clear_keys() behaviour.

Previously this incorrectly called tls_keypair_clear(), which results in
the private key being cleared, along with the certificate, OCSP staple and
pubkey hash. This breaks OCSP stapling if tls_config_clear_keys() is called
following tls_configure(), as is done by httpd.

Fix this by calling tls_keypair_clear_key() so that only the private key is
cleared, leaving the other public data untouched. While here, remove
tls_keypair_clear() and fold the necessary parts into tls_keypair_free().

ok beck@

1 files changed, 2 insertions, 5 deletions

diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index d32176fe6e1..07019252a7d 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.51 2018/03/20 15:40:10 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.52 2018/04/07 16:35:34 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -189,10 +189,7 @@ tls_config_clear_keys(struct tls_config *config)
 	struct tls_keypair *kp;
 
 	for (kp = config->keypair; kp != NULL; kp = kp->next)
-		tls_keypair_clear(kp);
-
-	tls_config_set_ca_mem(config, NULL, 0);
-	tls_config_set_crl_mem(config, NULL, 0);
+		tls_keypair_clear_key(kp);
 }
 
 int