Deep down inside OpenSSL, err... LibreSSL, RSA_set_ex_data attempts to

free() the external data when releasing the RSA object.  The
RSA_GET_EX_NEW_INDEX(3) manual page doesn't mention that this is the
default behaviour - it just describes the possible free_func()
callback - and the code path in libcrypto is hiding the fact behind
layers of abstraction.

Fix possible double free by allocating and copying the external data
reference that is used for RSA privsep (pkiname in smtpd's case).

ok eric@ gilles@

1 files changed, 5 insertions, 4 deletions

diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index c2df38a66ab..923746eefd6 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl.h,v 1.7 2014/04/29 19:13:14 reyk Exp $	*/
+/*	$OpenBSD: ssl.h,v 1.8 2014/05/20 14:21:46 reyk Exp $	*/
 /*
  * Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
  *
@@ -44,7 +44,7 @@ struct pki {
 /* ssl.c */
 void		ssl_init(void);
 int		ssl_setup(SSL_CTX **, struct pki *);
-SSL_CTX	       *ssl_ctx_create(void *, char *, off_t);
+SSL_CTX	       *ssl_ctx_create(const char *, char *, off_t);
 int	        ssl_cmp(struct pki *, struct pki *);
 DH	       *get_dh1024(void);
 DH	       *get_dh_from_memory(char *, size_t);
@@ -62,9 +62,10 @@ int		ssl_load_keyfile(struct pki *, const char *, const char *);
 int		ssl_load_cafile(struct pki *, const char *);
 int		ssl_load_dhparams(struct pki *, const char *);
 
-int		ssl_ctx_load_pkey(SSL_CTX *, void *, char *, off_t,
+int		ssl_ctx_load_pkey(SSL_CTX *, char *, off_t,
 		    X509 **, EVP_PKEY **);
-int		ssl_ctx_fake_private_key(SSL_CTX *, void *, char *, off_t);
+int		ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,
+		    char *, off_t);
 
 /* ssl_privsep.c */
 int		ssl_ctx_use_certificate_chain(SSL_CTX *, char *, off_t);