authorReyk Floeter <reyk@cvs.openbsd.org>2014-04-29 10:08:56 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2014-04-29 10:08:56 +0000
commit569a05084857963f084681bcb049c98ea5191b53 (patch)
tree859a031ace3fdd25ed6b596f0bd740df63ece02a /usr.sbin
parent4a444313adb117bfb8746af006efee1f9a535bcd (diff)
It is only required to load the keys and certs into the same SSL
context once. Simplify the code path by moving the loading from three different places into ssl_ctx_create(): ok gilles@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/smtpd/ssl.c29
-rw-r--r--usr.sbin/smtpd/ssl.h4
-rw-r--r--usr.sbin/smtpd/ssl_smtpd.c19
3 files changed, 21 insertions, 31 deletions
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index ad24e54845f..b636ae0fd38 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.61 2014/04/19 14:09:19 gilles Exp $ */
+/* $OpenBSD: ssl.c,v 1.62 2014/04/29 10:08:55 reyk Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -66,18 +66,10 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki)
{
DH *dh;
SSL_CTX *ctx;
-
- ctx = ssl_ctx_create();
- if (!ssl_ctx_use_certificate_chain(ctx,
- pki->pki_cert, pki->pki_cert_len))
- goto err;
- if (!ssl_ctx_use_private_key(ctx,
- pki->pki_key, pki->pki_key_len))
- goto err;
+ ctx = ssl_ctx_create(pki->pki_cert, pki->pki_cert_len,
+ pki->pki_key, pki->pki_key_len);
- if (!SSL_CTX_check_private_key(ctx))
- goto err;
if (!SSL_CTX_set_session_id_context(ctx,
(const unsigned char *)pki->pki_name,
strlen(pki->pki_name) + 1))
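Review bot: The replacement call on the `ctx = ssl_ctx_create(...)` lines drops ssl_setup()'s recoverable failure path for an unusable certificate or key: the removed `goto err` handed the error back to the caller, while the loader now inside ssl_ctx_create() calls fatal(), so a bad pki entry terminates the process instead of making ssl_setup() fail. The same shift applies to the ssl_mta_init() hunk in ssl_smtpd.c, where a per-relay cert/key problem previously fell through to that function's `err:` label. fatal() is already what ssl_ctx_create() does when the cipher list cannot be set, so this may well be intended, but the call site should say so: `/* fatal()s on an unusable cert/key pair; there is no recoverable error path */`. ssl_setup() starts and ends outside this hunk.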
@@ -251,7 +243,7 @@ fail:
}
SSL_CTX *
-ssl_ctx_create()
+ssl_ctx_create(char *cert, off_t cert_len, char *key, off_t key_len)
{
SSL_CTX *ctx;
@@ -273,6 +265,19 @@ ssl_ctx_create()
fatal("ssl_ctx_create: could not set cipher list");
}
+ if (cert != NULL && key != NULL) {
+ if (!ssl_ctx_use_certificate_chain(ctx, cert, cert_len)) {
+ ssl_error("ssl_ctx_create");
+ fatal("ssl_ctx_create: invalid certificate chain");
+ } else if (!ssl_ctx_use_private_key(ctx, key, key_len)) {
+ ssl_error("ssl_ctx_create");
+ fatal("ssl_ctx_create: could not use private key");
+ } else if (!SSL_CTX_check_private_key(ctx)) {
+ ssl_error("ssl_ctx_create");
+ fatal("ssl_ctx_create: invalid private key");
+ }
+ }
+
return (ctx);
}
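Review bot: The `if (cert != NULL && key != NULL)` guard silently builds a context with no credentials when exactly one of the pair is NULL, which for ssl_setup() used to be an error because the old code loaded both unconditionally. A mismatched pair is almost certainly a configuration mistake, so reject it explicitly ahead of the guard: `if ((cert == NULL) != (key == NULL)) fatal("ssl_ctx_create: certificate and key must be given together");`. The all-NULL case stays as the legitimate no-credential path that ssl_mta_init() already relied on. ssl_ctx_create() starts outside this hunk.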
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index d5eebe080c4..eb4e65f0550 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.5 2014/02/04 13:44:41 eric Exp $ */
+/* $OpenBSD: ssl.h,v 1.6 2014/04/29 10:08:55 reyk Exp $ */
/*
* Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
*
@@ -42,7 +42,7 @@ struct pki {
/* ssl.c */
void ssl_init(void);
int ssl_setup(SSL_CTX **, struct pki *);
-SSL_CTX *ssl_ctx_create(void);
+SSL_CTX *ssl_ctx_create(char *, off_t, char *, off_t);
int ssl_cmp(struct pki *, struct pki *);
DH *get_dh1024(void);
DH *get_dh_from_memory(char *, size_t);
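Review bot: The new ssl_ctx_create() prototype gives no hint that the cert/key pair is optional, that a cert without a key (or vice versa) is silently ignored, or that an unusable pair is fatal rather than reported through the return value, which is what callers of ssl_setup() and ssl_mta_init() previously handled themselves. A one-line comment above the prototype would capture that contract: `/* cert/key may both be NULL; an unusable pair is fatal, never returned */`.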
diff --git a/usr.sbin/smtpd/ssl_smtpd.c b/usr.sbin/smtpd/ssl_smtpd.c
index 8d796d51836..bf0c9d22570 100644
--- a/usr.sbin/smtpd/ssl_smtpd.c
+++ b/usr.sbin/smtpd/ssl_smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_smtpd.c,v 1.4 2014/02/04 13:44:41 eric Exp $ */
+/* $OpenBSD: ssl_smtpd.c,v 1.5 2014/04/29 10:08:55 reyk Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -49,16 +49,7 @@ ssl_mta_init(char *cert, off_t cert_len, char *key, off_t key_len)
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
- ctx = ssl_ctx_create();
-
- if (cert != NULL && key != NULL) {
- if (!ssl_ctx_use_certificate_chain(ctx, cert, cert_len))
- goto err;
- else if (!ssl_ctx_use_private_key(ctx, key, key_len))
- goto err;
- else if (!SSL_CTX_check_private_key(ctx))
- goto err;
- }
+ ctx = ssl_ctx_create(cert, cert_len, key, key_len);
if ((ssl = SSL_new(ctx)) == NULL)
goto err;
@@ -96,12 +87,6 @@ ssl_smtp_init(void *ssl_ctx, char *cert, off_t cert_len, char *key, off_t key_le
int (*cb)(SSL *,int *,void *) = sni;
log_debug("debug: session_start_ssl: switching to SSL");
- if (!ssl_ctx_use_certificate_chain(ssl_ctx, cert, cert_len))
- goto err;
- else if (!ssl_ctx_use_private_key(ssl_ctx, key, key_len))
- goto err;
- else if (!SSL_CTX_check_private_key(ssl_ctx))
- goto err;
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify);