2 files changed, 35 insertions, 35 deletions

diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index 6ea7c6b7df0..d402992a604 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl.c,v 1.66 2014/05/20 14:21:45 reyk Exp $	*/
+/*	$OpenBSD: ssl.c,v 1.67 2014/05/20 17:33:36 reyk Exp $	*/
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -153,7 +153,7 @@ ssl_password_cb(char *buf, int size, int rwflag, void *u)
 #endif
 
 static int
-ssl_getpass_cb(char *buf, int size, int rwflag, void *u)
+ssl_password_cb(char *buf, int size, int rwflag, void *u)
 {
 	int	ret = 0;
 	size_t	len;
@@ -209,7 +209,7 @@ ssl_load_key(const char *name, off_t *len, char *pass, mode_t perm, const char *
 	}
 
 	(void)snprintf(prompt, sizeof prompt, "passphrase for %s: ", pkiname);
-	key = PEM_read_PrivateKey(fp, NULL, ssl_getpass_cb, prompt);
+	key = PEM_read_PrivateKey(fp, NULL, ssl_password_cb, prompt);
 	fclose(fp);
 	fp = NULL;
 	if (key == NULL)
@@ -276,7 +276,7 @@ ssl_ctx_create(const char *pkiname, char *cert, off_t cert_len)
 			ssl_error("ssl_ctx_create");
 			fatal("ssl_ctx_create: invalid certificate chain");
 		} else if (!ssl_ctx_fake_private_key(ctx,
-		    pkiname, pkinamelen, cert, cert_len)) {
+		    pkiname, pkinamelen, cert, cert_len, NULL, NULL)) {
 			ssl_error("ssl_ctx_create");
 			fatal("ssl_ctx_create: could not fake private key");
 		} else if (!SSL_CTX_check_private_key(ctx)) {
@@ -462,12 +462,14 @@ ssl_set_ecdh_curve(SSL_CTX *ctx, const char *curve)
 }
 
 int
-ssl_ctx_load_pkey(SSL_CTX *ctx, char *buf, off_t len,
+ssl_load_pkey(const void *data, size_t datalen, char *buf, off_t len,
     X509 **x509ptr, EVP_PKEY **pkeyptr)
 {
 	BIO		*in;
 	X509		*x509 = NULL;
 	EVP_PKEY	*pkey = NULL;
+	RSA		*rsa = NULL;
+	void		*exdata = NULL;
 
 	if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
 		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_BUF_LIB);
@@ -475,7 +477,7 @@ ssl_ctx_load_pkey(SSL_CTX *ctx, char *buf, off_t len,
 	}
 
 	if ((x509 = PEM_read_bio_X509(in, NULL,
-	    ssl_getpass_cb, NULL)) == NULL) {
+	    ssl_password_cb, NULL)) == NULL) {
 		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PEM_LIB);
 		goto fail;
 	}
@@ -487,14 +489,26 @@ ssl_ctx_load_pkey(SSL_CTX *ctx, char *buf, off_t len,
 
 	BIO_free(in);
 
+	if (data != NULL && datalen) {
+		if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL ||
+		    (exdata = malloc(datalen)) == NULL) {
+			SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_EVP_LIB);
+			goto fail;
+		}
+
+		memcpy(exdata, data, datalen);
+		RSA_set_ex_data(rsa, 0, exdata);
+		RSA_free(rsa); /* dereference, will be cleaned up with pkey */
+	}
+
 	*x509ptr = x509;
 	*pkeyptr = pkey;
 
 	return (1);
 
  fail:
-	ssl_error("ssl_ctx_load_pkey");
-
+	if (rsa != NULL)
+		RSA_free(rsa);
 	if (in != NULL)
 		BIO_free(in);
 	if (pkey != NULL)
@@ -507,28 +521,15 @@ ssl_ctx_load_pkey(SSL_CTX *ctx, char *buf, off_t len,
 
 int
 ssl_ctx_fake_private_key(SSL_CTX *ctx, const void *data, size_t datalen,
-    char *buf, off_t len)
+    char *buf, off_t len, X509 **x509ptr, EVP_PKEY **pkeyptr)
 {
 	int		 ret = 0;
 	EVP_PKEY	*pkey = NULL;
 	X509		*x509 = NULL;
-	RSA		*rsa = NULL;
-	void		*exdata = NULL;
 
-	if (!ssl_ctx_load_pkey(ctx, buf, len, &x509, &pkey))
+	if (!ssl_load_pkey(data, datalen, buf, len, &x509, &pkey))
 		return (0);
 
-	if (data != NULL && datalen) {
-		if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL ||
-		    (exdata = malloc(datalen)) == NULL) {
-			SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_EVP_LIB);
-			goto done;
-		}
-
-		memcpy(exdata, data, datalen);
-		RSA_set_ex_data(rsa, 0, exdata);
-	}
-
 	/*
 	 * Use the public key as the "private" key - the secret key
 	 * parameters are hidden in an extra process that will be
@@ -536,17 +537,17 @@ ssl_ctx_fake_private_key(SSL_CTX *ctx, const void *data, size_t datalen,
 	 * least the public key parameters in the current process.
 	 */
 	ret = SSL_CTX_use_PrivateKey(ctx, pkey);
-	if (!ret) {
+	if (!ret)
 		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_SSL_LIB);
-		ssl_error("ssl_ctx_fake_private_key");
-	}
 
- done:
-	if (rsa != NULL)
-		RSA_free(rsa);
-	if (pkey != NULL)
+	if (pkeyptr != NULL)
+		*pkeyptr = pkey;
+	else if (pkey != NULL)
 		EVP_PKEY_free(pkey);
-	if (x509 != NULL)
+
+	if (x509ptr != NULL)
+		*x509ptr = x509;
+	else if (x509 != NULL)
 		X509_free(x509);
 
 	return (ret);
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index 923746eefd6..414e120e083 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl.h,v 1.8 2014/05/20 14:21:46 reyk Exp $	*/
+/*	$OpenBSD: ssl.h,v 1.9 2014/05/20 17:33:36 reyk Exp $	*/
 /*
  * Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
  *
@@ -61,11 +61,10 @@ int		ssl_load_certificate(struct pki *, const char *);
 int		ssl_load_keyfile(struct pki *, const char *, const char *);
 int		ssl_load_cafile(struct pki *, const char *);
 int		ssl_load_dhparams(struct pki *, const char *);
-
-int		ssl_ctx_load_pkey(SSL_CTX *, char *, off_t,
+int		ssl_load_pkey(const void *, size_t, char *, off_t,
 		    X509 **, EVP_PKEY **);
 int		ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,
-		    char *, off_t);
+		    char *, off_t, X509 **, EVP_PKEY **);
 
 /* ssl_privsep.c */
 int		ssl_ctx_use_certificate_chain(SSL_CTX *, char *, off_t);