Explicitly pass in an SSL_CTX * to the functions that operate on one,

instead of assuming that they should use the one associated with the TLS
context. This allows these functions to be used with the additional
SSL contexts that are needed to support server-side SNI.

Also rename tls_configure_keypair() to tls_configure_ssl_keypair(), so that
these functions have a common prefix.

ok reyk@

1 files changed, 6 insertions, 5 deletions

diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 3847f4c46c..c360ecad52 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.33 2016/04/28 17:05:59 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.34 2016/08/15 14:04:23 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -193,9 +193,10 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
                 goto err;
         }
 
-        if (tls_configure_ssl(ctx) != 0)
+        if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0)
                 goto err;
-        if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0)
+        if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx,
+            ctx->config->keypair, 0) != 0)
                 goto err;
 
         if (ctx->config->verify_name) {
@@ -204,9 +205,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
                         goto err;
                 }
         }
-
         if (ctx->config->verify_cert &&
-            (tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1))
+            (tls_configure_ssl_verify(ctx, ctx->ssl_ctx,
+             SSL_VERIFY_PEER) == -1))
                 goto err;
 
         if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {