1 files changed, 62 insertions, 22 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 3d6723bbd9..02ddf447fb 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.85 2020/05/24 15:12:54 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.86 2021/01/21 19:09:10 eric Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -326,12 +326,69 @@ tls_cert_pubkey_hash(X509 *cert, char **hash)
        return (rv);
 }
+static int
+tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pkey)
+{
+        BIO *bio = NULL;
+        X509 *x509 = NULL;
+        char *mem;
+        size_t len;
+        int ret = -1;
+        *pkey = NULL;
+        if (ctx->config->use_fake_private_key) {
+                mem = keypair->cert_mem;
+                len = keypair->cert_len;
+        } else {
+                mem = keypair->key_mem;
+                len = keypair->key_len;
+        }
+        if (mem == NULL)
+                return (0);
+        if (len > INT_MAX) {
+                tls_set_errorx(ctx, ctx->config->use_fake_private_key ?
+                    "cert too long" : "key too long");
+                goto err;
+        }
+        if ((bio = BIO_new_mem_buf(mem, len)) == NULL) {
+                tls_set_errorx(ctx, "failed to create buffer");
+                goto err;
+        }
+        if (ctx->config->use_fake_private_key) {
+                if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
+                    NULL)) == NULL) {
+                        tls_set_errorx(ctx, "failed to read X509 certificate");
+                        goto err;
+                }
+                if ((*pkey = X509_get_pubkey(x509)) == NULL) {
+                        tls_set_errorx(ctx, "failed to retrieve pubkey");
+                        goto err;
+                }
+        } else {
+                if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
+                    NULL)) ==  NULL) {
+                        tls_set_errorx(ctx, "failed to read private key");
+                        goto err;
+                }
+        }
+        ret = 0;
+ err:
+        BIO_free(bio);
+        X509_free(x509);
+        return (ret);
+}
 int
 tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
    struct tls_keypair *keypair, int required)
 {
        EVP_PKEY *pkey = NULL;
-        BIO *bio = NULL;
        if (!required &&
            keypair->cert_mem == NULL &&
@@ -351,23 +408,9 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
                }
        }
-        if (keypair->key_mem != NULL) {
+        if (tls_keypair_to_pkey(ctx, keypair, &pkey) == -1)
-                if (keypair->key_len > INT_MAX) {
+                goto err;
-                        tls_set_errorx(ctx, "key too long");
+        if (pkey != NULL) {
-                        goto err;
-                }
-                if ((bio = BIO_new_mem_buf(keypair->key_mem,
-                    keypair->key_len)) == NULL) {
-                        tls_set_errorx(ctx, "failed to create buffer");
-                        goto err;
-                }
-                if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
-                    NULL)) == NULL) {
-                        tls_set_errorx(ctx, "failed to read private key");
-                        goto err;
-                }
                if (keypair->pubkey_hash != NULL) {
                        RSA *rsa;
                        /* XXX only RSA for now for relayd privsep */
@@ -381,8 +424,6 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
                        tls_set_errorx(ctx, "failed to load private key");
                        goto err;
                }
-                BIO_free(bio);
-                bio = NULL;
                EVP_PKEY_free(pkey);
                pkey = NULL;
        }
@@ -397,7 +438,6 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 err:
        EVP_PKEY_free(pkey);
-        BIO_free(bio);
        return (1);
 }

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 3d6723bbd9..02ddf447fb 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.c,v 1.85 2020/05/24 15:12:54 jsing Exp $ */	1	/* $OpenBSD: tls.c,v 1.86 2021/01/21 19:09:10 eric Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -326,12 +326,69 @@ tls_cert_pubkey_hash(X509 cert, char *hash)
326	return (rv);	326	return (rv);
327	}	327	}
328		328
		329	static int
		330	tls_keypair_to_pkey(struct tls ctx, struct tls_keypair keypair, EVP_PKEY **pkey)
		331	{
		332	BIO *bio = NULL;
		333	X509 *x509 = NULL;
		334	char *mem;
		335	size_t len;
		336	int ret = -1;
		337
		338	*pkey = NULL;
		339
		340	if (ctx->config->use_fake_private_key) {
		341	mem = keypair->cert_mem;
		342	len = keypair->cert_len;
		343	} else {
		344	mem = keypair->key_mem;
		345	len = keypair->key_len;
		346	}
		347
		348	if (mem == NULL)
		349	return (0);
		350
		351	if (len > INT_MAX) {
		352	tls_set_errorx(ctx, ctx->config->use_fake_private_key ?
		353	"cert too long" : "key too long");
		354	goto err;
		355	}
		356
		357	if ((bio = BIO_new_mem_buf(mem, len)) == NULL) {
		358	tls_set_errorx(ctx, "failed to create buffer");
		359	goto err;
		360	}
		361
		362	if (ctx->config->use_fake_private_key) {
		363	if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
		364	NULL)) == NULL) {
		365	tls_set_errorx(ctx, "failed to read X509 certificate");
		366	goto err;
		367	}
		368	if ((*pkey = X509_get_pubkey(x509)) == NULL) {
		369	tls_set_errorx(ctx, "failed to retrieve pubkey");
		370	goto err;
		371	}
		372	} else {
		373	if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
		374	NULL)) == NULL) {
		375	tls_set_errorx(ctx, "failed to read private key");
		376	goto err;
		377	}
		378	}
		379
		380	ret = 0;
		381	err:
		382	BIO_free(bio);
		383	X509_free(x509);
		384	return (ret);
		385	}
		386
329	int	387	int
330	tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,	388	tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
331	struct tls_keypair *keypair, int required)	389	struct tls_keypair *keypair, int required)
332	{	390	{
333	EVP_PKEY *pkey = NULL;	391	EVP_PKEY *pkey = NULL;
334	BIO *bio = NULL;
335		392
336	if (!required &&	393	if (!required &&
337	keypair->cert_mem == NULL &&	394	keypair->cert_mem == NULL &&
@@ -351,23 +408,9 @@ tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
351	}	408	}
352	}	409	}
353		410
354	if (keypair->key_mem != NULL) {	411	if (tls_keypair_to_pkey(ctx, keypair, &pkey) == -1)
355	if (keypair->key_len > INT_MAX) {	412	goto err;
356	tls_set_errorx(ctx, "key too long");	413	if (pkey != NULL) {
357	goto err;
358	}
359
360	if ((bio = BIO_new_mem_buf(keypair->key_mem,
361	keypair->key_len)) == NULL) {
362	tls_set_errorx(ctx, "failed to create buffer");
363	goto err;
364	}
365	if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
366	NULL)) == NULL) {
367	tls_set_errorx(ctx, "failed to read private key");
368	goto err;
369	}
370
371	if (keypair->pubkey_hash != NULL) {	414	if (keypair->pubkey_hash != NULL) {
372	RSA *rsa;	415	RSA *rsa;
373	/* XXX only RSA for now for relayd privsep */	416	/* XXX only RSA for now for relayd privsep */
@@ -381,8 +424,6 @@ tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
381	tls_set_errorx(ctx, "failed to load private key");	424	tls_set_errorx(ctx, "failed to load private key");
382	goto err;	425	goto err;
383	}	426	}
384	BIO_free(bio);
385	bio = NULL;
386	EVP_PKEY_free(pkey);	427	EVP_PKEY_free(pkey);
387	pkey = NULL;	428	pkey = NULL;
388	}	429	}
@@ -397,7 +438,6 @@ tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
397		438
398	err:	439	err:
399	EVP_PKEY_free(pkey);	440	EVP_PKEY_free(pkey);
400	BIO_free(bio);
401		441
402	return (1);	442	return (1);
403	}	443	}