4 files changed, 14 insertions, 11 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index b75fae7f2b..f64f6d7632 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.66 2017/06/22 17:58:54 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.67 2017/06/22 18:03:57 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -289,11 +289,11 @@ tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash)
 
         *hash = NULL;
 
-        if ((membio = BIO_new_mem_buf(keypair->cert_mem, keypair->cert_len))
-            == NULL)
+        if ((membio = BIO_new_mem_buf(keypair->cert_mem,
+            keypair->cert_len)) == NULL)
                 goto err;
-
-        if ((cert = PEM_read_bio_X509_AUX(membio, NULL, NULL, NULL)) == NULL)
+        if ((cert = PEM_read_bio_X509_AUX(membio, NULL, tls_password_cb,
+            NULL)) == NULL)
                 goto err;
 
         rv = tls_cert_hash(cert, hash);
@@ -344,7 +344,7 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
                         tls_set_errorx(ctx, "failed to create buffer");
                         goto err;
                 }
-                if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL,
+                if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
                     NULL)) == NULL) {
                         tls_set_errorx(ctx, "failed to read private key");
                         goto err;
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 2b451697dc..c0c55216df 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.60 2017/05/07 03:27:06 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.61 2017/06/22 18:03:57 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -246,6 +246,8 @@ int tls_hex_string(const unsigned char *_in, size_t _inlen, char **_out,
     size_t *_outlen);
 int tls_cert_hash(X509 *_cert, char **_hash);
 
+int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u);
+
 __END_HIDDEN_DECLS
 
 /* XXX this function is not fully hidden so relayd can use it */
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index ea8f0ce728..fd5a617582 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.38 2017/06/22 17:34:25 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.39 2017/06/22 18:03:57 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -215,7 +215,8 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
                 tls_error_set(error, "failed to create certificate bio");
                 goto err;
         }
-        if ((*cert = PEM_read_bio_X509(cert_bio, NULL, NULL, NULL)) == NULL) {
+        if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
+            NULL)) == NULL) {
                 if ((ssl_err = ERR_peek_error()) != 0)
                     errstr = ERR_error_string(ssl_err, NULL);
                 tls_error_set(error, "failed to load certificate: %s", errstr);
diff --git a/src/lib/libtls/tls_util.c b/src/lib/libtls/tls_util.c
index b7dd5ed472..aaa3eef49f 100644
--- a/src/lib/libtls/tls_util.c
+++ b/src/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_util.c,v 1.8 2017/05/06 21:34:13 jsing Exp $ */
+/* $OpenBSD: tls_util.c,v 1.9 2017/06/22 18:03:57 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -86,7 +86,7 @@ tls_host_port(const char *hostport, char **host, char **port)
         return (rv);
 }
 
-static int
+int
 tls_password_cb(char *buf, int size, int rwflag, void *u)
 {
         size_t len;