From 34002f5dd1e291f68a4219590c2f593048a43634 Mon Sep 17 00:00:00 2001
From: jsing
Date: Thu, 8 Feb 2018 10:19:31 +0000
Subject: [PATCH] Have tls_keypair_pubkey_hash() call tls_keypair_load_cert() instead of rolling its own certificate loading. This also means we get better error reporting on failure.
---
 lib/libtls/tls.c | 5 +++--
 lib/libtls/tls_internal.h | 5 +++--
 lib/libtls/tls_keypair.c | 15 +++++----------
 3 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index fdf4a981a86..0e206e2c7ef 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.73 2018/02/08 08:09:10 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.74 2018/02/08 10:19:31 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -313,7 +313,8 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 tls_set_errorx(ctx, "failed to load certificate");
 goto err;
 }
- if (tls_keypair_pubkey_hash(keypair, &keypair->pubkey_hash) == -1)
+ if (tls_keypair_pubkey_hash(keypair, &ctx->error,
+ &keypair->pubkey_hash) == -1)
 goto err;
 }
 
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 8a164d2e3a5..eb08d470740 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.67 2018/02/08 08:09:10 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.68 2018/02/08 10:19:31 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas
  * Copyright (c) 2014 Joel Sing
@@ -214,7 +214,8 @@ void tls_keypair_clear(struct tls_keypair *_keypair);
 void tls_keypair_free(struct tls_keypair *_keypair);
 int tls_keypair_load_cert(struct tls_keypair *_keypair,
 struct tls_error *_error, X509 **_cert);
-int tls_keypair_pubkey_hash(struct tls_keypair *_keypair, char **_hash);
+int tls_keypair_pubkey_hash(struct tls_keypair *_keypair,
+ struct tls_error *_error, char **_hash);
 
 struct tls_sni_ctx *tls_sni_ctx_new(void);
 void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
diff --git a/lib/libtls/tls_keypair.c b/lib/libtls/tls_keypair.c
index 57068047de3..626a95853f5 100644
--- a/lib/libtls/tls_keypair.c
+++ b/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_keypair.c,v 1.3 2018/02/08 10:03:19 jsing Exp $ */
+/* $OpenBSD: tls_keypair.c,v 1.4 2018/02/08 10:19:31 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -145,9 +145,9 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
 }
 
 int
-tls_keypair_pubkey_hash(struct tls_keypair *keypair, char **hash)
+tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error,
+ char **hash)
 {
- BIO *membio = NULL;
 X509 *cert = NULL;
 char d[EVP_MAX_MD_SIZE], *dhex = NULL;
 int dlen, rv = -1;
@@ -155,11 +155,7 @@ tls_keypair_pubkey_hash(struct tls_keypair *keypair, char **hash)
 free(*hash);
 *hash = NULL;
 
- if ((membio = BIO_new_mem_buf(keypair->cert_mem,
- keypair->cert_len)) == NULL)
- goto err;
- if ((cert = PEM_read_bio_X509_AUX(membio, NULL, tls_password_cb,
- NULL)) == NULL)
+ if (tls_keypair_load_cert(keypair, error, &cert) == -1)
 goto err;
 
 if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
@@ -176,9 +172,8 @@ tls_keypair_pubkey_hash(struct tls_keypair *keypair, char **hash)
 rv = 0;
 
 err:
- free(dhex);
 X509_free(cert);
- BIO_free(membio);
+ free(dhex);
 
 return (rv);
 }
-- 
2.20.1
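Review bot: The widened signature of tls_keypair_pubkey_hash() in the `@@ -145,9 +145,9 @@` hunk carries no header comment saying what `error` receives, so a reader of the tls.c call site cannot tell whether every -1 return comes with a populated error. A two-line comment above the `int` line, e.g. `/* Compute the SHA-256 digest of the keypair certificate's public key into *hash; returns -1 on failure, with error set when the certificate cannot be loaded. */`, would record the contract the caller now relies on. The SHA-256 claim follows from the EVP_sha256() call in the next hunk; the function body continues beyond this hunk.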
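Review bot: In the `@@ -155,11 +155,7 @@` hunk only the certificate-load failure now populates `error`; the `X509_pubkey_digest()` check on the hunk's last line still jumps to `err` (the `goto` itself is just outside the hunk) without recording anything, so tls_configure_ssl_keypair() gets a message for one failure and a stale or empty error for the other. Since `error` is already in hand, the digest branch could set it too, e.g. `tls_error_setx(error, "failed to compute public key digest");` before the `goto err`, assuming tls_error_setx() is the helper tls_keypair_load_cert() uses; the hex-encoding step that follows outside the hunk likely deserves the same treatment. The function body continues past the end of this hunk.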