From 5a039c14f79bc499e0322a443065e96033b9b8ca Mon Sep 17 00:00:00 2001
From: reyk <reyk@openbsd.org>
Date: Tue, 6 May 2014 11:03:02 +0000
Subject: [PATCH] Fix two memory leaks: EVP_PKEY_get1_RSA() returns a
 referenced key that requires to call RSA_free() to dereference it after use. 
 Also free a temporary key that was read by PEM_read_PrivateKey() and
 immediately written into a bio.

ok markus@
---
 usr.sbin/relayd/ssl.c |  7 ++++++-
 usr.sbin/smtpd/ssl.c  | 25 +++++++++++++++----------
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/usr.sbin/relayd/ssl.c b/usr.sbin/relayd/ssl.c
index ffe43d378da..9f09d6ba0b8 100644
--- a/usr.sbin/relayd/ssl.c
+++ b/usr.sbin/relayd/ssl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl.c,v 1.22 2014/04/22 08:04:23 reyk Exp $	*/
+/*	$OpenBSD: ssl.c,v 1.23 2014/05/06 11:03:02 reyk Exp $	*/
 
 /*
  * Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -346,6 +346,8 @@ ssl_load_key(struct relayd *env, const char *name, off_t *len, char *pass)
 	memcpy(buf, data, size);
 
 	BIO_free_all(bio);
+	EVP_PKEY_free(key);
+
 	*len = (off_t)size;
 	return (buf);
 
@@ -355,6 +357,8 @@ ssl_load_key(struct relayd *env, const char *name, off_t *len, char *pass)
 	free(buf);
 	if (bio != NULL)
 		BIO_free_all(bio);
+	if (key != NULL)
+		EVP_PKEY_free(key);
 	return (NULL);
 }
 
@@ -432,6 +436,7 @@ ssl_ctx_load_pkey(SSL_CTX *ctx, void *data, char *buf, off_t len,
 	}
 
 	RSA_set_ex_data(rsa, 0, data);
+	RSA_free(rsa); /* dereference, will be cleaned up with pkey */
 
 	*x509ptr = x509;
 	*pkeyptr = pkey;
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index 4387e790dcd..7b68ea43edf 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl.c,v 1.63 2014/04/29 19:13:14 reyk Exp $	*/
+/*	$OpenBSD: ssl.c,v 1.64 2014/05/06 11:03:03 reyk Exp $	*/
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -228,6 +228,8 @@ ssl_load_key(const char *name, off_t *len, char *pass, mode_t perm, const char *
 	memcpy(buf, data, size);
 
 	BIO_free_all(bio);
+	EVP_PKEY_free(key);
+
 	*len = (off_t)size + 1;
 	return (buf);
 
@@ -236,6 +238,8 @@ fail:
 	free(buf);
 	if (bio != NULL)
 		BIO_free_all(bio);
+	if (key != NULL)
+		EVP_PKEY_free(key);
 	if (fp)
 		fclose(fp);
 	return (NULL);
@@ -458,7 +462,7 @@ int
 ssl_ctx_load_pkey(SSL_CTX *ctx, void *data, char *buf, off_t len,
     X509 **x509ptr, EVP_PKEY **pkeyptr)
 {
-	int		 ret = 0;
+	int		 ret = 1;
 	BIO		*in;
 	X509		*x509 = NULL;
 	EVP_PKEY	*pkey = NULL;
@@ -480,19 +484,19 @@ ssl_ctx_load_pkey(SSL_CTX *ctx, void *data, char *buf, off_t len,
 		goto fail;
 	}
 
+	*x509ptr = x509;
+	*pkeyptr = pkey;
+
+	if (data == NULL)
+		goto done;
+
 	if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL) {
 		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_EVP_LIB);
 		goto fail;
 	}
 
-	if (data)
-		RSA_set_ex_data(rsa, 0, data);
-
-	*x509ptr = x509;
-	*pkeyptr = pkey;
-	ret = 1;
-
-	goto done;
+	RSA_set_ex_data(rsa, 0, data);
+	RSA_free(rsa); /* dereference, will be cleaned up with pkey */
 
  fail:
 	ssl_error("ssl_ctx_load_pkey");
@@ -501,6 +505,7 @@ ssl_ctx_load_pkey(SSL_CTX *ctx, void *data, char *buf, off_t len,
 		EVP_PKEY_free(pkey);
 	if (x509 != NULL)
 		X509_free(x509);
+	ret = 0;
 
  done:
 	if (in != NULL)
-- 
2.20.1