From c52bd7581e2ed30f0884123263212997c2059eb8 Mon Sep 17 00:00:00 2001
From: reyk
Date: Tue, 29 Apr 2014 21:04:17 +0000
Subject: [PATCH] For RSA private key privsep, only ever load the keys after forking the separated process. This improves the previous because we don't trust the PEM and BIO routines to cleanup the keys correctly.

ok gilles@
---
 usr.sbin/smtpd/smtpd.c | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/smtpd/smtpd.c b/usr.sbin/smtpd/smtpd.c
index 8abf47dda7e..482f9440740 100644
--- a/usr.sbin/smtpd/smtpd.c
+++ b/usr.sbin/smtpd/smtpd.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: smtpd.c,v 1.223 2014/04/29 19:13:13 reyk Exp $	*/
+/*	$OpenBSD: smtpd.c,v 1.224 2014/04/29 21:04:17 reyk Exp $	*/
 
 /*
  * Copyright (c) 2008 Gilles Chehade
@@ -76,6 +76,7 @@ static void purge_task(void);
 static void log_imsg(int, int, struct imsg *);
 static int parent_auth_user(const char *, const char *);
 static void load_pki_tree(void);
+static void load_pki_keys(void);
 
 enum child_type {
 	CHILD_DAEMON,
@@ -579,6 +580,7 @@ main(int argc, char *argv[])
 
 	if (env->sc_opts & SMTPD_OPT_NOACTION) {
 		load_pki_tree();
+		load_pki_keys();
 		fprintf(stderr, "configuration OK\n");
 		exit(0);
 	}
@@ -691,8 +693,6 @@ load_pki_tree(void)
 		if (! ssl_load_certificate(pki, pki->pki_cert_file))
 			fatalx("load_pki_tree: failed to load certificate file");
 
-		if (! ssl_load_keyfile(pki, pki->pki_key_file, k))
-			fatalx("load_pki_tree: failed to load key file");
 
 		if (pki->pki_ca_file)
 			if (! ssl_load_cafile(pki, pki->pki_ca_file))
@@ -703,6 +703,23 @@ load_pki_tree(void)
 	}
 }
 
+void
+load_pki_keys(void)
+{
+	struct pki	*pki;
+	const char	*k;
+	void		*iter_dict;
+
+	log_debug("debug: init ssl-tree");
+	iter_dict = NULL;
+	while (dict_iter(env->sc_pki_dict, &iter_dict, &k, (void **)&pki)) {
+		log_debug("info: loading pki keys for %s", k);
+
+		if (! ssl_load_keyfile(pki, pki->pki_key_file, k))
+			fatalx("load_pki_keys: failed to load key file");
+	}
+}
+
 static void
 fork_peers(void)
 {
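Review bot: The definition of load_pki_keys() in the last hunk omits `static`, while the prototype added near the top of the file declares it `static void load_pki_keys(void);` and the sibling it was split from is `static void load_pki_tree(void)`; the earlier static declaration gives the definition internal linkage anyway, but as written it reads like an exported entry point, so the definition should be `static void` to match. The debug line `log_debug("debug: init ssl-tree");` appears to be carried over from load_pki_tree() and no longer describes this function; `log_debug("debug: init pki keys");` would make per-process logs distinguishable. Since the commit's intent is that private key material is only ever read in the forked child (with the SMTPD_OPT_NOACTION path in main() being the exception because it exits immediately), a one-line comment above the definition stating that it must not be called from the long-lived parent would keep the next caller from undoing the privsep property.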
@@ -728,6 +745,10 @@ post_fork(int proc)
 		close(control_socket);
 		control_socket = -1;
 	}
+
+	if (proc == PROC_LKA) {
+		load_pki_keys();
+	}
 }
 
 struct child *
-- 
2.20.1
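Review bot: The `load_pki_keys()` call added for PROC_LKA relies on the child still being able to open the private key files at this point, and post_fork() starts before the hunk, so whether this runs before or after the lka child drops privileges or changes root is not visible here; confirm that ordering, because an unreadable key file becomes a `fatalx` in the child rather than a parent-side configuration error. A short comment above the block, e.g. `/* private keys are read only here, in the lka child, never in the parent */`, would record why the keys are not loaded together with the certificates in load_pki_tree().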