moved write to pxy_srccert_create, -X to -w, opts_free use

main.c

@@ -112,7 +112,7 @@ main_usage(void)
 "  -k pemfile  use CA key (and cert) from pemfile to sign forged certs\n"
 "  -C pemfile  use CA chain from pemfile (intermediate and root CA certs)\n"
 "  -K pemfile  use key from pemfile for leaf certs (default: generate)\n"
-"  -X gendir   write generated key/cert pairs to gendir\n"
+"  -w gendir   write generated key/cert pairs to gendir\n"
 "  -t certdir  use cert+chain+key PEM files from certdir to target all sites\n"
 "              matching the common names (non-matching: generate if CA)\n"
 "  -O          deny all OCSP requests on all proxyspecs\n"
@@ -276,7 +276,7 @@ main(int argc, char *argv[])
 	}
 
 	while ((ch = getopt(argc, argv, OPT_g OPT_G OPT_Z OPT_i
-	                    "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVhX:")) != -1) {
+	                    "k:c:C:K:t:OPs:r:R:e:Eu:m:j:p:l:L:S:F:dDVhw:")) != -1) {
 		switch (ch) {
 			case 'c':
 				if (opts->cacrt)
@@ -520,7 +520,7 @@ main(int argc, char *argv[])
 				opts->contentlog_isdir = 0;
 				opts->contentlog_isspec = 1;
 				break;
-			case 'X':
+			case 'w':
 				if (opts->certgendir)
 					free(opts->certgendir);
 				opts->certgendir = strdup(optarg);
@@ -563,7 +563,7 @@ main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 	if (opts->certgendir && opts->key) {
-		fprintf(stderr, "%s: -K and -X are mutually exclusive.\n",
+		fprintf(stderr, "%s: -K and -w are mutually exclusive.\n",
 		                argv0);
 		exit(EXIT_FAILURE);
 	}

opts.c

@@ -105,6 +105,9 @@ opts_free(opts_t *opts)
 	if (opts->contentlog) {
 		free(opts->contentlog);
 	}
+	if (opts->certgendir) {
+		free(opts->certgendir);
+	}
 	memset(opts, 0, sizeof(opts_t));
 	free(opts);
 }

pxyconn.c

@@ -702,39 +702,6 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,
 		SSL_CTX_add_extra_chain_cert(sslctx, c);
 	}
 
-	if (ctx->opts->certgendir) {
-		unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ];
-		ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr);
-		ssl_x509_fingerprint_sha1(crt, newfpr);
-		char *origfprstr, *newfprstr;
-		asprintf(&origfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
-			 "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
-			 origfpr[0],  origfpr[1],  origfpr[2],  origfpr[3],  origfpr[4],
-			 origfpr[5],  origfpr[6],  origfpr[7],  origfpr[8],  origfpr[9],
-			 origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14],
-			 origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]);
-		asprintf(&newfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
-			 "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
-			 newfpr[0],  newfpr[1],  newfpr[2],  newfpr[3],  newfpr[4],
-			 newfpr[5],  newfpr[6],  newfpr[7],  newfpr[8],  newfpr[9],
-			 newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14],
-			 newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]);
-		char *keyfn, *crtfn;
-		asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir, origfprstr, newfprstr);
-		asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, origfprstr, newfprstr);
-		FILE *keyfd, *crtfd;
-		keyfd = fopen(keyfn, "w");
-		crtfd = fopen(crtfn, "w");
-		if (keyfd) {
-			PEM_write_PrivateKey(keyfd, key, NULL, 0, 0, NULL, NULL);
-			fclose(keyfd);
-		}
-		if (crtfd) {
-			PEM_write_X509(crtfd, crt);
-			fclose(crtfd);
-		}
-	}
-
 #ifdef DEBUG_SESSION_CACHE
 	if (OPTS_DEBUG(ctx->opts)) {
 		int mode = SSL_CTX_get_session_cache_mode(sslctx);
@@ -831,6 +798,39 @@ pxy_srccert_create(pxy_conn_ctx_t *ctx)
 		cert_set_chain(cert, ctx->opts->chain);
 	}
 
+	if (ctx->opts->certgendir) {
+		unsigned char origfpr[SSL_X509_FPRSZ], newfpr[SSL_X509_FPRSZ];
+		ssl_x509_fingerprint_sha1(ctx->origcrt, origfpr);
+		ssl_x509_fingerprint_sha1(cert->crt, newfpr);
+		char *origfprstr, *newfprstr;
+		asprintf(&origfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
+			 "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+			 origfpr[0],  origfpr[1],  origfpr[2],  origfpr[3],  origfpr[4],
+			 origfpr[5],  origfpr[6],  origfpr[7],  origfpr[8],  origfpr[9],
+			 origfpr[10], origfpr[11], origfpr[12], origfpr[13], origfpr[14],
+			 origfpr[15], origfpr[16], origfpr[17], origfpr[18], origfpr[19]);
+		asprintf(&newfprstr,"%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x"
+			 "%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
+			 newfpr[0],  newfpr[1],  newfpr[2],  newfpr[3],  newfpr[4],
+			 newfpr[5],  newfpr[6],  newfpr[7],  newfpr[8],  newfpr[9],
+			 newfpr[10], newfpr[11], newfpr[12], newfpr[13], newfpr[14],
+			 newfpr[15], newfpr[16], newfpr[17], newfpr[18], newfpr[19]);
+		char *keyfn, *crtfn;
+		asprintf(&keyfn, "%s/%s-%s.key", ctx->opts->certgendir, origfprstr, newfprstr);
+		asprintf(&crtfn, "%s/%s-%s.crt", ctx->opts->certgendir, origfprstr, newfprstr);
+		FILE *keyfd, *crtfd;
+		keyfd = fopen(keyfn, "w");
+		crtfd = fopen(crtfn, "w");
+		if (keyfd) {
+			PEM_write_PrivateKey(keyfd, cert->key, NULL, 0, 0, NULL, NULL);
+			fclose(keyfd);
+		}
+		if (crtfd) {
+			PEM_write_X509(crtfd, cert->crt);
+			fclose(crtfd);
+		}
+	}
+
 	return cert;
 }
 

sslsplit.1

@@ -30,15 +30,15 @@ sslsplit \-\- transparent and scalable SSL/TLS interception
 .SH SYNOPSIS
 .na
 .B sslsplit
-[\fB-kCKXOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP
+[\fB-kCKwOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP
 \fIproxyspecs\fP [...]
 .br
 .B sslsplit
-[\fB-kCKXOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP
+[\fB-kCKwOPZdDgGsrReumjplLSFi\fP] \fB-c\fP \fIpem\fP \fB-t\fP \fIdir\fP
 \fIproxyspecs\fP [...]
 .br
 .B sslsplit
-[\fB-OPZXdDgGsrReumjplLSFi\fP] \fB-t\fP \fIdir\fP
+[\fB-OPZwdDgGsrReumjplLSFi\fP] \fB-t\fP \fIdir\fP
 \fIproxyspecs\fP [...]
 .br
 .B sslsplit -E
@@ -185,7 +185,7 @@ no matching certificate in the provided certificate directory.
 Use private key from \fIpemfile\fP for certificates forged on-the-fly.
 If \fB-K\fP is not given, SSLsplit will generate a random 1024-bit RSA key.
 .TP
-.B \-X \fIgendir\fP
+.B \-w \fIgendir\fP
 Write generated keys and certificates to individual files in \fIgendir\fP.
 .TP
 .B \-l \fIlogfile\fP