authorclaudio <claudio@openbsd.org>2017-08-09 21:31:16 +0000
committerclaudio <claudio@openbsd.org>2017-08-09 21:31:16 +0000
commit232769814d3bca35d2d53fe91bbf5b072d207133 (patch)
treec22ff946519232f7ef686173a8bc32ec5a6603d7
parentCall tls_config_skip_private_key_check() to disable the key checking in (diff)
Use X509_pubkey_digest() like libtls to hash the keys for the TLS privsep
code. This fixes interception mode (since there we rewrite the CERT which would alter the hash of the cert but the keys still remain the same). OK bluhm@ and jsing@
-rw-r--r--usr.sbin/relayd/ca.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/usr.sbin/relayd/ca.c b/usr.sbin/relayd/ca.c
index c4eb9162d17..b5835d503b2 100644
--- a/usr.sbin/relayd/ca.c
+++ b/usr.sbin/relayd/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.27 2017/07/28 13:58:52 bluhm Exp $ */
+/* $OpenBSD: ca.c,v 1.28 2017/08/09 21:31:16 claudio Exp $ */
/*
* Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org>
@@ -90,8 +90,8 @@ hash_x509(X509 *cert, char *hash, size_t hashlen)
char digest[EVP_MAX_MD_SIZE];
int dlen, i;
- if (X509_digest(cert, EVP_sha256(), digest, &dlen) != 1)
- fatalx("%s: X509_digest failed", __func__);
+ if (X509_pubkey_digest(cert, EVP_sha256(), digest, &dlen) != 1)
+ fatalx("%s: X509_pubkey_digest failed", __func__);
if (hashlen < 2 * dlen + sizeof("SHA256:"))
fatalx("%s: hash buffer to small", __func__);
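Review bot: After this change hash_x509() returns a digest of the certificate's public key, not of the certificate, yet neither the function name nor any comment in the hunk says so. A comment above the call such as `/* hash the public key, not the cert: the key lookup must survive cert rewriting in interception mode */` would stop a later reader from treating the value as a certificate fingerprint or using it to tell apart two certificates that share a key. Separately, `digest` is a `char` array and `dlen` an `int`, while X509_pubkey_digest() takes `unsigned char *` and `unsigned int *`. Declaring them `unsigned char digest[EVP_MAX_MD_SIZE];` and `unsigned int dlen;` would remove the pointer-sign mismatch and keep `hashlen < 2 * dlen + sizeof("SHA256:")` unsigned throughout. The function body starts and ends outside the hunk, so the code that formats `digest` into `hash` (and any comparison of `i` with `dlen`) would need checking against that type change.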