Don't use tls_cert_hash for the hashing used by the engine offloading magic

for the TLS privsep code. Instead use X509_pubkey_digest() because only the
key should be used as identifier. Relayd is rewriting certificates and then
the hash would change. Rename the hash is struct tls_keypair to pubkey_hash
to make clear what this hash is about.
With input and OK jsing@

3 files changed, 24 insertions, 11 deletions

diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index ed857272c46..6df72e24e67 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.68 2017/07/06 17:12:22 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.69 2017/08/09 21:27:24 claudio Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -283,11 +283,12 @@ tls_cert_hash(X509 *cert, char **hash)
 }
 
 static int
-tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash)
+tls_keypair_pubkey_hash(struct tls_keypair *keypair, char **hash)
 {
 	BIO *membio = NULL;
 	X509 *cert = NULL;
-	int rv = -1;
+	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
+	int dlen, rv = -1;
 
 	*hash = NULL;
 
@@ -298,9 +299,21 @@ tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash)
 	    NULL)) == NULL)
 		goto err;
 
-	rv = tls_cert_hash(cert, hash);
+	if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
+		goto err;
+
+	if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
+		goto err;
+
+	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
+		*hash = NULL;
+		goto err;
+	}
+
+	rv = 0;
 
  err:
+	free(dhex);
 	X509_free(cert);
 	BIO_free(membio);
 
@@ -331,7 +344,7 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 			tls_set_errorx(ctx, "failed to load certificate");
 			goto err;
 		}
-		if (tls_keypair_cert_hash(keypair, &keypair->cert_hash) == -1)
+		if (tls_keypair_pubkey_hash(keypair, &keypair->pubkey_hash) == -1)
 			goto err;
 	}
 
@@ -352,11 +365,11 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 			goto err;
 		}
 
-		if (keypair->cert_hash != NULL) {
+		if (keypair->pubkey_hash != NULL) {
 			RSA *rsa;
 			/* XXX only RSA for now for relayd privsep */
 			if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) {
-				RSA_set_ex_data(rsa, 0, keypair->cert_hash);
+				RSA_set_ex_data(rsa, 0, keypair->pubkey_hash);
 				RSA_free(rsa);
 			}
 		}
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index fe049d1e4e5..40374ea2203 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.41 2017/07/06 17:12:22 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.42 2017/08/09 21:27:24 claudio Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -141,7 +141,7 @@ tls_keypair_free(struct tls_keypair *keypair)
 	free(keypair->cert_mem);
 	free(keypair->key_mem);
 	free(keypair->ocsp_staple);
-	free(keypair->cert_hash);
+	free(keypair->pubkey_hash);
 
 	free(keypair);
 }
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index bed9d6e7f4e..6079babccf8 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.62 2017/07/06 17:12:22 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.63 2017/08/09 21:27:24 claudio Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -53,7 +53,7 @@ struct tls_keypair {
 	size_t key_len;
 	char *ocsp_staple;
 	size_t ocsp_staple_len;
-	char *cert_hash;
+	char *pubkey_hash;
 };
 
 #define TLS_MIN_SESSION_TIMEOUT (4)