authorClaudio Jeker <claudio@cvs.openbsd.org>2017-08-09 21:31:17 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2017-08-09 21:31:17 +0000
commit72f4c179d26807e1be5a257e8485886eb75a7655 (patch)
treeac33e5d7c9c1245a5816cd3f34d58b79a9a0104e /usr.sbin
parent6a2019bc0ebdc2cf4142f2d39eb60a275da1bbd5 (diff)
Use X509_pubkey_digest() like libtls to hash the keys for the TLS privsep
code. This fixes interception mode (since there we rewrite the CERT which would alter the hash of the cert but the keys still remain the same). OK bluhm@ and jsing@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/relayd/ca.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/usr.sbin/relayd/ca.c b/usr.sbin/relayd/ca.c
index c4eb9162d17..b5835d503b2 100644
--- a/usr.sbin/relayd/ca.c
+++ b/usr.sbin/relayd/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.27 2017/07/28 13:58:52 bluhm Exp $ */
+/* $OpenBSD: ca.c,v 1.28 2017/08/09 21:31:16 claudio Exp $ */
/*
* Copyright (c) 2014 Reyk Floeter <reyk@openbsd.org>
@@ -90,8 +90,8 @@ hash_x509(X509 *cert, char *hash, size_t hashlen)
char digest[EVP_MAX_MD_SIZE];
int dlen, i;
- if (X509_digest(cert, EVP_sha256(), digest, &dlen) != 1)
- fatalx("%s: X509_digest failed", __func__);
+ if (X509_pubkey_digest(cert, EVP_sha256(), digest, &dlen) != 1)
+ fatalx("%s: X509_pubkey_digest failed", __func__);
if (hashlen < 2 * dlen + sizeof("SHA256:"))
fatalx("%s: hash buffer to small", __func__);
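Review bot: The new `X509_pubkey_digest(cert, EVP_sha256(), digest, &dlen)` call still passes a `char` buffer and an `int *`, while the function takes `unsigned char *md` and `unsigned int *len`; declaring `unsigned char digest[EVP_MAX_MD_SIZE];` and `unsigned int dlen;` would remove the pointer-sign mismatch and keep the `2 * dlen` term of the size check unsigned. Because hash_x509() now identifies the public key rather than the certificate, a comment above the call such as `/* hash the public key, not the cert: the privsep key lookup must survive cert rewriting */` would keep later callers from treating the result as a certificate fingerprint. The message `hash buffer to small` should read `too small`. The function body continues outside the hunk, so whether the hex-encoding code depends on the signedness of `digest` cannot be confirmed from here.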