OpenSSL: Try SHA256 hash for OCSP certificate matching
Previously, only SHA1 hash -based server certificate matching was used, but the OCSP response may use SHA256 instead of SHA1, so check the match with both hash functions, if needed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
		
							parent
							
								
									d264c2e390
								
							
						
					
					
						commit
						85cff4b0d8
					
				
					 1 changed files with 22 additions and 5 deletions
				
			
		|  | @ -3764,7 +3764,7 @@ static int ocsp_resp_cb(SSL *s, void *arg) | ||||||
| { | { | ||||||
| 	struct tls_connection *conn = arg; | 	struct tls_connection *conn = arg; | ||||||
| 	const unsigned char *p; | 	const unsigned char *p; | ||||||
| 	int len, status, reason; | 	int len, status, reason, res; | ||||||
| 	OCSP_RESPONSE *rsp; | 	OCSP_RESPONSE *rsp; | ||||||
| 	OCSP_BASICRESP *basic; | 	OCSP_BASICRESP *basic; | ||||||
| 	OCSP_CERTID *id; | 	OCSP_CERTID *id; | ||||||
|  | @ -3859,16 +3859,33 @@ static int ocsp_resp_cb(SSL *s, void *arg) | ||||||
| 		return 0; | 		return 0; | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer); | 	id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer); | ||||||
| 	if (!id) { | 	if (!id) { | ||||||
| 		wpa_printf(MSG_DEBUG, "OpenSSL: Could not create OCSP certificate identifier"); | 		wpa_printf(MSG_DEBUG, | ||||||
|  | 			   "OpenSSL: Could not create OCSP certificate identifier (SHA256)"); | ||||||
| 		OCSP_BASICRESP_free(basic); | 		OCSP_BASICRESP_free(basic); | ||||||
| 		OCSP_RESPONSE_free(rsp); | 		OCSP_RESPONSE_free(rsp); | ||||||
| 		return 0; | 		return 0; | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	if (!OCSP_resp_find_status(basic, id, &status, &reason, &produced_at, | 	res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at, | ||||||
| 				   &this_update, &next_update)) { | 				    &this_update, &next_update); | ||||||
|  | 	if (!res) { | ||||||
|  | 		id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer); | ||||||
|  | 		if (!id) { | ||||||
|  | 			wpa_printf(MSG_DEBUG, | ||||||
|  | 				   "OpenSSL: Could not create OCSP certificate identifier (SHA1)"); | ||||||
|  | 			OCSP_BASICRESP_free(basic); | ||||||
|  | 			OCSP_RESPONSE_free(rsp); | ||||||
|  | 			return 0; | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
|  | 		res = OCSP_resp_find_status(basic, id, &status, &reason, | ||||||
|  | 					    &produced_at, &this_update, | ||||||
|  | 					    &next_update); | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	if (!res) { | ||||||
| 		wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s", | 		wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s", | ||||||
| 			   (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" : | 			   (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" : | ||||||
| 			   " (OCSP not required)"); | 			   " (OCSP not required)"); | ||||||
|  |  | ||||||
		Loading…
	
		Reference in a new issue
	
	 Jouni Malinen
						Jouni Malinen