OpenSSL: Try SHA256 hash for OCSP certificate matching

Previously, only SHA1 hash -based server certificate matching was used,
but the OCSP response may use SHA256 instead of SHA1, so check the match
with both hash functions, if needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
Jouni Malinen 2017-05-09 23:31:20 +03:00 committed by Jouni Malinen
parent d264c2e390
commit 85cff4b0d8

View file

@ -3764,7 +3764,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
{
struct tls_connection *conn = arg;
const unsigned char *p;
int len, status, reason;
int len, status, reason, res;
OCSP_RESPONSE *rsp;
OCSP_BASICRESP *basic;
OCSP_CERTID *id;
@ -3859,16 +3859,33 @@ static int ocsp_resp_cb(SSL *s, void *arg)
return 0;
}
id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer);
if (!id) {
wpa_printf(MSG_DEBUG, "OpenSSL: Could not create OCSP certificate identifier");
wpa_printf(MSG_DEBUG,
"OpenSSL: Could not create OCSP certificate identifier (SHA256)");
OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(rsp);
return 0;
}
if (!OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
&this_update, &next_update)) {
res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
&this_update, &next_update);
if (!res) {
id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
if (!id) {
wpa_printf(MSG_DEBUG,
"OpenSSL: Could not create OCSP certificate identifier (SHA1)");
OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(rsp);
return 0;
}
res = OCSP_resp_find_status(basic, id, &status, &reason,
&produced_at, &this_update,
&next_update);
}
if (!res) {
wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
(conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" :
" (OCSP not required)");