OpenSSL: Try SHA256 hash for OCSP certificate matching
Previously, only SHA1 hash -based server certificate matching was used, but the OCSP response may use SHA256 instead of SHA1, so check the match with both hash functions, if needed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
d264c2e390
commit
85cff4b0d8
1 changed files with 22 additions and 5 deletions
|
@ -3764,7 +3764,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
|
|||
{
|
||||
struct tls_connection *conn = arg;
|
||||
const unsigned char *p;
|
||||
int len, status, reason;
|
||||
int len, status, reason, res;
|
||||
OCSP_RESPONSE *rsp;
|
||||
OCSP_BASICRESP *basic;
|
||||
OCSP_CERTID *id;
|
||||
|
@ -3859,16 +3859,33 @@ static int ocsp_resp_cb(SSL *s, void *arg)
|
|||
return 0;
|
||||
}
|
||||
|
||||
id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
|
||||
id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer);
|
||||
if (!id) {
|
||||
wpa_printf(MSG_DEBUG, "OpenSSL: Could not create OCSP certificate identifier");
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"OpenSSL: Could not create OCSP certificate identifier (SHA256)");
|
||||
OCSP_BASICRESP_free(basic);
|
||||
OCSP_RESPONSE_free(rsp);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (!OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
|
||||
&this_update, &next_update)) {
|
||||
res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
|
||||
&this_update, &next_update);
|
||||
if (!res) {
|
||||
id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
|
||||
if (!id) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"OpenSSL: Could not create OCSP certificate identifier (SHA1)");
|
||||
OCSP_BASICRESP_free(basic);
|
||||
OCSP_RESPONSE_free(rsp);
|
||||
return 0;
|
||||
}
|
||||
|
||||
res = OCSP_resp_find_status(basic, id, &status, &reason,
|
||||
&produced_at, &this_update,
|
||||
&next_update);
|
||||
}
|
||||
|
||||
if (!res) {
|
||||
wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
|
||||
(conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" :
|
||||
" (OCSP not required)");
|
||||
|
|
Loading…
Reference in a new issue