OpenSSL: Try SHA256 hash for OCSP certificate matching

Previously, only SHA1 hash -based server certificate matching was used,
but the OCSP response may use SHA256 instead of SHA1, so check the match
with both hash functions, if needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index fc169e71e1e9c82533f13b13159d9ffa2484ee43..07c61193a19a4eb86cb69d3c1567bd379b627f8c 100644 (file)
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3764,7 +3764,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
 {
        struct tls_connection *conn = arg;
        const unsigned char *p;
-       int len, status, reason;
+       int len, status, reason, res;
        OCSP_RESPONSE *rsp;
        OCSP_BASICRESP *basic;
        OCSP_CERTID *id;
@@ -3859,16 +3859,33 @@ static int ocsp_resp_cb(SSL *s, void *arg)
                return 0;
        }
 
-       id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
+       id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer);
        if (!id) {
-               wpa_printf(MSG_DEBUG, "OpenSSL: Could not create OCSP certificate identifier");
+               wpa_printf(MSG_DEBUG,
+                          "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
                OCSP_BASICRESP_free(basic);
                OCSP_RESPONSE_free(rsp);
                return 0;
        }
 
-       if (!OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
-                                  &this_update, &next_update)) {
+       res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
+                                   &this_update, &next_update);
+       if (!res) {
+               id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
+               if (!id) {
+                       wpa_printf(MSG_DEBUG,
+                                  "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
+                       OCSP_BASICRESP_free(basic);
+                       OCSP_RESPONSE_free(rsp);
+                       return 0;
+               }
+
+               res = OCSP_resp_find_status(basic, id, &status, &reason,
+                                           &produced_at, &this_update,
+                                           &next_update);
+       }
+
+       if (!res) {
                wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
                           (conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" :
                           " (OCSP not required)");