HTTP (curl): Try SHA256 hash for OCSP certificate matching
authorJouni Malinen <jouni@qca.qualcomm.com>
Tue, 9 May 2017 20:35:59 +0000 (23:35 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 9 May 2017 20:36:36 +0000 (23:36 +0300)
Previously, only SHA1-hash-based server certificate matching was used,
but the OCSP response may use SHA256 instead of SHA1, so check the match
with both hash functions, if needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/utils/http_curl.c

index 6f993e4b774a01b84a132e4f02a39e34f76759a6..735ef382d47c3a2667c07d86010c96558ccd9199 100644 (file)
@@ -1094,7 +1094,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
 {
        struct http_ctx *ctx = arg;
        const unsigned char *p;
-       int len, status, reason;
+       int len, status, reason, res;
        OCSP_RESPONSE *rsp;
        OCSP_BASICRESP *basic;
        OCSP_CERTID *id;
@@ -1199,17 +1199,36 @@ static int ocsp_resp_cb(SSL *s, void *arg)
                return 0;
        }
 
-       id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer);
+       id = OCSP_cert_to_id(EVP_sha256(), ctx->peer_cert, ctx->peer_issuer);
        if (!id) {
-               wpa_printf(MSG_DEBUG, "OpenSSL: Could not create OCSP certificate identifier");
+               wpa_printf(MSG_DEBUG,
+                          "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
                OCSP_BASICRESP_free(basic);
                OCSP_RESPONSE_free(rsp);
                ctx->last_err = "Could not create OCSP certificate identifier";
                return 0;
        }
 
-       if (!OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
-                                  &this_update, &next_update)) {
+       res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
+                                   &this_update, &next_update);
+       if (!res) {
+               id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer);
+               if (!id) {
+                       wpa_printf(MSG_DEBUG,
+                                  "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
+                       OCSP_BASICRESP_free(basic);
+                       OCSP_RESPONSE_free(rsp);
+                       ctx->last_err =
+                               "Could not create OCSP certificate identifier";
+                       return 0;
+               }
+
+               res = OCSP_resp_find_status(basic, id, &status, &reason,
+                                           &produced_at, &this_update,
+                                           &next_update);
+       }
+
+       if (!res) {
                wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
                           (ctx->ocsp == MANDATORY_OCSP) ? "" :
                           " (OCSP not required)");
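Review bot: The SHA256 OCSP_CERTID created at the top of this hunk is leaked when the fallback path reassigns the pointer with `id = OCSP_cert_to_id(NULL, ctx->peer_cert, ctx->peer_issuer);` — the first object is never released before it is overwritten. Add `OCSP_CERTID_free(id);` on the line before that second OCSP_cert_to_id() call, so that only the SHA1 identifier remains outstanding and whatever cleanup follows the hunk (not visible here) frees the right object. As written this is a per-handshake leak against any server whose OCSP responder uses SHA1 rather than SHA256, which accumulates in a long-running client. ocsp_resp_cb() begins and ends outside this hunk.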