aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2017-05-09 20:31:20 (GMT)
committerJouni Malinen <j@w1.fi>2017-05-09 20:36:36 (GMT)
commit85cff4b0d8f3f44d04292ef954861cfeca292ff5 (patch)
tree6c2950caa950ad59d585a1b79b8526249a4d96ed /src
parentd264c2e390069889ccce8ddb95bdc5c00503f183 (diff)
downloadhostap-85cff4b0d8f3f44d04292ef954861cfeca292ff5.zip
hostap-85cff4b0d8f3f44d04292ef954861cfeca292ff5.tar.gz
hostap-85cff4b0d8f3f44d04292ef954861cfeca292ff5.tar.bz2
OpenSSL: Try SHA256 hash for OCSP certificate matching
Previously, only SHA1 hash -based server certificate matching was used, but the OCSP response may use SHA256 instead of SHA1, so check the match with both hash functions, if needed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Diffstat (limited to 'src')
-rw-r--r--src/crypto/tls_openssl.c27
1 files changed, 22 insertions, 5 deletions
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index fc169e7..07c6119 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -3764,7 +3764,7 @@ static int ocsp_resp_cb(SSL *s, void *arg)
{
struct tls_connection *conn = arg;
const unsigned char *p;
- int len, status, reason;
+ int len, status, reason, res;
OCSP_RESPONSE *rsp;
OCSP_BASICRESP *basic;
OCSP_CERTID *id;
@@ -3859,16 +3859,33 @@ static int ocsp_resp_cb(SSL *s, void *arg)
return 0;
}
- id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
+ id = OCSP_cert_to_id(EVP_sha256(), conn->peer_cert, conn->peer_issuer);
if (!id) {
- wpa_printf(MSG_DEBUG, "OpenSSL: Could not create OCSP certificate identifier");
+ wpa_printf(MSG_DEBUG,
+ "OpenSSL: Could not create OCSP certificate identifier (SHA256)");
OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(rsp);
return 0;
}
- if (!OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
- &this_update, &next_update)) {
+ res = OCSP_resp_find_status(basic, id, &status, &reason, &produced_at,
+ &this_update, &next_update);
+ if (!res) {
+ id = OCSP_cert_to_id(NULL, conn->peer_cert, conn->peer_issuer);
+ if (!id) {
+ wpa_printf(MSG_DEBUG,
+ "OpenSSL: Could not create OCSP certificate identifier (SHA1)");
+ OCSP_BASICRESP_free(basic);
+ OCSP_RESPONSE_free(rsp);
+ return 0;
+ }
+
+ res = OCSP_resp_find_status(basic, id, &status, &reason,
+ &produced_at, &this_update,
+ &next_update);
+ }
+
+ if (!res) {
wpa_printf(MSG_INFO, "OpenSSL: Could not find current server certificate from OCSP response%s",
(conn->flags & TLS_CONN_REQUIRE_OCSP) ? "" :
" (OCSP not required)");