| author | Werner Koch <[email protected]> | 2025-11-28 14:52:46 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2025-11-28 15:04:37 +0000 |
| commit | 674aa54242d121354b5edd066d6753194446cbd7 (patch) | |
| tree | 9c84746c345cc34f350ddb8766183a8bcc72f655 | |
| parent | common:dotlock: Escalate a warning message up to INFO from DEBUG. (diff) | |
* dirmngr/dirmngr.h (COMPAT_OCSP_SHA256_CERTID): New.
* dirmngr/dirmngr.c (compatibility_flags): Add compat flag.
(my_ksba_hash_buffer): Support SHA256.
* dirmngr/ocsp.c (do_ocsp_request): Make use of the flag.
--
Note that this requires a newer Libksba. Older Libksba versions
ignore the request to use SHA256.
| -rw-r--r-- | common/percent.c | 1 | ||||
| -rw-r--r-- | dirmngr/dirmngr.c | 27 | ||||
| -rw-r--r-- | dirmngr/dirmngr.h | 4 | ||||
| -rw-r--r-- | dirmngr/ocsp.c | 4 |
4 files changed, 28 insertions, 8 deletions
diff --git a/common/percent.c b/common/percent.c
index debf15784..80ebb5387 100644
--- a/common/percent.c
+++ b/common/percent.c
@@ -25,6 +25,7 @@
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see <https://www.gnu.org/licenses/>.
+ * SPDX-License-Identifier: (LGPL-3.0-or-later OR GPL-2.0-or-later)
 */
 
 #include <config.h>
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 32a4df3a9..97780eccc 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -340,6 +340,7 @@ static struct debug_flags_s debug_flags [] =
 static struct compatibility_flags_s compatibility_flags [] =
 {
 { COMPAT_RESTRICT_HTTP_REDIR, "restrict-http-redir" },
+ { COMPAT_OCSP_SHA256_CERTID, "ocsp-sha256-certid" },
 { 0, NULL }
 };
 
@@ -487,9 +488,9 @@ my_strusage( int level )
 
 
 /* Callback from libksba to hash a provided buffer. Our current
- implementation does only allow SHA-1 for hashing. This may be
- extended by mapping the name, testing for algorithm availability
- and adjust the length checks accordingly. */
+ * implementation does only allow SHA-1 and SHA-256 for hashing. This
+ * may be extended by mapping the name, testing for algorithm
+ * availibility and adjust the length checks accordingly. */
 static gpg_error_t
 my_ksba_hash_buffer (void *arg, const char *oid,
 const void *buffer, size_t length, size_t resultsize,
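Review bot: The rewritten comment above my_ksba_hash_buffer spells `availibility` where the removed line had `availability`, and it still does not mention that a NULL `oid` is treated as SHA-1, which the body in the following hunk keeps doing. I would correct the spelling and add a sentence such as `A NULL OID selects SHA-1.` so that callers know the default. The function body lies outside this hunk.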
@@ -497,12 +498,22 @@ my_ksba_hash_buffer (void *arg, const char *oid,
 {
 (void)arg;
 
- if (oid && strcmp (oid, "1.3.14.3.2.26"))
+ if (!oid || !strcmp (oid, "1.3.14.3.2.26"))
+ {
+ if (resultsize < 20)
+ return gpg_error (GPG_ERR_BUFFER_TOO_SHORT);
+ gcry_md_hash_buffer (GCRY_MD_SHA1, result, buffer, length);
+ *resultlen = 20;
+ }
+ else if (!strcmp (oid, "2.16.840.1.101.3.4.2.1"))
+ {
+ if (resultsize < 32)
+ return gpg_error (GPG_ERR_BUFFER_TOO_SHORT);
+ gcry_md_hash_buffer (GCRY_MD_SHA256, result, buffer, length);
+ *resultlen = 32;
+ }
+ else
 return gpg_error (GPG_ERR_NOT_SUPPORTED);
- if (resultsize < 20)
- return gpg_error (GPG_ERR_BUFFER_TOO_SHORT);
- gcry_md_hash_buffer (2, result, buffer, length);
- *resultlen = 20;
 return 0;
 }
 
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index d32f125d2..bf267cf72 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -207,6 +207,10 @@ struct
 * https://dev.gnupg.org/T6477. */
 #define COMPAT_RESTRICT_HTTP_REDIR 1
 
+/* There is a demand to use SHA-256 for hashing elements of the OCSP
+ * CertID. Allow to enable this with a recent enough Libksba. */
+#define COMPAT_OCSP_SHA256_CERTID 2
+
 
 /* A simple list of certificate references. FIXME: Better use
 certlist_t also for references (Store NULL at .cert) */
diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
index 40e282484..eb24e2954 100644
--- a/dirmngr/ocsp.c
+++ b/dirmngr/ocsp.c
@@ -165,6 +165,10 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp,
 return err;
 }
 
+ /* Tell Libksba to use SHA256 for hashing elements of the CERTID. */
+ if ((opt.compat_flags & COMPAT_OCSP_SHA256_CERTID))
+ ksba_ocsp_set_nonce (ocsp, NULL, 32);
+
 {
 size_t n;
 unsigned char nonce[32]; |
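Review bot: The digest lengths 20 and 32 are hard-coded next to each algorithm in the new branches of my_ksba_hash_buffer, so the bounds check on `resultsize` and the value stored in `*resultlen` depend on each literal being typed correctly for every algorithm added later. Mapping the OID to an algorithm id first and taking the length from `gcry_md_get_algo_dlen` leaves a single length check and a single hash call, as sketched below. The function's signature lies outside the hunk, so whether `result` and `resultlen` may be NULL is not visible here.

```c
  int algo;
  unsigned int dlen;

  (void)arg;

  /* A NULL OID keeps the SHA-1 default of the previous code.  */
  if (!oid || !strcmp (oid, "1.3.14.3.2.26"))
    algo = GCRY_MD_SHA1;
  else if (!strcmp (oid, "2.16.840.1.101.3.4.2.1"))
    algo = GCRY_MD_SHA256;
  else
    return gpg_error (GPG_ERR_NOT_SUPPORTED);

  /* Take the length from Libgcrypt so the check cannot drift from ALGO.  */
  dlen = gcry_md_get_algo_dlen (algo);
  if (!dlen)
    return gpg_error (GPG_ERR_NOT_SUPPORTED);
  if (resultsize < dlen)
    return gpg_error (GPG_ERR_BUFFER_TOO_SHORT);
  gcry_md_hash_buffer (algo, result, buffer, length);
  *resultlen = dlen;
  return 0;
```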
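Review bot: The return value of `ksba_ocsp_set_nonce (ocsp, NULL, 32)` is dropped, so with the flag set dirmngr has no indication whether Libksba accepted the SHA-256 request; going by the commit message, an older Libksba ignores it and the CertID would presumably still be built with SHA-1 without any message. The call also reads as a nonce operation and the literal `32` is unexplained, so I would expand the comment to something like `/* A NULL nonce with length 32 is Libksba's way to request SHA-256 for the CertID; older versions ignore it. */` if that is indeed the convention. A one-time `log_info` when the flag is set but `ksba_check_version ("<MIN_LIBKSBA_VERSION>")` fails would tell the operator that the flag has no effect. do_ocsp_request starts and ends outside this hunk.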
