added the ability to disable OCSP nonces

2012-12-19 10:18:11 -08:00
parent 359e86adf6
commit 4e657debfc
6 changed files with 35 additions and 24 deletions
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -4635,7 +4635,6 @@ int EncodeOcspRequest(OcspRequest* req)
    byte snArray[MAX_SN_SZ];
    byte extArray[MAX_OCSP_EXT_SZ];
    byte* output = req->dest;
-    RNG rng;
    word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz;
    int i;

@@ -4653,14 +4652,17 @@ int EncodeOcspRequest(OcspRequest* req)
    req->serialSz = req->cert->serialSz;
    snSz = SetSerialNumber(req->cert->serial, req->cert->serialSz, snArray);

-    if (InitRng(&rng) != 0) {
-        CYASSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce.");
-        extSz = 0;
-    } else {
-        req->nonceSz = MAX_OCSP_NONCE_SZ;
-        RNG_GenerateBlock(&rng, req->nonce, req->nonceSz);
-        extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray,
-                                                    req->nonce, req->nonceSz);
+    if (req->useNonce) {
+        RNG rng;
+        if (InitRng(&rng) != 0) {
+            CYASSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce.");
+            extSz = 0;
+        } else {
+            req->nonceSz = MAX_OCSP_NONCE_SZ;
+            RNG_GenerateBlock(&rng, req->nonce, req->nonceSz);
+            extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray,
+                                                      req->nonce, req->nonceSz);
+        }
    }

    totalSz = algoSz + issuerSz + issuerKeySz + snSz;
@@ -4692,12 +4694,13 @@ int EncodeOcspRequest(OcspRequest* req)
 }


-void InitOcspRequest(OcspRequest* req, DecodedCert* cert,
+void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,
                                                    byte* dest, word32 destSz)
 {
    CYASSL_ENTER("InitOcspRequest");

    req->cert = cert;
+    req->useNonce = useNonce;
    req->nonceSz = 0;
    req->issuerHash = NULL;
    req->issuerKeyHash = NULL;
@@ -4725,18 +4728,20 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
        return 1;
    }

-    cmp = req->nonceSz - resp->nonceSz;
-    if (cmp != 0)
-    {
-        CYASSL_MSG("\tnonceSz mismatch");
-        return cmp;
-    }
-
-    cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz);
-    if (cmp != 0)
-    {
-        CYASSL_MSG("\tnonce mismatch");
-        return cmp;
+    if (req->useNonce) {
+        cmp = req->nonceSz - resp->nonceSz;
+        if (cmp != 0)
+        {
+            CYASSL_MSG("\tnonceSz mismatch");
+            return cmp;
+        }
+    
+        cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz);
+        if (cmp != 0)
+        {
+            CYASSL_MSG("\tnonce mismatch");
+            return cmp;
+        }
    }

    cmp = XMEMCMP(req->issuerHash, resp->issuerHash, SHA_DIGEST_SIZE);
--- a/cyassl/ctaocrypt/asn.h
+++ b/cyassl/ctaocrypt/asn.h
@@ -417,6 +417,7 @@ struct OcspResponse {
 struct OcspRequest {
    DecodedCert* cert;

+    byte    useNonce;
    byte    nonce[MAX_OCSP_NONCE_SZ];
    int     nonceSz;

@@ -433,7 +434,8 @@ struct OcspRequest {
 CYASSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
 CYASSL_LOCAL int  OcspResponseDecode(OcspResponse*);

-CYASSL_LOCAL void InitOcspRequest(OcspRequest*, DecodedCert*, byte*, word32);
+CYASSL_LOCAL void InitOcspRequest(OcspRequest*, DecodedCert*,
+                                                          byte, byte*, word32);
 CYASSL_LOCAL int  EncodeOcspRequest(OcspRequest*);

 CYASSL_LOCAL int  CompareOcspReqResp(OcspRequest*, OcspResponse*);
--- a/cyassl/internal.h
+++ b/cyassl/internal.h
@@ -775,6 +775,7 @@ struct OCSP_Entry {
 struct CYASSL_OCSP {
    byte enabled;
    byte useOverrideUrl;
+    byte useNonce;
    char overrideName[80];
    char overridePath[80];
    int  overridePort;
--- a/cyassl/ssl.h
+++ b/cyassl/ssl.h
@@ -885,6 +885,7 @@ CYASSL_API int  CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX*, const char*);
 #define CYASSL_OCSP_ENABLE       0x0001 /* Enable OCSP lookups */
 #define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL
                                         * in certificate */
+#define CYASSL_OCSP_NO_NONCE     0x0004 /* Disables the request nonce. */


 #ifdef __cplusplus
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -64,6 +64,7 @@ int CyaSSL_OCSP_Init(CYASSL_OCSP* ocsp)
 {
    if (ocsp != NULL) {
        XMEMSET(ocsp, 0, sizeof(*ocsp));
+        ocsp->useNonce = 1;
        return 0;
    }

@@ -501,7 +502,7 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
        }
    }
    
-    InitOcspRequest(&ocspRequest, cert, ocspReqBuf, ocspReqSz);
+    InitOcspRequest(&ocspRequest, cert, ocsp->useNonce, ocspReqBuf, ocspReqSz);
    ocspReqSz = EncodeOcspRequest(&ocspRequest);
    result = http_ocsp_transaction(ocsp, cert,
                                        ocspReqBuf, ocspReqSz, &ocspRespBuf);
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -8220,6 +8220,7 @@ long CyaSSL_CTX_OCSP_set_options(CYASSL_CTX* ctx, long options)
    if (ctx != NULL) {
        ctx->ocsp.enabled = (options & CYASSL_OCSP_ENABLE) != 0;
        ctx->ocsp.useOverrideUrl = (options & CYASSL_OCSP_URL_OVERRIDE) != 0;
+        ctx->ocsp.useNonce = (options & CYASSL_OCSP_NO_NONCE) == 0;
        return 1;
    }
    return 0;