diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 56b420298..f0961cd5d 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -4635,7 +4635,6 @@ int EncodeOcspRequest(OcspRequest* req) byte snArray[MAX_SN_SZ]; byte extArray[MAX_OCSP_EXT_SZ]; byte* output = req->dest; - RNG rng; word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz; int i; @@ -4653,14 +4652,17 @@ int EncodeOcspRequest(OcspRequest* req) req->serialSz = req->cert->serialSz; snSz = SetSerialNumber(req->cert->serial, req->cert->serialSz, snArray); - if (InitRng(&rng) != 0) { - CYASSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce."); - extSz = 0; - } else { - req->nonceSz = MAX_OCSP_NONCE_SZ; - RNG_GenerateBlock(&rng, req->nonce, req->nonceSz); - extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray, - req->nonce, req->nonceSz); + if (req->useNonce) { + RNG rng; + if (InitRng(&rng) != 0) { + CYASSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce."); + extSz = 0; + } else { + req->nonceSz = MAX_OCSP_NONCE_SZ; + RNG_GenerateBlock(&rng, req->nonce, req->nonceSz); + extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray, + req->nonce, req->nonceSz); + } } totalSz = algoSz + issuerSz + issuerKeySz + snSz; @@ -4692,12 +4694,13 @@ int EncodeOcspRequest(OcspRequest* req) } -void InitOcspRequest(OcspRequest* req, DecodedCert* cert, +void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, byte* dest, word32 destSz) { CYASSL_ENTER("InitOcspRequest"); req->cert = cert; + req->useNonce = useNonce; req->nonceSz = 0; req->issuerHash = NULL; req->issuerKeyHash = NULL; @@ -4725,18 +4728,20 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) return 1; } - cmp = req->nonceSz - resp->nonceSz; - if (cmp != 0) - { - CYASSL_MSG("\tnonceSz mismatch"); - return cmp; - } - - cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz); - if (cmp != 0) - { - CYASSL_MSG("\tnonce mismatch"); - return cmp; + if (req->useNonce) { + cmp = req->nonceSz - resp->nonceSz; + if (cmp != 0) + { + CYASSL_MSG("\tnonceSz mismatch"); + return cmp; + } + + cmp = XMEMCMP(req->nonce, resp->nonce, req->nonceSz); + if (cmp != 0) + { + CYASSL_MSG("\tnonce mismatch"); + return cmp; + } } cmp = XMEMCMP(req->issuerHash, resp->issuerHash, SHA_DIGEST_SIZE); diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index eab0dd2e3..cc3d8a4f0 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -417,6 +417,7 @@ struct OcspResponse { struct OcspRequest { DecodedCert* cert; + byte useNonce; byte nonce[MAX_OCSP_NONCE_SZ]; int nonceSz; @@ -433,7 +434,8 @@ struct OcspRequest { CYASSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32); CYASSL_LOCAL int OcspResponseDecode(OcspResponse*); -CYASSL_LOCAL void InitOcspRequest(OcspRequest*, DecodedCert*, byte*, word32); +CYASSL_LOCAL void InitOcspRequest(OcspRequest*, DecodedCert*, + byte, byte*, word32); CYASSL_LOCAL int EncodeOcspRequest(OcspRequest*); CYASSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*); diff --git a/cyassl/internal.h b/cyassl/internal.h index 0b989e112..1bce715ef 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -775,6 +775,7 @@ struct OCSP_Entry { struct CYASSL_OCSP { byte enabled; byte useOverrideUrl; + byte useNonce; char overrideName[80]; char overridePath[80]; int overridePort; diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 2bbbfa054..0035e1341 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -885,6 +885,7 @@ CYASSL_API int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX*, const char*); #define CYASSL_OCSP_ENABLE 0x0001 /* Enable OCSP lookups */ #define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL * in certificate */ +#define CYASSL_OCSP_NO_NONCE 0x0004 /* Disables the request nonce. */ #ifdef __cplusplus diff --git a/src/ocsp.c b/src/ocsp.c index 343b98c5b..805353341 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -64,6 +64,7 @@ int CyaSSL_OCSP_Init(CYASSL_OCSP* ocsp) { if (ocsp != NULL) { XMEMSET(ocsp, 0, sizeof(*ocsp)); + ocsp->useNonce = 1; return 0; } @@ -501,7 +502,7 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert) } } - InitOcspRequest(&ocspRequest, cert, ocspReqBuf, ocspReqSz); + InitOcspRequest(&ocspRequest, cert, ocsp->useNonce, ocspReqBuf, ocspReqSz); ocspReqSz = EncodeOcspRequest(&ocspRequest); result = http_ocsp_transaction(ocsp, cert, ocspReqBuf, ocspReqSz, &ocspRespBuf); diff --git a/src/ssl.c b/src/ssl.c index 1baa80dab..ef110da2a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -8220,6 +8220,7 @@ long CyaSSL_CTX_OCSP_set_options(CYASSL_CTX* ctx, long options) if (ctx != NULL) { ctx->ocsp.enabled = (options & CYASSL_OCSP_ENABLE) != 0; ctx->ocsp.useOverrideUrl = (options & CYASSL_OCSP_URL_OVERRIDE) != 0; + ctx->ocsp.useNonce = (options & CYASSL_OCSP_NO_NONCE) == 0; return 1; } return 0;