From aa70ac0be27bbbae8387b281cff8d0a865a3cde3 Mon Sep 17 00:00:00 2001
From: Max
Date: Mon, 25 Feb 2019 14:40:19 +0100
Subject: [PATCH 1/3] Added defines to force OCSP nonce check and omit OCSP date before check.
---
 wolfcrypt/src/asn.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index a6e5cb41e..ec2f5d195 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -14137,8 +14137,10 @@ static int DecodeSingleResponse(byte* source,
 return ASN_PARSE_E;
 #ifndef NO_ASN_TIME
+#ifndef WOLFSSL_NO_OCSP_DATE_BEFORE_CHECK
 if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE))
 return ASN_BEFORE_DATE_E;
+#endif
 #endif
 /* The following items are optional. Only check for them if there is more
@@ -14744,7 +14746,11 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
 /* Nonces are not critical. The responder may not necessarily add
 * the nonce to the response. */
- if (resp->nonceSz != 0) {
+ if (req->nonceSz
+#ifndef WOLFSSL_FORCE_OCSP_NONCE_CHECK
+ && resp->nonceSz != 0
+#endif
+ ) {
 cmp = req->nonceSz - resp->nonceSz;
 if (cmp != 0) {
From fd089b4b6b5722adbf232342ef7d55a0c1628214 Mon Sep 17 00:00:00 2001
From: Max
Date: Thu, 28 Feb 2019 10:49:58 +0100
Subject: [PATCH 2/3] Changed define to configure all date checks in OCSP responses.
---
 wolfcrypt/src/asn.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index ec2f5d195..93b4c4c2a 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -14137,7 +14137,7 @@ static int DecodeSingleResponse(byte* source,
 return ASN_PARSE_E;
 #ifndef NO_ASN_TIME
-#ifndef WOLFSSL_NO_OCSP_DATE_BEFORE_CHECK
+#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
 if (!XVALIDATE_DATE(cs->thisDate, cs->thisDateFormat, BEFORE))
 return ASN_BEFORE_DATE_E;
 #endif
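Review bot: Once the thisDate BEFORE check is compiled out here (and, after PATCH 2/3, the nextDate AFTER check in its second hunk under the renamed WOLFSSL_NO_OCSP_DATE_CHECK), the nonce comparison in CompareOcspReqResp becomes the only remaining freshness binding for a response, and that comparison is enforced only when WOLFSSL_FORCE_OCSP_NONCE_CHECK is defined and the request carried a nonce. Nothing at build time flags the weakest combination, so consider a guard next to the option definitions such as `#if defined(WOLFSSL_NO_OCSP_DATE_CHECK) && !defined(WOLFSSL_FORCE_OCSP_NONCE_CHECK)` followed by `#warning "OCSP date checks disabled without forced nonce check"` where the toolchain supports `#warning`, or at least a comment at this site stating that a response past its nextUpdate is then accepted. The same applies to the PATCH 2/3 hunks that rename and extend this guard. DecodeSingleResponse starts and ends outside the hunk.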
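Review bot: The rewritten condition also changes the non-forced path: a response carrying a nonce when the request sent none (`req->nonceSz == 0`) is no longer compared at all, whereas previously `resp->nonceSz != 0` alone led into `cmp = req->nonceSz - resp->nonceSz` with a non-zero result. That relaxation is not mentioned in the commit message and deserves a comment, e.g. `/* Compare only when the request sent a nonce; an unsolicited response nonce is ignored. */`. With WOLFSSL_FORCE_OCSP_NONCE_CHECK defined the block is entered whenever the request had a nonce, so a response lacking one reaches the `cmp != 0` branch, which presumably is the mismatch handling; that branch and the rest of CompareOcspReqResp lie outside the hunk. Hoisting the `#ifndef` out of the `if` condition into a separately computed flag would make the two configurations easier to read.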
@@ -14160,8 +14160,10 @@ static int DecodeSingleResponse(byte* source,
 return ASN_PARSE_E;
 #ifndef NO_ASN_TIME
+#ifndef WOLFSSL_NO_OCSP_DATE_CHECK
 if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER))
 return ASN_AFTER_DATE_E;
+#endif
 #endif
 }
 if (((int)(idx - prevIndex) < wrapperSz) &&
From de869080be4ba3d2aa852cca3b4efc50820b35c0 Mon Sep 17 00:00:00 2001
From: Max
Date: Fri, 1 Mar 2019 09:49:49 +0100
Subject: [PATCH 3/3] Added description for added ASN options.
---
 wolfcrypt/src/asn.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 93b4c4c2a..274d868a2 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -47,6 +47,13 @@ ASN Options:
 * WOLFSSL_SMALL_CERT_VERIFY: Verify the certificate signature without using DecodedCert. Doubles up on some code but allows smaller dynamic memory usage.
+ * WOLFSSL_NO_OCSP_DATE_CHECK: Disable date checks for OCSP responses. This
+ may be required when the system's real-time clock is not very accurate.
+ It is recommended to enforce the nonce check instead if possible.
+ * WOLFSSL_FORCE_OCSP_NONCE_CHECK: Require nonces to be available in OCSP
+ responses. The nonces are optional and may not be supported by all
+ responders. If it can be ensured that the used responder sends nonces this
+ option may improve security.
 */
 #ifndef NO_ASN
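Review bot: The WOLFSSL_FORCE_OCSP_NONCE_CHECK description overstates what CompareOcspReqResp enforces: in PATCH 1/3 the comparison block is entered only when `req->nonceSz` is non-zero, so a response to a request that carried no nonce is still accepted without one. Suggest rewording the first sentence to `* WOLFSSL_FORCE_OCSP_NONCE_CHECK: Require a nonce in every OCSP response that answers a request which carried one.` The WOLFSSL_NO_OCSP_DATE_CHECK entry should likewise name the consequence rather than only the motivation, e.g. appending `Without it a response past its nextUpdate is accepted unless the nonce check catches it.`, since "not very accurate" reads as a minor trade-off while both the thisUpdate and nextUpdate checks in DecodeSingleResponse are skipped.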