[release/8.0-staging] Remove the OCSP nonce #103446

Merged
Expand Up @@ -454,7 +454,6 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len);
REQUIRED_FUNCTION(OCSP_cert_to_id) \
REQUIRED_FUNCTION(OCSP_check_nonce) \
REQUIRED_FUNCTION(OCSP_request_add0_id) \
REQUIRED_FUNCTION(OCSP_request_add1_nonce) \
REQUIRED_FUNCTION(OCSP_REQUEST_free) \
REQUIRED_FUNCTION(OCSP_REQUEST_new) \
REQUIRED_FUNCTION(OCSP_resp_find_status) \
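Review bot: OCSP_check_nonce stays in the REQUIRED_FUNCTION list while OCSP_request_add1_nonce is dropped, which is the right split given the other hunks: the nonce check in CheckOcspGetExpiry is still called, but nothing adds a nonce to a request any more. Since this list drives the dynamic loader's set of mandatory symbols, the removal also means a libssl build without OCSP_request_add1_nonce will no longer fail at load time; worth a line in the PR description so nobody later treats the absent symbol as a regression.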
Expand Down Expand Up @@ -969,7 +968,6 @@ FOR_ALL_OPENSSL_FUNCTIONS
#define OCSP_check_nonce OCSP_check_nonce_ptr
#define OCSP_CERTID_free OCSP_CERTID_free_ptr
#define OCSP_request_add0_id OCSP_request_add0_id_ptr
#define OCSP_request_add1_nonce OCSP_request_add1_nonce_ptr
#define OCSP_REQUEST_free OCSP_REQUEST_free_ptr
#define OCSP_REQUEST_new OCSP_REQUEST_new_ptr
#define OCSP_resp_find_status OCSP_resp_find_status_ptr
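Review bot: the `#define OCSP_request_add1_nonce OCSP_request_add1_nonce_ptr` removal is consistent with dropping it from the REQUIRED_FUNCTION list, and with no remaining `#define` the only former call site (BuildOcspRequest in the other file) would now fail to compile if the call were reintroduced without restoring the shim, which is a useful guard. Please confirm the remaining indirection sites for this symbol, if any, are covered in the same commit so the shim does not keep a dangling pointer declaration.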
Expand Up @@ -948,7 +948,8 @@ static X509VerifyStatusCode CheckOcspGetExpiry(OCSP_REQUEST* req,
int nonceCheck = req == NULL ? 1 : OCSP_check_nonce(req, basicResp);

// Treat "response has no nonce" as success, since not all responders set the nonce.
if (nonceCheck == -1)
// Treat "neither has a nonce" as success, since we do not send nonces in our requests.
if (nonceCheck == -1 || nonceCheck == 2)
{
nonceCheck = 1;
}
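Review bot: with the request no longer carrying a nonce, the `nonceCheck == -1` case (nonce in request but not in response, per the OpenSSL OCSP_check_nonce contract) can no longer occur, so the first comment, "Treat 'response has no nonce' as success, since not all responders set the nonce", is now stale and the `-1` half of the condition is dead. Suggest either dropping `|| nonceCheck == -1` together with its comment, or rewording to say why both values are kept. Also note that return value 3 (nonce present only in the response) is not mapped to success here; that is the correct conservative choice now that we never send one, but a short comment saying so would stop the next reader from "fixing" it.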
Expand Down Expand Up @@ -1181,8 +1182,9 @@ static OCSP_REQUEST* BuildOcspRequest(X509* subject, X509* issuer)
// Ownership was successfully transferred to req
certId = NULL;

// Add a random nonce.
OCSP_request_add1_nonce(req, NULL, -1);
// We return the request without setting a nonce on it. Most public CA OCSP responders ignore the nonce, and in some
// cases flat out error when presented with a nonce.
// This behavior also matches Windows and Apple platforms.
return req;
}
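Review bot: the new comment explains why the nonce is removed (responder compatibility, parity with Windows and Apple) but not what replaces the property it gave up. Without a nonce, a signed OCSP response can be replayed for as long as its validity window lasts, so freshness now rests entirely on the thisUpdate/nextUpdate checks in the response handling rather than on request binding. Suggest adding one sentence to the comment stating that trade-off explicitly, so the reliance on the validity window is visible to whoever next touches the expiry code.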
