Some servers might not support a length of 32 and return a malformed
request error. Lowering the value to the previous default of 16 could
help in that case.
charon.nbns2
WINS servers assigned to peer via configuration payload (CP).
+charon.ocsp_nonce_len = 32
+ Length of nonces in OCSP requests (1-32).
+
+ Length of nonces in OCSP requests. According to RFC 8954, valid values are
+ between 1 and 32, with new clients required to use 32. Some servers might
+ not support that so lowering the value to e.g. 16 might be necessary.
+
charon.port = 500
UDP port used locally. If set to 0 a random port will be allocated.
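Review bot: the option description states the valid range as 1-32 but says nothing about what happens when the configured value falls outside it, and the accompanying code only guards the lower bound (`max(1, nonce_len)`), so a value such as 64 is neither rejected nor clamped and the documented range is not enforced. Either document that out-of-range values are clamped to 1-32 (and clamp both ends in the code) or state that only values in that range are accepted. A second, minor point: "new clients required to use 32" is imprecise; phrasing it as "RFC 8954 requires compliant clients to use 32 bytes, while responders must accept 1 to 32" makes clear why lowering the value is a compatibility concession rather than a supported choice.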
static chunk_t build_nonce(private_x509_ocsp_request_t *this)
{
rng_t *rng;
+ int nonce_len;
+
+ nonce_len = lib->settings->get_int(lib->settings, "%s.ocsp_nonce_len",
+ NONCE_LEN, lib->ns);
rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
- if (!rng || !rng->allocate_bytes(rng, NONCE_LEN, &this->nonce))
+ if (!rng || !rng->allocate_bytes(rng, max(1, nonce_len), &this->nonce))
{
DBG1(DBG_LIB, "failed to create RNG");
DESTROY_IF(rng);
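Review bot: `max(1, nonce_len)` clamps only the lower bound, so a misconfigured `charon.ocsp_nonce_len` above 32 yields a nonce longer than the 32-byte maximum of RFC 8954 that the documentation promises, and some responders will reject the request with exactly the malformedRequest error this change is meant to avoid. Clamp both ends, e.g. `rng->allocate_bytes(rng, min(32, max(1, nonce_len)), &this->nonce)`, and consider logging a DBG1 line when the configured value is adjusted, since silently using a different length than the one configured makes interoperability problems hard to diagnose. The clamping also belongs in the `DBG1` failure path's semantics: "failed to create RNG" does not cover an invalid configured length, so a separate diagnostic for that case would help.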