[thirdparty/openssl.git] / doc / man3 / OCSP_request_add1_nonce.pod

=pod

=head1 NAME

OCSP_request_add1_nonce, OCSP_basic_add1_nonce, OCSP_check_nonce, OCSP_copy_nonce - OCSP nonce functions

=head1 SYNOPSIS

 #include <openssl/ocsp.h>

 int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
 int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
 int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
 int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *resp);

=head1 DESCRIPTION

OCSP_request_add1_nonce() adds a nonce of value B<val> and length B<len> to
OCSP request B<req>. If B<val> is B<NULL> a random nonce is used. If B<len>
is zero or negative a default length will be used (currently 16 bytes).

OCSP_basic_add1_nonce() is identical to OCSP_request_add1_nonce() except
it adds a nonce to OCSP basic response B<resp>.

OCSP_check_nonce() compares the nonce value in B<req> and B<resp>.

OCSP_copy_nonce() copies any nonce value present in B<req> to B<resp>.

=head1 RETURN VALUES

OCSP_request_add1_nonce() and OCSP_basic_add1_nonce() return 1 for success
and 0 for failure.

OCSP_copy_nonce() returns 1 if a nonce was successfully copied, 2 if no nonce
was present in B<req> and 0 if an error occurred.

OCSP_check_nonce() returns the result of the nonce comparison between B<req>
and B<resp>. The return value indicates the result of the comparison.  If
nonces are present and equal 1 is returned. If the nonces are absent 2 is
returned. If a nonce is present in the response only 3 is returned. If nonces
are present and unequal 0 is returned. If the nonce is present in the request
only then -1 is returned.

=head1 NOTES

For most purposes the nonce value in a request is set to a random value so
the B<val> parameter in OCSP_request_add1_nonce() is usually NULL.

An OCSP nonce is typically added to an OCSP request to thwart replay attacks
by checking the same nonce value appears in the response.

Some responders may include a nonce in all responses even if one is not
supplied.

Some responders cache OCSP responses and do not sign each response for
performance reasons. As a result they do not support nonces.

The return values of OCSP_check_nonce() can be checked to cover each case.  A
positive return value effectively indicates success: nonces are both present
and match, both absent or present in the response only. A nonzero return
additionally covers the case where the nonce is present in the request only:
this will happen if the responder doesn't support nonces. A zero return value
indicates present and mismatched nonces: this should be treated as an error
condition.

=head1 SEE ALSO

L<crypto(7)>,
L<OCSP_cert_to_id(3)>,
L<OCSP_REQUEST_new(3)>,
L<OCSP_resp_find_status(3)>,
L<OCSP_response_status(3)>,
L<OCSP_sendreq_new(3)>

=head1 COPYRIGHT

Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
797a89a1 DSH	1	=pod
797a89a1 DSH	2
aec3ecd0 RL	3	=head1 NAME
aec3ecd0 RL	4
bb9ad09e	5	OCSP_request_add1_nonce, OCSP_basic_add1_nonce, OCSP_check_nonce, OCSP_copy_nonce - OCSP nonce functions
797a89a1 DSH	6
	7	=head1 SYNOPSIS
	8
	9	#include <openssl/ocsp.h>
	10
	11	int OCSP_request_add1_nonce(OCSP_REQUEST req, unsigned char val, int len);
	12	int OCSP_basic_add1_nonce(OCSP_BASICRESP resp, unsigned char val, int len);
	13	int OCSP_copy_nonce(OCSP_BASICRESP resp, OCSP_REQUEST req);
	14	int OCSP_check_nonce(OCSP_REQUEST req, OCSP_BASICRESP resp);
	15
	16	=head1 DESCRIPTION
	17
	18	OCSP_request_add1_nonce() adds a nonce of value B<val> and length B<len> to
	19	OCSP request B<req>. If B<val> is B<NULL> a random nonce is used. If B<len>
	20	is zero or negative a default length will be used (currently 16 bytes).
	21
	22	OCSP_basic_add1_nonce() is identical to OCSP_request_add1_nonce() except
	23	it adds a nonce to OCSP basic response B<resp>.
	24
	25	OCSP_check_nonce() compares the nonce value in B<req> and B<resp>.
	26
7fa8bcfe	27	OCSP_copy_nonce() copies any nonce value present in B<req> to B<resp>.
797a89a1 DSH	28
	29	=head1 RETURN VALUES
	30
	31	OCSP_request_add1_nonce() and OCSP_basic_add1_nonce() return 1 for success
	32	and 0 for failure.
	33
	34	OCSP_copy_nonce() returns 1 if a nonce was successfully copied, 2 if no nonce
	35	was present in B<req> and 0 if an error occurred.
	36
	37	OCSP_check_nonce() returns the result of the nonce comparison between B<req>
	38	and B<resp>. The return value indicates the result of the comparison. If
	39	nonces are present and equal 1 is returned. If the nonces are absent 2 is
	40	returned. If a nonce is present in the response only 3 is returned. If nonces
	41	are present and unequal 0 is returned. If the nonce is present in the request
	42	only then -1 is returned.
	43
	44	=head1 NOTES
	45
	46	For most purposes the nonce value in a request is set to a random value so
	47	the B<val> parameter in OCSP_request_add1_nonce() is usually NULL.
	48
	49	An OCSP nonce is typically added to an OCSP request to thwart replay attacks
	50	by checking the same nonce value appears in the response.
	51
	52	Some responders may include a nonce in all responses even if one is not
	53	supplied.
	54
	55	Some responders cache OCSP responses and do not sign each response for
	56	performance reasons. As a result they do not support nonces.
	57
	58	The return values of OCSP_check_nonce() can be checked to cover each case. A
	59	positive return value effectively indicates success: nonces are both present
9c0586d5	60	and match, both absent or present in the response only. A nonzero return
797a89a1 DSH	61	additionally covers the case where the nonce is present in the request only:
	62	this will happen if the responder doesn't support nonces. A zero return value
	63	indicates present and mismatched nonces: this should be treated as an error
	64	condition.
	65
	66	=head1 SEE ALSO
	67
b97fdb57	68	L<crypto(7)>,
9b86974e RS	69	L<OCSP_cert_to_id(3)>,
9b86974e RS	70	L<OCSP_REQUEST_new(3)>,
b97fdb57	71	L<OCSP_resp_find_status(3)>,
9b86974e RS	72	L<OCSP_response_status(3)>,
9b86974e RS	73	L<OCSP_sendreq_new(3)>
797a89a1	74
e2f92610 RS	75	=head1 COPYRIGHT
e2f92610 RS	76
33388b44	77	Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	78
4746f25a	79	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	80	this file except in compliance with the License. You can obtain a copy
	81	in the file LICENSE in the source distribution or at
	82	L<https://www.openssl.org/source/license.html>.
	83
	84	=cut