From: Tobias Brunner Date: Thu, 23 Nov 2023 17:10:08 +0000 (+0100) Subject: x509: Make length of nonces in OCSP requests configurable X-Git-Tag: 5.9.13rc1~1^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f3af1704d94ed1db5277151d17e0d2661970d3a8;p=thirdparty%2Fstrongswan.git x509: Make length of nonces in OCSP requests configurable Some servers might not support a length of 32 and return a malformed request error. Lowering the value to the previous default of 16 could help in that case. --- diff --git a/conf/options/charon.opt b/conf/options/charon.opt index e07f1dd853..369a11df58 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -302,6 +302,13 @@ charon.nbns1 charon.nbns2 WINS servers assigned to peer via configuration payload (CP). +charon.ocsp_nonce_len = 32 + Length of nonces in OCSP requests (1-32). + + Length of nonces in OCSP requests. According to RFC 8954, valid values are + between 1 and 32, with new clients required to use 32. Some servers might + not support that so lowering the value to e.g. 16 might be necessary. + charon.port = 500 UDP port used locally. If set to 0 a random port will be allocated. diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index 4f0362967a..d040859794 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -205,9 +205,13 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this) static chunk_t build_nonce(private_x509_ocsp_request_t *this) { rng_t *rng; + int nonce_len; + + nonce_len = lib->settings->get_int(lib->settings, "%s.ocsp_nonce_len", + NONCE_LEN, lib->ns); rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (!rng || !rng->allocate_bytes(rng, NONCE_LEN, &this->nonce)) + if (!rng || !rng->allocate_bytes(rng, max(1, nonce_len), &this->nonce)) { DBG1(DBG_LIB, "failed to create RNG"); DESTROY_IF(rng);