From f9578ba407934d0a27a7e1f945ee57b2b7b3b26f Mon Sep 17 00:00:00 2001
From: Matthew Newton
Date: Thu, 12 Jan 2012 16:53:29 +0000
Subject: [PATCH] Add option to be able to disable nonce in OCSP request

Some OCSP responders cannot cope with an OCSP request if nonce is used so this gives a way to allow freeradius to work with them.
---
 raddb/mods-available/eap | 16 ++++++++++++++++
 src/include/tls.h | 1 +
 src/main/tls.c | 8 ++++++--
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 71aa702b0ae..26195d519d1 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -443,6 +443,22 @@
 # Responder is running as a vhost.
 #
 url = "http://127.0.0.1/ocsp/"
+
+ #
+ # If the OCSP Responder can not cope with nonce
+ # in the request, then it can be disabled here.
+ #
+ # For security reasons, disabling this option
+ # is not recommended as nonce protects against
+ # replay attacks.
+ #
+ # Note that Microsoft AD Certificate Services OCSP
+ # Responder does not enable nonce by default. It is
+ # more secure to enable nonce on the responder than
+ # to disable it in the query here.
+ # See http://technet.microsoft.com/en-us/library/cc770413%28WS.10%29.aspx
+ #
+ # use_nonce = yes
 }
 }
diff --git a/src/include/tls.h b/src/include/tls.h
index c34ea0b0fcf..2e8838344df 100644
--- a/src/include/tls.h
+++ b/src/include/tls.h
@@ -374,6 +374,7 @@ struct fr_tls_server_conf_t {
 int ocsp_enable;
 int ocsp_override_url;
 char *ocsp_url;
+ int ocsp_use_nonce;
 X509_STORE *ocsp_store;
 #endif
diff --git a/src/main/tls.c b/src/main/tls.c
index f33841daf00..c9757580f56 100644
--- a/src/main/tls.c
+++ b/src/main/tls.c
@@ -779,6 +779,8 @@ static CONF_PARSER ocsp_config[] = {
 offsetof(fr_tls_server_conf_t, ocsp_override_url), NULL, "no"},
 { "url", PW_TYPE_STRING_PTR,
 offsetof(fr_tls_server_conf_t, ocsp_url), NULL, NULL },
+ { "use_nonce", PW_TYPE_BOOLEAN,
+ offsetof(fr_tls_server_conf_t, ocsp_use_nonce), NULL, "yes"},
 { NULL, -1, 0, NULL, NULL } /* end the list */
 };
 #endif
@@ -1074,7 +1076,9 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 certid = OCSP_cert_to_id(NULL, client_cert, issuer_cert);
 req = OCSP_REQUEST_new();
 OCSP_request_add0_id(req, certid);
-OCSP_request_add1_nonce(req, NULL, 8);
+if(conf->ocsp_use_nonce) {
+ OCSP_request_add1_nonce(req, NULL, 8);
+}
 /*
 * Send OCSP Request and get OCSP Response
@@ -1113,7 +1117,7 @@ static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
 goto ocsp_end;
 }
 bresp = OCSP_response_get1_basic(resp);
-if(OCSP_check_nonce(req, bresp)!=1) {
+if(conf->ocsp_use_nonce && OCSP_check_nonce(req, bresp)!=1) {
 radlog(L_ERR, "Error: OCSP response has wrong nonce value");
 goto ocsp_end;
 }
--
2.47.3
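Review bot: The rewritten nonce insertion still discards the return value of OCSP_request_add1_nonce(), so if adding the nonce fails the request is sent without one even though conf->ocsp_use_nonce asked for it, and the later nonce comparison would then reject the response with the misleading "wrong nonce value" message. Since the nonce is exactly the replay protection this option controls, fail explicitly at the point it is lost: `if (conf->ocsp_use_nonce && OCSP_request_add1_nonce(req, NULL, 8) != 1) {` / `radlog(L_ERR, "Error: failed to add nonce to OCSP request");` / `goto ocsp_end;` (the ocsp_end label is visible in the following hunk). The unchecked call predates this commit, but this hunk rewrites that line. ocsp_check's signature and the declaration of conf lie outside the hunk, so I am assuming conf is the fr_tls_server_conf_t pointer the function receives.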
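Review bot: With use_nonce = no the entire nonce comparison is skipped, so the response's freshness then rests only on whatever thisUpdate/nextUpdate validity check ocsp_check performs outside this hunk, and that dependency deserves a comment on the changed if, e.g. `/* use_nonce = no disables replay protection here; response freshness then rests solely on the validity-window check */`. It would also help operators to see in the logs that this weaker mode is in effect, e.g. `if (!conf->ocsp_use_nonce) radlog(L_DBG, "OCSP nonce checking disabled by configuration");` immediately before the if. Keeping the `!= 1` test is correct: when nonce is enabled, a response that omits or mismatches the nonce is still rejected. ocsp_check continues beyond the end of the hunk.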