mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-27 05:21:51 +08:00
Code Issues Packages Projects Releases Wiki Activity

Use an OCTET STRING for the encoding of an OCSP nonce value.

Browse Source 
The old raw format can't be handled by some implementations
and updates to RFC2560 will make this mandatory.
This commit is contained in:
Dr. Stephen Henson 2004-02-19 18:16:38 +00:00
parent 6c43032121
commit dc90f64d56
2 changed files with 24 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGES
View File

@ -617,6 +617,13 @@
Changes between 0.9.7c and 0.9.7d [xx XXX XXXX]
*) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
A clarification of RFC2560 will require the use of OCTET STRINGs and
some implementations cannot handle the current raw format. Since OpenSSL
copies and compares OCSP nonces as opaque blobs without any attempt at
parsing them this should not create any compatibility issues.
[Steve Henson]
*) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
this HMAC (and other) operations are several times slower than OpenSSL

24
crypto/ocsp/ocsp_ext.c
View File

@ -305,6 +305,8 @@ err:
/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
* a random nonce will be generated.
* Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the
* nonce, previous versions used the raw nonce.
*/
static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
@ -313,20 +315,28 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val,
ASN1_OCTET_STRING os;
int ret = 0;
if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
if (val) tmpval = val;
/* Create the OCTET STRING manually by writing out the header and
* appending the content octets. This avoids an extra memory allocation
* operation in some cases. Applications should *NOT* do this because
* it relies on library internals.
*/
os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
os.data = OPENSSL_malloc(os.length);
if (os.data == NULL)
goto err;
tmpval = os.data;
ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
if (val)
memcpy(tmpval, val, len);
else
{
if (!(tmpval = OPENSSL_malloc(len))) goto err;
RAND_pseudo_bytes(tmpval, len);
}
os.data = tmpval;
os.length = len;
if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
&os, 0, X509V3_ADD_REPLACE))
goto err;
ret = 1;
err:
if(!val) OPENSSL_free(tmpval);
if (os.data)
OPENSSL_free(os.data);
return ret;
}