提交 dc90f64d 编写于 作者: D Dr. Stephen Henson

Use an OCTET STRING for the encoding of an OCSP nonce value.

The old raw format can't be handled by some implementations
and updates to RFC2560 will make this mandatory.
上级 6c430321
......@@ -617,6 +617,13 @@
Changes between 0.9.7c and 0.9.7d [xx XXX XXXX]
*) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
A clarification of RFC2560 will require the use of OCTET STRINGs and
some implementations cannot handle the current raw format. Since OpenSSL
copies and compares OCSP nonces as opaque blobs without any attempt at
parsing them this should not create any compatibility issues.
[Steve Henson]
*) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
this HMAC (and other) operations are several times slower than OpenSSL
......
......@@ -305,6 +305,8 @@ err:
/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
* a random nonce will be generated.
* Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the
* nonce, previous versions used the raw nonce.
*/
static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
......@@ -313,20 +315,28 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val,
ASN1_OCTET_STRING os;
int ret = 0;
if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
if (val) tmpval = val;
/* Create the OCTET STRING manually by writing out the header and
* appending the content octets. This avoids an extra memory allocation
* operation in some cases. Applications should *NOT* do this because
* it relies on library internals.
*/
os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
os.data = OPENSSL_malloc(os.length);
if (os.data == NULL)
goto err;
tmpval = os.data;
ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
if (val)
memcpy(tmpval, val, len);
else
{
if (!(tmpval = OPENSSL_malloc(len))) goto err;
RAND_pseudo_bytes(tmpval, len);
}
os.data = tmpval;
os.length = len;
if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
&os, 0, X509V3_ADD_REPLACE))
goto err;
ret = 1;
err:
if(!val) OPENSSL_free(tmpval);
if (os.data)
OPENSSL_free(os.data);
return ret;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册