From 6508ac17c253825aec9665f0ad93ba65ac54235f Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Sun, 30 Mar 2014 19:25:20 +0000
Subject: [PATCH] mod_ssl: send OCSP request's nonce according to
 SSLOCSPUseRequestNonce on/off. PR 56233.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1583191 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/ssl/mod_ssl.c           |  2 ++
 modules/ssl/ssl_engine_config.c | 12 ++++++++++++
 modules/ssl/ssl_engine_ocsp.c   | 12 ++++++++----
 modules/ssl/ssl_private.h       |  2 ++
 4 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index 98896c6f5f..13a7833da2 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -238,6 +238,8 @@ static const command_rec ssl_config_cmds[] = {
                 "Maximum age of OCSP responses")
     SSL_CMD_SRV(OCSPResponderTimeout, TAKE1,
                 "OCSP responder query timeout")
+    SSL_CMD_SRV(OCSPUseRequestNonce, FLAG,
+                "Whether OCSP queries use a nonce or not ('on', 'off')")
 
 #ifdef HAVE_OCSP_STAPLING
     /*
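Review bot: The help string added for SSLOCSPUseRequestNonce does not state the default, which ssl_engine_ocsp.c derives from `ocsp_use_request_nonce != FALSE` (an unset value behaves as 'on'). This text is what `httpd -L` shows operators, so naming the default there is cheap and useful, e.g. `"Whether OCSP queries use a nonce or not ('on', 'off'); default 'on'"`. It is also worth a word that 'off' drops the binding between request and response, so it should only be set for responders known not to support nonces.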
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index f69b6bfcae..f534288585 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -133,6 +133,7 @@ static void modssl_ctx_init(modssl_ctx_t *mctx, apr_pool_t *p)
     mctx->ocsp_resptime_skew  = UNSET;
     mctx->ocsp_resp_maxage    = UNSET;
     mctx->ocsp_responder_timeout = UNSET;
+    mctx->ocsp_use_request_nonce = UNSET;
 
 #ifdef HAVE_OCSP_STAPLING
     mctx->stapling_enabled           = UNSET;
@@ -275,6 +276,7 @@ static void modssl_ctx_cfg_merge(apr_pool_t *p,
     cfgMergeInt(ocsp_resptime_skew);
     cfgMergeInt(ocsp_resp_maxage);
     cfgMergeInt(ocsp_responder_timeout);
+    cfgMergeBool(ocsp_use_request_nonce);
 #ifdef HAVE_OCSP_STAPLING
     cfgMergeBool(stapling_enabled);
     cfgMergeInt(stapling_resptime_skew);
@@ -1605,6 +1607,16 @@ const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const ch
     return NULL;
 }
 
+const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag)
+{
+    SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+
+    sc->server->ocsp_use_request_nonce = flag ? SSL_ENABLED_TRUE
+                                              : SSL_ENABLED_FALSE;
+
+    return NULL;
+}
+
 const char *ssl_cmd_SSLProxyCheckPeerExpire(cmd_parms *cmd, void *dcfg, int flag)
 {
     SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
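Review bot: ssl_cmd_SSLOCSPUseRequestNonce stores `SSL_ENABLED_TRUE`/`SSL_ENABLED_FALSE` in a plain `int` field, while both readers in ssl_engine_ocsp.c (create_request and verify_ocsp_status) test it with `!= FALSE`. That only holds because, as far as I recall, ssl_enabled_t defines `SSL_ENABLED_FALSE = FALSE`; the coupling is invisible at either site. Either store `flag ? TRUE : FALSE` here, matching the readers, or change the readers to `!= SSL_ENABLED_FALSE`, so the value domain is the same constant set on both sides.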
diff --git a/modules/ssl/ssl_engine_ocsp.c b/modules/ssl/ssl_engine_ocsp.c
index b9fca6577d..3992dff4b0 100644
--- a/modules/ssl/ssl_engine_ocsp.c
+++ b/modules/ssl/ssl_engine_ocsp.c
@@ -104,7 +104,8 @@ static apr_uri_t *determine_responder_uri(SSLSrvConfigRec *sc, X509 *cert,
  * request object on success, or NULL on error. */
 static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
                                     OCSP_CERTID **certid,
-                                    server_rec *s, apr_pool_t *p)
+                                    server_rec *s, apr_pool_t *p,
+                                    SSLSrvConfigRec *sc)
 {
     OCSP_REQUEST *req = OCSP_REQUEST_new();
 
@@ -116,7 +117,9 @@ static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
         return NULL;
     }
 
-    OCSP_request_add1_nonce(req, 0, -1);
+    if (sc->server->ocsp_use_request_nonce != FALSE) {
+        OCSP_request_add1_nonce(req, 0, -1);
+    }
 
     return req;
 }
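Review bot: The new nonce condition in create_request relies on UNSET (the default, never set by the directive) comparing unequal to `FALSE`, which makes the nonce on-by-default, but nothing in the hunk says so; add `/* UNSET (default) and "on" send a nonce; only an explicit "off" omits it */` above the `if`. The function's doc comment (it starts above this hunk) still describes only the request/NULL return and should mention that `sc` decides whether a nonce is added. Since `s` is already a parameter, the comment could also note why `sc` is passed explicitly rather than looked up from `s`.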
@@ -139,7 +142,7 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
         return V_OCSP_CERTSTATUS_UNKNOWN;
     }
 
-    request = create_request(ctx, cert, &certID, s, pool);
+    request = create_request(ctx, cert, &certID, s, pool, sc);
     if (request) {
         apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
                                  apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) :
@@ -171,7 +174,8 @@ static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
         }
     }
 
-    if (rc == V_OCSP_CERTSTATUS_GOOD) {
+    if (rc == V_OCSP_CERTSTATUS_GOOD &&
+            sc->server->ocsp_use_request_nonce != FALSE) {
         if (OCSP_check_nonce(request, basicResponse) != 1) {
             ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
                         "Bad OCSP responder answer (bad nonce)");
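Review bot: When SSLOCSPUseRequestNonce is off, the OCSP_check_nonce call is skipped without any trace, so a response accepted without request binding is indistinguishable in the logs from a fully verified one. An `else if (rc == V_OCSP_CERTSTATUS_GOOD)` branch logging at APLOG_DEBUG, e.g. `ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "OCSP response accepted without nonce check (SSLOCSPUseRequestNonce off)");` with an APLOGNO tag allocated per project convention, would give operators a way to confirm the setting is in effect. The condition here duplicates the one in create_request; if the two ever diverged, a nonce could be sent but never checked, so a shared helper or a single local `int use_nonce` read once in verify_ocsp_status would be safer. verify_ocsp_status continues outside this hunk.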
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index 3d8f5835c1..318a159a4f 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -614,6 +614,7 @@ typedef struct {
     SSL_CONF_CTX *ssl_ctx_config; /* Configuration context */
     apr_array_header_t *ssl_ctx_param; /* parameters to pass to SSL_CTX */
 #endif
+    int ocsp_use_request_nonce;
 } modssl_ctx_t;
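Review bot: The new `ocsp_use_request_nonce` member has no comment, while neighbouring members of modssl_ctx_t carry one (`/* Configuration context */`). Because it is declared `int` but the setter stores ssl_enabled_t-style values and the readers test `!= FALSE`, the comment should pin the value domain and the default: `int ocsp_use_request_nonce; /* SSLOCSPUseRequestNonce: UNSET/FALSE/TRUE; UNSET behaves as on */`.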
 
 struct SSLSrvConfigRec {
@@ -731,6 +732,7 @@ const char *ssl_cmd_SSLOCSPDefaultResponder(cmd_parms *cmd, void *dcfg, const ch
 const char *ssl_cmd_SSLOCSPResponseTimeSkew(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPResponseMaxAge(cmd_parms *cmd, void *dcfg, const char *arg);
 const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLOCSPUseRequestNonce(cmd_parms *cmd, void *dcfg, int flag);
 const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag);
 
 #ifdef HAVE_SSL_CONF_CMD
-- 
2.40.0