revocation: Validate OCSP nonce only if response actually contains a nonce

Commit 27756b081c1b8 (revocation: Check that nonce in OCSP response matches) introduced strict nonce validation to prevent replay attacks with OCSP responses having a longer lifetime. However, many commercial CAs (such as Digicert) do not support nonces in responses, as they reuse once-issued OCSP responses for the OCSP lifetime. This can be problematic for replay attack scenarios, but is nothing we can fix at our end. With the mentioned commit, such OCSP responses get completely unusable, requiring the fallback to CRL based revocation. CRLs don't provide any replay protection either, so there is nothing gained security-wise, but may require a download of several megabytes CRL data. To make use of replay protection where available, but fix OCSP verification where it is not, do nonce verification only if the response actually contains a nonce. To be safe against replay attacks, one has to fix the OCSP responder or use a different CA, but this is not something we can enforce. Fixes #3557.
2025-10-04 00:00:14 -04:00 · 2020-08-10 18:29:52 +02:00 · 2020-08-10 18:29:52 +02:00 · 7efe92130a
commit 7efe92130a
parent 706a579e96
1 changed files with 2 additions and 1 deletions
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@ -112,7 +112,8 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject,
 	}
 	ocsp_request = (ocsp_request_t*)request;
 	ocsp_response = (ocsp_response_t*)response;
-	if (!chunk_equals_const(ocsp_request->get_nonce(ocsp_request),
+	if (ocsp_response->get_nonce(ocsp_response).len &&
+		!chunk_equals_const(ocsp_request->get_nonce(ocsp_request),
 							ocsp_response->get_nonce(ocsp_response)))
 	{
 		DBG1(DBG_CFG, "nonce in ocsp response doesn't match");