1=pod 2 3=head1 NAME 4 5OCSP_request_add1_nonce, OCSP_basic_add1_nonce, OCSP_check_nonce, OCSP_copy_nonce - OCSP nonce functions 6 7=head1 SYNOPSIS 8 9 #include <openssl/ocsp.h> 10 11 int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len); 12 int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len); 13 int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req); 14 int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *resp); 15 16=head1 DESCRIPTION 17 18OCSP_request_add1_nonce() adds a nonce of value B<val> and length B<len> to 19OCSP request B<req>. If B<val> is B<NULL> a random nonce is used. If B<len> 20is zero or negative a default length will be used (currently 16 bytes). 21 22OCSP_basic_add1_nonce() is identical to OCSP_request_add1_nonce() except 23it adds a nonce to OCSP basic response B<resp>. 24 25OCSP_check_nonce() compares the nonce value in B<req> and B<resp>. 26 27OCSP_copy_nonce() copys any nonce value present in B<req> to B<resp>. 28 29=head1 RETURN VALUES 30 31OCSP_request_add1_nonce() and OCSP_basic_add1_nonce() return 1 for success 32and 0 for failure. 33 34OCSP_copy_nonce() returns 1 if a nonce was successfully copied, 2 if no nonce 35was present in B<req> and 0 if an error occurred. 36 37OCSP_check_nonce() returns the result of the nonce comparison between B<req> 38and B<resp>. The return value indicates the result of the comparison. If 39nonces are present and equal 1 is returned. If the nonces are absent 2 is 40returned. If a nonce is present in the response only 3 is returned. If nonces 41are present and unequal 0 is returned. If the nonce is present in the request 42only then -1 is returned. 43 44=head1 NOTES 45 46For most purposes the nonce value in a request is set to a random value so 47the B<val> parameter in OCSP_request_add1_nonce() is usually NULL. 48 49An OCSP nonce is typically added to an OCSP request to thwart replay attacks 50by checking the same nonce value appears in the response. 51 52Some responders may include a nonce in all responses even if one is not 53supplied. 54 55Some responders cache OCSP responses and do not sign each response for 56performance reasons. As a result they do not support nonces. 57 58The return values of OCSP_check_nonce() can be checked to cover each case. A 59positive return value effectively indicates success: nonces are both present 60and match, both absent or present in the response only. A non-zero return 61additionally covers the case where the nonce is present in the request only: 62this will happen if the responder doesn't support nonces. A zero return value 63indicates present and mismatched nonces: this should be treated as an error 64condition. 65 66=head1 SEE ALSO 67 68L<crypto(7)>, 69L<OCSP_cert_to_id(3)>, 70L<OCSP_REQUEST_new(3)>, 71L<OCSP_resp_find_status(3)>, 72L<OCSP_response_status(3)>, 73L<OCSP_sendreq_new(3)> 74 75=head1 COPYRIGHT 76 77Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. 78 79Licensed under the OpenSSL license (the "License"). You may not use 80this file except in compliance with the License. You can obtain a copy 81in the file LICENSE in the source distribution or at 82L<https://www.openssl.org/source/license.html>. 83 84=cut 85