From 67b1b00a2c689be8bddc7c3589fd2ebb1cb35c3f Mon Sep 17 00:00:00 2001
From: John Safranek
Date: Wed, 20 Nov 2013 13:46:46 -0800
Subject: [PATCH] OCSP Nonces are not critical extensions. Allow a response to be missing the nonce.
---
 ctaocrypt/src/asn.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c
index ce5ccc988..10dcf6337 100644
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -5738,7 +5738,9 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
 return 1;
 }
- if (req->useNonce) {
+ /* Nonces are not critical. The responder may not necessarily add
+ * the nonce to the response. */
+ if (req->useNonce && resp->nonceSz != 0) {
 cmp = req->nonceSz - resp->nonceSz;
 if (cmp != 0) {
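Review bot: With the new condition `req->useNonce && resp->nonceSz != 0`, a response that carries no nonce skips the nonce comparison silently, so the replay protection the caller requested through `useNonce` is dropped without any trace. Freshness of such a response then rests on the thisUpdate/nextUpdate validity checks, which are not visible in this hunk and should be confirmed to run on this path. I would make the downgrade observable by adding, just before the `if`, `if (req->useNonce && resp->nonceSz == 0) CYASSL_MSG("\tresponse has no nonce, nonce check skipped");`, and extend the comment to say that replay protection falls back to the response's validity window in that case. The body of CompareOcspReqResp continues outside the hunk, so whether callers can opt in to requiring the nonce cannot be judged from here.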