From 026e95a74d5ddc53540f66dd7750c831b1399ee0 Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Thu, 24 Aug 2017 16:48:29 +0100
Subject: [PATCH] Parse the OCSP response status

Populate the function x509_ocsp_get_response_status() that parses the OCSPResponseStatus:

OCSPResponseStatus ::= ENUMERATED {
    successful (0), -- Response has valid confirmations
    malformedRequest (1), -- Illegal confirmation request
    internalError (2), -- Internal error in issuer
    tryLater (3), -- Try again later
    -- (4) is not used
    sigRequired (5), -- Must sign the request
    unauthorized (6) -- Request unauthorized
}

The function writes the value into the resp_status field of the mbedtls_x509_ocsp_response struct.
---
 include/mbedtls/asn1.h | 1 +
 include/mbedtls/x509_ocsp.h | 10 ++++++++++
 library/x509_ocsp.c | 29 +++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+)

diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h
index e159e57ea0..0fc881166b 100644
--- a/include/mbedtls/asn1.h
+++ b/include/mbedtls/asn1.h
@@ -74,6 +74,7 @@
 #define MBEDTLS_ASN1_OCTET_STRING 0x04
 #define MBEDTLS_ASN1_NULL 0x05
 #define MBEDTLS_ASN1_OID 0x06
+#define MBEDTLS_ASN1_ENUMERATED 0x0A
 #define MBEDTLS_ASN1_UTF8_STRING 0x0C
 #define MBEDTLS_ASN1_SEQUENCE 0x10
 #define MBEDTLS_ASN1_SET 0x11
diff --git a/include/mbedtls/x509_ocsp.h b/include/mbedtls/x509_ocsp.h
index bcaca48ea6..fbc1281d26 100644
--- a/include/mbedtls/x509_ocsp.h
+++ b/include/mbedtls/x509_ocsp.h
@@ -36,6 +36,16 @@
 #include
+#define MBEDTLS_ERR_X509_OCSP_INVALID_RESPONSE_STATUS -0x9010 /**< The OCSP response status is invalid */
+
+/* OCSP response status values as defined in RFC 6960 Section 4.2.1 */
+#define MBEDTLS_X509_OCSP_RESPONSE_STATUS_SUCCESSFUL 0
+#define MBEDTLS_X509_OCSP_RESPONSE_STATUS_MALFORMED_REQ 1
+#define MBEDTLS_X509_OCSP_RESPONSE_STATUS_INTERNAL_ERR 2
+#define MBEDTLS_X509_OCSP_RESPONSE_STATUS_TRY_LATER 3
+#define MBEDTLS_X509_OCSP_RESPONSE_STATUS_SIG_REQUIRED 5
+#define MBEDTLS_X509_OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
+
 /**
  * \addtogroup x509_module
  * \{
diff --git a/library/x509_ocsp.c b/library/x509_ocsp.c
index 0fea2d980e..4d58492034 100644
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -56,6 +56,35 @@ static int x509_ocsp_get_response_status( unsigned char **p,
                                           const unsigned char *end,
                                           uint8_t *resp_status )
 {
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                                      MBEDTLS_ASN1_ENUMERATED ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    if( len != 1 )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    *resp_status = *( *p )++;
+
+    /* Ensure the parsed response status is valid */
+    switch( *resp_status )
+    {
+        case MBEDTLS_X509_OCSP_RESPONSE_STATUS_SUCCESSFUL:
+        case MBEDTLS_X509_OCSP_RESPONSE_STATUS_MALFORMED_REQ:
+        case MBEDTLS_X509_OCSP_RESPONSE_STATUS_INTERNAL_ERR:
+        case MBEDTLS_X509_OCSP_RESPONSE_STATUS_TRY_LATER:
+        case MBEDTLS_X509_OCSP_RESPONSE_STATUS_SIG_REQUIRED:
+        case MBEDTLS_X509_OCSP_RESPONSE_STATUS_UNAUTHORIZED:
+            break;
+        default:
+            return( MBEDTLS_ERR_X509_OCSP_INVALID_RESPONSE_STATUS );
+    }
+
     return( 0 );
 }
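Review bot: The value chosen for the new error code, `MBEDTLS_ERR_X509_OCSP_INVALID_RESPONSE_STATUS -0x9010`, does not fit the library's error-code layout: error.h keeps every code inside the 16-bit window -0x0001..-0x7FFF, places X.509 high-level codes in the -0x2080..-0x3000 block, and leaves the low 7 bits clear so that a low-level ASN.1 code can be added to a high-level one (the `MBEDTLS_ERR_X509_INVALID_FORMAT + ret` pattern used in the x509_ocsp.c hunk below). -0x9010 is outside that window and has non-zero low bits, so `mbedtls_strerror()` and any additive combination would misdecode it. Unless an earlier commit in this series reserved an OCSP-specific block in error.h, I would pick an unused X.509 slot and register it there, keeping the same description, e.g. `#define MBEDTLS_ERR_X509_OCSP_INVALID_RESPONSE_STATUS -0x2A00 /**< The OCSP response status is invalid */` (verify the slot is free against error.h before merging).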
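Review bot: The value this function stores in `*resp_status` is the outer OCSPResponseStatus, which sits outside the signed BasicOCSPResponse, so a non-successful status (tryLater, internalError, unauthorized, …) could have been substituted by anyone controlling the transport; nothing in the hunk records that, and a caller that reads resp_status and moves on could mistake such a value for an authenticated "not revoked" answer. I would add a comment above the switch, e.g. `/* responseStatus is not covered by the responder's signature: a non-successful value is unauthenticated and says nothing about the certificate's revocation state; callers must apply their soft-/hard-fail policy. */`, and repeat the caveat on the resp_status field of mbedtls_x509_ocsp_response, which is defined outside this hunk. The parsing itself looks right: a DER ENUMERATED in 0..6 is always one content byte, so `len != 1` is a valid check, and rejecting 4 and anything above 6 matches RFC 6960. The function's first signature line is outside the hunk and appears only in the `@@` context.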