From cf1e28f77a91093292b4c3b7ef2016e93a917300 Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Sat, 11 Nov 2017 11:05:28 +0000
Subject: [PATCH] Verify OCSP response SingleResponse timestamps
Add code to verify the thisUpdate and nextUpdate fields of the SingleResponse.
---
 library/x509_ocsp.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/library/x509_ocsp.c b/library/x509_ocsp.c
index 4b66775d8f..73624dec34 100644
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -1425,6 +1425,27 @@ static int x509_ocsp_verify_responses( mbedtls_x509_ocsp_response *resp,
             *flags |= MBEDTLS_X509_BADOCSP_RESPONSE_INCOMPLETE;
             continue;
         }
+
+        /*
+         * Check that nextUpdate is an later than now (if available).
+         *
+         * RFC 6960 Section 4.2.2.1: Responses whose nextUpdate value is
+         * earlier than the local system time SHOULD be considered unreliable
+         */
+        if( single_resp->has_next_update == 1 &&
+            mbedtls_x509_time_is_past( &single_resp->next_update ) != 0 )
+        {
+            *flags |= MBEDTLS_X509_BADOCSP_RESPONSE_EXPIRED;
+        }
+
+        /*
+         * Check that thisUpdate is earlier than now.
+         *
+         * RFC 6960 Section 4.2.2.1: Responses whose thisUpdate time is later
+         * than the local system time SHOULD be considered unreliable
+         */
+        if( mbedtls_x509_time_is_future( &single_resp->this_update ) != 0 )
+            *flags |= MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE;
     }
     return( 0 );
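Review bot: When has_next_update is 0 the new checks put no upper bound on the age of the response: thisUpdate only has to be in the past, so an arbitrarily old SingleResponse (one captured before the certificate was revoked) passes with no flag set, which is the replay case RFC 6960 4.2.2.1 leaves to client policy and stricter profiles such as RFC 5019 close by requiring nextUpdate to be present. At minimum state this in the new comment, e.g. `/* No nextUpdate: no freshness bound is applied here; callers needing replay protection must bound the age of thisUpdate themselves */`, or consider a configurable maximum age on this_update. Both comparisons are exact against the local clock, so a responder whose clock is a few seconds ahead yields MBEDTLS_X509_BADOCSP_RESPONSE_FUTURE for a response issued just now; whether a small skew tolerance is wanted is a policy choice, but it should be a deliberate one. The comment text `Check that nextUpdate is an later than now` should read `Check that nextUpdate is later than now`. x509_ocsp_verify_responses starts before the hunk and its closing brace lies after it.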