From fc3afe5c6b69ee3adddfd760fb30c58cdb7281bf Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Thu, 31 Aug 2017 12:03:59 +0100
Subject: [PATCH] Ensure that the responseType is OCSP Basic

The responseType indicates a large portion of the syntax of an OCSP response message. At this stage we only support OCSP Basic, so this change ensure that the parser returns a failure code if the responseType does not match the OID id-pkix-ocsp-basic.
---
 library/x509_ocsp.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/library/x509_ocsp.c b/library/x509_ocsp.c
index 2e62705042..8f0cd0e877 100644
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -175,11 +175,13 @@ static int x509_ocsp_get_response_type( unsigned char **p,
     resp_type->len = len;
     resp_type->p = *p;
 
-    if( MBEDTLS_OID_CMP( MBEDTLS_OID_OCSP, resp_type ) != 0 &&
-        MBEDTLS_OID_CMP( MBEDTLS_OID_OCSP_BASIC, resp_type ) != 0 )
-    {
+    /*
+     * At this stage we only support id-pkix-ocsp-basic. This defines the
+     * ASN.1 syntax of the remaining OCSP response so return a failure if the
+     * response type is not OCSP Basic.
+     */
+    if( MBEDTLS_OID_CMP( MBEDTLS_OID_OCSP_BASIC, resp_type ) != 0 )
         return( MBEDTLS_ERR_X509_INVALID_RESPONSE_TYPE );
-    }
 
     *p = *p + len;