From fec7119fc8b940adeebd86e3c46e2cd3331cdc82 Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Fri, 25 Aug 2017 11:07:40 +0100
Subject: [PATCH] Add wrapper for parsing time in X.509

Add a wrapper around the function mbedtls_x509_get_time() to ensure that only GeneralizedTime tags are parsed. This is necesary for parsing OCSP responses as the RFC 6960 demands that all time-related components be in GeneralizedTime format.
---
 library/x509_ocsp.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/library/x509_ocsp.c b/library/x509_ocsp.c
index e33c9aac31..299c8b8ed8 100644
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -226,6 +226,28 @@ static int x509_ocsp_get_generalized_time( unsigned char **p,
                                            const unsigned char *end,
                                            mbedtls_x509_time *t )
 {
+    int ret;
+    unsigned char tag;
+
+    /*
+     * mbedtls_x509_get_time() can parse both UTCTime and GeneralizedTime
+     * and there is no way to tell from the output which version it parsed.
+     * However, OCSP responses require GeneralizedTime only, so we must check
+     * the tag manually.
+     */
+
+    if( ( end - *p ) < 1 )
+        return( MBEDTLS_ERR_X509_INVALID_DATE +
+                MBEDTLS_ERR_ASN1_OUT_OF_DATA );
+
+    tag = **p;
+
+    if( tag != MBEDTLS_ASN1_GENERALIZED_TIME )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT );
+
+    if( ( ret = mbedtls_x509_get_time( p, end, t ) ) != 0 )
+        return( ret );
+
     return( 0 );
 }
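Review bot: The wrong-tag branch, `return( MBEDTLS_ERR_X509_INVALID_FORMAT );`, reports a different error family from the out-of-data branch two lines above it, which returns `MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_OUT_OF_DATA`. A UTCTime sitting where RFC 6960 requires a GeneralizedTime is a bad date rather than a structurally malformed response, so I would return `MBEDTLS_ERR_X509_INVALID_DATE + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG` there; that also lines up with how mbedtls_x509_get_time() itself appears to report a tag mismatch, if it follows the same ASN.1-offset convention as its other errors. The deliberate double tag check (here and again inside the callee, which accepts both time tags) is explained in the block comment, but the function's own leading comment — the signature and anything above it begin before the hunk — should state the contract too, e.g. `/* As mbedtls_x509_get_time(), but rejects any tag other than GeneralizedTime, as RFC 6960 requires for OCSP times. */`. Whether the callee also enforces the RFC 5280 GeneralizedTime profile (seconds present, Zulu time, no fractional seconds) is not visible in this hunk and is worth confirming before callers rely on this wrapper for that.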