From 1fa9ffd934429f140edcfbaf76d2f32cc21e449b Mon Sep 17 00:00:00 2001
From: Rob Percival <robpercival@google.com>
Date: Thu, 8 Sep 2016 16:02:46 +0100
Subject: Check that SCT timestamps are not in the future

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
---
 doc/man3/CT_POLICY_EVAL_CTX_new.pod             | 16 ++++++++++++++--
 doc/man3/SCT_validate.pod                       |  8 +++++---
 doc/man3/SSL_CTX_set_ct_validation_callback.pod |  6 +++++-
 3 files changed, 24 insertions(+), 6 deletions(-)

(limited to 'doc')

diff --git a/doc/man3/CT_POLICY_EVAL_CTX_new.pod b/doc/man3/CT_POLICY_EVAL_CTX_new.pod
index 37f3ed598a..0f50078b51 100644
--- a/doc/man3/CT_POLICY_EVAL_CTX_new.pod
+++ b/doc/man3/CT_POLICY_EVAL_CTX_new.pod
@@ -5,7 +5,8 @@
 CT_POLICY_EVAL_CTX_new, CT_POLICY_EVAL_CTX_free,
 CT_POLICY_EVAL_CTX_get0_cert, CT_POLICY_EVAL_CTX_set1_cert,
 CT_POLICY_EVAL_CTX_get0_issuer, CT_POLICY_EVAL_CTX_set1_issuer,
-CT_POLICY_EVAL_CTX_get0_log_store, CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE -
+CT_POLICY_EVAL_CTX_get0_log_store, CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE,
+CT_POLICY_EVAL_CTX_get_time, CT_POLICY_EVAL_CTX_set_time -
 Encapsulates the data required to evaluate whether SCTs meet a Certificate Transparency policy
 
 =head1 SYNOPSIS
@@ -20,13 +21,16 @@ Encapsulates the data required to evaluate whether SCTs meet a Certificate Trans
  int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer);
  const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx);
  void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx, CTLOG_STORE *log_store);
+ uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx);
+ void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms);
 
 =head1 DESCRIPTION
 
 A B<CT_POLICY_EVAL_CTX> is used by functions that evaluate whether Signed
 Certificate Timestamps (SCTs) fulfil a Certificate Transparency (CT) policy.
 This policy may be, for example, that at least one valid SCT is available. To
-determine this, an SCT's signature must be verified. This requires:
+determine this, an SCT's timestamp and signature must be verified.
+This requires:
 
 =over
 
@@ -36,6 +40,8 @@ determine this, an SCT's signature must be verified. This requires:
 
 =item * the issuer certificate (if the SCT was issued for a pre-certificate)
 
+=item * the current time
+
 =back
 
 The above requirements are met using the setters described below.
@@ -58,6 +64,12 @@ Increments the reference count of the certificate.
 Holds a pointer to the CTLOG_STORE, so the CTLOG_STORE must outlive the
 CT_POLICY_EVAL_CTX.
 
+=item * CT_POLICY_EVAL_CTX_set_time() to provide the current time
+
+The SCT timestamp will be compared to this time to check whether the SCT was
+supposedly issued in the future. RFC6962 states that "TLS clients MUST reject
+SCTs whose timestamp is in the future".
+
 =back
 
 Each setter has a matching getter for accessing the current value.
diff --git a/doc/man3/SCT_validate.pod b/doc/man3/SCT_validate.pod
index 98ae61822e..9868a282b5 100644
--- a/doc/man3/SCT_validate.pod
+++ b/doc/man3/SCT_validate.pod
@@ -54,9 +54,11 @@ status will be SCT_VALIDATION_STATUS_UNKNOWN_LOG.
 If the SCT is of an unsupported version (only v1 is currently supported), the
 validation status will be SCT_VALIDATION_STATUS_UNKNOWN_VERSION.
 
-If the SCT's signature is incorrect, the validation status will be
-SCT_VALIDATION_STATUS_INVALID. Otherwise, if all checks have passed, the
-validation status will be SCT_VALIDATION_STATUS_VALID.
+If the SCT's signature is incorrect, its timestamp is in the future (relative to
+the time in CT_POLICY_EVAL_CTX), or if it is otherwise invalid, the validation
+status will be SCT_VALIDATION_STATUS_INVALID.
+
+If all checks pass, the validation status will be SCT_VALIDATION_STATUS_VALID.
 
 =head1 NOTES
 
diff --git a/doc/man3/SSL_CTX_set_ct_validation_callback.pod b/doc/man3/SSL_CTX_set_ct_validation_callback.pod
index a6cbe8f527..d818e00fc5 100644
--- a/doc/man3/SSL_CTX_set_ct_validation_callback.pod
+++ b/doc/man3/SSL_CTX_set_ct_validation_callback.pod
@@ -97,6 +97,9 @@ otherwise.
 When SCT processing is enabled, OCSP stapling will be enabled. This is because
 one possible source of SCTs is the OCSP response from a server.
 
+The time returned by SSL_SESSION_get_time() will be used to evaluate whether any
+presented SCTs have timestamps that are in the future (and therefore invalid).
+
 =head1 RESTRICTIONS
 
 Certificate Transparency validation cannot be enabled and so a callback cannot
@@ -124,7 +127,8 @@ L<ssl(7)>,
 L<SSL_session_reused(3)>,
 L<SSL_set_verify(3)>,
 L<SSL_CTX_set_verify(3)>,
-L<ssl_ct_validation_cb(3)>
+L<ssl_ct_validation_cb(3)>,
+L<SSL_SESSION_get_time(3)>
 
 =head1 COPYRIGHT
 
-- 
cgit v1.2.3