From 7fc33d509a8de4dd328386a7f155a52d4c347833 Mon Sep 17 00:00:00 2001
From: Sachin Agrawal
Date: Wed, 23 Sep 2015 14:28:53 -0700
Subject: [PATCH] Add check for expired symmetric keys

Iotivity should refuse DTLS session formation with devices whose credentials have been expired.

Change-Id: Ic4708fbdd50ebc59e57f09c37211e7f36dbcf931
Signed-off-by: Sachin Agrawal
Reviewed-on: https://gerrit.iotivity.org/gerrit/3015
Tested-by: jenkins-iotivity
---
 resource/csdk/security/src/credresource.c | 15 +++++++++++++++
 .../stack/samples/linux/secure/oic_svr_db_client.json | 1 +
 2 files changed, 16 insertions(+)

diff --git a/resource/csdk/security/src/credresource.c b/resource/csdk/security/src/credresource.c
index 79163ea..e7235b5 100644
--- a/resource/csdk/security/src/credresource.c
+++ b/resource/csdk/security/src/credresource.c
@@ -35,6 +35,7 @@
 #include "cainterface.h"
 #include "pbkdf2.h"
 #include
+#include "iotvticalendar.h"
 #ifdef WITH_ARDUINO
 #include
 #else
@@ -906,6 +907,20 @@ int32_t GetDtlsPskCredentials( CADtlsPskCredType_t type,
 if ((desc_len == sizeof(cred->subject.id)) &&
 (memcmp(desc, cred->subject.id, sizeof(cred->subject.id)) == 0))
 {
+ /*
+ * If the credentials are valid for limited time,
+ * check their expiry.
+ */
+ if (cred->period)
+ {
+ if(IOTVTICAL_VALID_ACCESS != IsRequestWithinValidTime(cred->period, NULL))
+ {
+ OC_LOG (INFO, TAG, "Credentials are expired.");
+ ret = -1;
+ return ret;
+ }
+ }
+
 // Convert PSK from Base64 encoding to binary before copying
 uint32_t outLen = 0;
 B64Result b64Ret = b64Decode(cred->privateData.data,
diff --git a/resource/csdk/stack/samples/linux/secure/oic_svr_db_client.json b/resource/csdk/stack/samples/linux/secure/oic_svr_db_client.json
index c4719f6..ca8fed4 100644
--- a/resource/csdk/stack/samples/linux/secure/oic_svr_db_client.json
+++ b/resource/csdk/stack/samples/linux/secure/oic_svr_db_client.json
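Review bot: Every result other than IOTVTICAL_VALID_ACCESS from IsRequestWithinValidTime() is reported as "Credentials are expired.", so a malformed or unparseable `period` string is refused with the same message as a genuinely lapsed one; failing closed is the right call, but the log should carry the actual return value so an operator can tell a clock/expiry problem from a corrupt credential entry. The refusal is also emitted at INFO, which is easy to lose in the default log level; rejecting a DTLS peer on credential grounds is a security-relevant event and belongs at WARNING, e.g. `OC_LOG_V(WARNING, TAG, "Credential rejected: validity check returned %d", (int)res);` with `res` holding the IsRequestWithinValidTime() result. `ret = -1; return ret;` can simply be `return -1;`, matching the early-exit shape used here. GetDtlsPskCredentials starts and ends outside the hunk, so whether this early return abandons the search before other, still-valid credentials for the same subject are considered cannot be confirmed from the hunk alone and is worth checking against the enclosing loop.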
@@ -45,6 +45,7 @@
 "credid": 1,
 "sub": "MTExMTExMTExMTExMTExMQ==",
 "credtyp": 1,
+ "prd": "20150630T060000/20990920T220000",
 "pvdata": "QUFBQUFBQUFBQUFBQUFBQQ==",
 "ownrs" : ["MjIyMjIyMjIyMjIyMjIyMg=="]
 }]
--
2.7.4