narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[crypto] Fix margin of error for OCSP checks 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/6/head
Michael Brown 2012-05-21 23:00:46 +01:00
parent b278094902
commit 57de8b6272
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/crypto/ocsp.c
View File

@ -720,12 +720,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
/* Check OCSP response is valid at the specified time /* Check OCSP response is valid at the specified time
* (allowing for some margin of error). * (allowing for some margin of error).
*/ */
if ( response->this_update > ( time - OCSP_ERROR_MARGIN_TIME ) ) { if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) {
DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at " DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
"time %lld)\n", ocsp, ocsp->cert->subject.name, time ); "time %lld)\n", ocsp, ocsp->cert->subject.name, time );
return -EACCES_STALE; return -EACCES_STALE;
} }
if ( response->next_update < ( time + OCSP_ERROR_MARGIN_TIME ) ) { if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) {
DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time " DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
"%lld)\n", ocsp, ocsp->cert->subject.name, time ); "%lld)\n", ocsp, ocsp->cert->subject.name, time );
return -EACCES_STALE; return -EACCES_STALE;