
[crypto] Fix margin of error for OCSP checks

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 12 years ago
parent
commit
57de8b6272
1 changed files with 2 additions and 2 deletions
  1. 2
    2
      src/crypto/ocsp.c

+ 2
- 2
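--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -720,12 +720,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
 	/* Check OCSP response is valid at the specified time
 	 * (allowing for some margin of error).
 	 */
-	if ( response->this_update > ( time - OCSP_ERROR_MARGIN_TIME ) ) {
+	if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) {
 		DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
 		       "time %lld)\n", ocsp, ocsp->cert->subject.name, time );
 		return -EACCES_STALE;
 	}
-	if ( response->next_update < ( time + OCSP_ERROR_MARGIN_TIME ) ) {
+	if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) {
 		DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
 		       "%lld)\n", ocsp, ocsp->cert->subject.name, time );
 		return -EACCES_STALE;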
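Review bot: The comment above the two comparisons still says only "allowing for some margin of error" and does not state which way the margin applies, which is exactly what had to be corrected here. I would spell the accepted window out beside the checks, for example `/* Accept iff ( this_update - MARGIN ) <= time <= ( next_update + MARGIN ) */`, so that an inverted sign is obvious in review. The margin also extends how long a previously captured response is still accepted after next_update, so the value of OCSP_ERROR_MARGIN_TIME (defined outside this hunk) deserves a short rationale where it is declared. Separately, the not-yet-valid branch returns `-EACCES_STALE`, the same code as the stale branch, so a caller cannot tell a clock that is behind from an expired response; a distinct error would help diagnosis if the project has one. The body of ocsp_validate starts and ends outside the hunk.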
