
[crypto] Fix margin of error for OCSP checks

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 12 years ago
parent
commit
57de8b6272
1 changed files with 2 additions and 2 deletions
  1. 2
    2
      src/crypto/ocsp.c

+ 2
- 2
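--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -720,12 +720,12 @@
 	/* Check OCSP response is valid at the specified time
 	 * (allowing for some margin of error).
 	 */
-	if ( response->this_update > ( time - OCSP_ERROR_MARGIN_TIME ) ) {
+	if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) {
 		DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
 		       "time %lld)\n", ocsp, ocsp->cert->subject.name, time );
 		return -EACCES_STALE;
 	}
-	if ( response->next_update < ( time + OCSP_ERROR_MARGIN_TIME ) ) {
+	if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) {
 		DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
 		       "%lld)\n", ocsp, ocsp->cert->subject.name, time );
 		return -EACCES_STALE;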
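Review bot: The comment above the two checks says only "allowing for some margin of error" and does not say which way the margin is applied, which is exactly what this commit had to correct. I would spell it out, e.g. `/* Accept if this_update <= time + margin and next_update >= time - margin: the margin only widens the validity window, to tolerate clock skew */`. The margin also lengthens the period in which an expired response, and so possibly outdated revocation status, is still accepted. It is worth stating next to OCSP_ERROR_MARGIN_TIME, whose value is not visible in this hunk, that it should stay small. Both branches return `-EACCES_STALE`, so a caller cannot tell a not-yet-valid response from a stale one, which may be deliberate; the enclosing function starts and ends outside the hunk.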
