robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
Browse Source

[crypto] Allow signed timestamp error margin to be configured at build time 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 10 years ago
parent
d90490578d
commit
7c7c957094
4 changed files with 28 additions and 12 deletions
Split View Show Diff Stats
  1. 22
    0
      src/config/crypto.h
  2. 3
    2
      src/crypto/ocsp.c
  3. 3
    2
      src/crypto/x509.c
  4. 0
    8
      src/include/ipxe/x509.h

+ 22
- 0
src/config/crypto.h View File 

@@ -0,0 +1,22 @@
1 
+#ifndef CONFIG_CRYPTO_H
2 
+#define CONFIG_CRYPTO_H
3 
+
4 
+/** @file
5 
+ *
6 
+ * Cryptographic configuration
7 
+ *
8 
+ */
9 
+
10 
+FILE_LICENCE ( GPL2_OR_LATER );
11 
+
12 
+/** Margin of error (in seconds) allowed in signed timestamps
13 
+ *
14 
+ * We default to allowing a reasonable margin of error: 12 hours to
15 
+ * allow for the local time zone being non-GMT, plus 30 minutes to
16 
+ * allow for general clock drift.
17 
+ */
18 
+#define TIMESTAMP_ERROR_MARGIN ( ( 12 * 60 + 30 ) * 60 )
19 
+
20 
+#include <config/local/crypto.h>
21 
+
22 
+#endif /* CONFIG_CRYPTO_H */

+ 3
- 2
src/crypto/ocsp.c View File 

@@ -30,6 +30,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
30 30 
 #include <ipxe/base64.h>
31 31 
 #include <ipxe/uri.h>
32 32 
 #include <ipxe/ocsp.h>
33 
+#include <config/crypto.h>
33 34
34 35 
 /** @file
35 36 
  *
 
@@ -923,12 +924,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
923 924 
 	/* Check OCSP response is valid at the specified time
924 925 
 	 * (allowing for some margin of error).
925 926 
 	 */
926 
-	if ( response->this_update > ( time + X509_ERROR_MARGIN_TIME ) ) {
927 
+	if ( response->this_update > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
927 928 
 		DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
928 929 
 		       "time %lld)\n", ocsp, x509_name ( ocsp->cert ), time );
929 930 
 		return -EACCES_STALE;
930 931 
 	}
931 
-	if ( response->next_update < ( time - X509_ERROR_MARGIN_TIME ) ) {
932 
+	if ( response->next_update < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
932 933 
 		DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
933 934 
 		       "%lld)\n", ocsp, x509_name ( ocsp->cert ), time );
934 935 
 		return -EACCES_STALE;

+ 3
- 2
src/crypto/x509.c View File 

@@ -34,6 +34,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
34 34 
 #include <ipxe/rootcert.h>
35 35 
 #include <ipxe/certstore.h>
36 36 
 #include <ipxe/x509.h>
37 
+#include <config/crypto.h>
37 38
38 39 
 /** @file
39 40 
  *
 
@@ -1233,12 +1234,12 @@ int x509_check_time ( struct x509_certificate *cert, time_t time ) {
1233 1234 
 	struct x509_validity *validity = &cert->validity;
1234 1235
1235 1236 
 	/* Check validity period */
1236 
-	if ( validity->not_before.time > ( time + X509_ERROR_MARGIN_TIME ) ) {
1237 
+	if ( validity->not_before.time > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
1237 1238 
 		DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
1238 1239 
 		       cert, x509_name ( cert ), time );
1239 1240 
 		return -EACCES_EXPIRED;
1240 1241 
 	}
1241 
-	if ( validity->not_after.time < ( time - X509_ERROR_MARGIN_TIME ) ) {
1242 
+	if ( validity->not_after.time < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
1242 1243 
 		DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
1243 1244 
 		       cert, x509_name ( cert ), time );
1244 1245 
 		return -EACCES_EXPIRED;

+ 0
- 8
src/include/ipxe/x509.h View File 

@@ -42,14 +42,6 @@ struct x509_validity {
42 42 
 	struct x509_time not_after;
43 43 
 };
44 44
45 
-/** Margin of error allowed in X.509 response times
46 
- *
47 
- * We allow a generous margin of error: 12 hours to allow for the
48 
- * local time zone being non-GMT, plus 30 minutes to allow for general
49 
- * clock drift.
50 
- */
51 
-#define X509_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
52 
-
53 45 
 /** An X.509 certificate public key */
54 46 
 struct x509_public_key {
55 47 
 	/** Raw public key information */

Write Preview
Loading…
Cancel
Save