author | Michael Brown | 2014-03-30 21:07:14 +0200 |
---|---|---|
committer | Michael Brown | 2014-03-30 21:08:00 +0200 |
commit | 7c7c95709482c769fb081471f2ff8701dbd5b068 (patch) | |
tree | f4f30b3d4d00794351b5e00cc6da173759d0dec8 | |
parent | [crypto] Use fingerprint when no common name is available for debug messages (diff) | |
[crypto] Allow signed timestamp error margin to be configured at build time
Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r-- | src/config/crypto.h | 22 | ||||
-rw-r--r-- | src/crypto/ocsp.c | 5 | ||||
-rw-r--r-- | src/crypto/x509.c | 5 | ||||
-rw-r--r-- | src/include/ipxe/x509.h | 8 |
4 files changed, 28 insertions, 12 deletions
diff --git a/src/config/crypto.h b/src/config/crypto.h
new file mode 100644
index 00000000..95c73d47
--- /dev/null
+++ b/src/config/crypto.h
@@ -0,0 +1,22 @@
+#ifndef CONFIG_CRYPTO_H
+#define CONFIG_CRYPTO_H
+
+/** @file
+ *
+ * Cryptographic configuration
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+/** Margin of error (in seconds) allowed in signed timestamps
+ *
+ * We default to allowing a reasonable margin of error: 12 hours to
+ * allow for the local time zone being non-GMT, plus 30 minutes to
+ * allow for general clock drift.
+ */
+#define TIMESTAMP_ERROR_MARGIN ( ( 12 * 60 + 30 ) * 60 )
+
+#include <config/local/crypto.h>
+
+#endif /* CONFIG_CRYPTO_H */
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index 75d9a092..d4815a1b 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -30,6 +30,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include <ipxe/base64.h>
 #include <ipxe/uri.h>
 #include <ipxe/ocsp.h>
+#include <config/crypto.h>
 
 /** @file
  *
@@ -923,12 +924,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
 	/* Check OCSP response is valid at the specified time
 	 * (allowing for some margin of error).
 	 */
-	if ( response->this_update > ( time + X509_ERROR_MARGIN_TIME ) ) {
+	if ( response->this_update > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
 		DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
 		       "time %lld)\n", ocsp, x509_name ( ocsp->cert ), time );
 		return -EACCES_STALE;
 	}
-	if ( response->next_update < ( time - X509_ERROR_MARGIN_TIME ) ) {
+	if ( response->next_update < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
 		DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
 		       "%lld)\n", ocsp, x509_name ( ocsp->cert ), time );
 		return -EACCES_STALE;
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index fa361474..87b924c8 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -34,6 +34,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include <ipxe/rootcert.h>
 #include <ipxe/certstore.h>
 #include <ipxe/x509.h>
+#include <config/crypto.h>
 
 /** @file
  *
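Review bot: The new config/crypto.h defines TIMESTAMP_ERROR_MARGIN unconditionally and only then includes <config/local/crypto.h>, so a local override that simply re-`#define`s the macro with a different value will trip the compiler's macro-redefinition warning (fatal if the build runs with -Werror, which I have not confirmed from this hunk); the header comment should say that the local file must `#undef TIMESTAMP_ERROR_MARGIN` before its own `#define`. The comment should also state the security trade-off the commit message leaves implicit: the same margin is subtracted on the expiry side in the ocsp.c and x509.c hunks, so raising it widens the window in which a certificate past not_after or an OCSP response past next_update is still accepted, and a build whose RTC is known to hold UTC can safely shrink it to the 30-minute drift allowance alone. Appending `/* Override in config/local/crypto.h with #undef then #define. Larger values also accept expired certificates and stale OCSP responses for longer. */` to the existing paragraph would cover both points.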
@@ -1233,12 +1234,12 @@ int x509_check_time ( struct x509_certificate *cert, time_t time ) {
 	struct x509_validity *validity = &cert->validity;
 
 	/* Check validity period */
-	if ( validity->not_before.time > ( time + X509_ERROR_MARGIN_TIME ) ) {
+	if ( validity->not_before.time > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
 		DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
 		       cert, x509_name ( cert ), time );
 		return -EACCES_EXPIRED;
 	}
-	if ( validity->not_after.time < ( time - X509_ERROR_MARGIN_TIME ) ) {
+	if ( validity->not_after.time < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
 		DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
 		       cert, x509_name ( cert ), time );
 		return -EACCES_EXPIRED;
diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 52302aea..c9254723 100644
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -42,14 +42,6 @@ struct x509_validity {
 	struct x509_time not_after;
 };
 
-/** Margin of error allowed in X.509 response times
- *
- * We allow a generous margin of error: 12 hours to allow for the
- * local time zone being non-GMT, plus 30 minutes to allow for general
- * clock drift.
- */
-#define X509_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
-
 /** An X.509 certificate public key */
 struct x509_public_key {
 	/** Raw public key information */
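Review bot: The `/* Check validity period */` comment in x509_check_time does not say that TIMESTAMP_ERROR_MARGIN is applied on both ends, yet the second test in the hunk accepts a certificate for up to that many seconds after not_after, not merely one whose not_before is slightly in the future; with the 12.5-hour default this is the detail an auditor of expiry handling needs to find here rather than in config/crypto.h. I would replace the comment with `/* Check validity period, allowing TIMESTAMP_ERROR_MARGIN of clock skew on either side (so a certificate is still accepted that long after not_after) */`. The two DBGC messages log only the current time; adding validity->not_before.time and validity->not_after.time to them would let a skew-related rejection be diagnosed from the debug output without a second boot. x509_check_time's signature appears only in the hunk header and its body continues past the hunk.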