authorMichael Brown2012-05-22 00:00:46 +0200
committerMichael Brown2012-05-22 00:21:37 +0200
commit57de8b6272c38e92d48b815997c81e103fc172ee (patch)
tree6b551e927285a0d7dc1f34fd6f9d3634148af636 /src/crypto
parent[crypto] Return a NULL OCSP check if construction fails (diff)
[crypto] Fix margin of error for OCSP checks
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/ocsp.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index 58b987d4..02edd9d3 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -720,12 +720,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
/* Check OCSP response is valid at the specified time
* (allowing for some margin of error).
*/
- if ( response->this_update > ( time - OCSP_ERROR_MARGIN_TIME ) ) {
+ if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) {
DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
"time %lld)\n", ocsp, ocsp->cert->subject.name, time );
return -EACCES_STALE;
}
- if ( response->next_update < ( time + OCSP_ERROR_MARGIN_TIME ) ) {
+ if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) {
DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
"%lld)\n", ocsp, ocsp->cert->subject.name, time );
return -EACCES_STALE;
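Review bot: The comment above the two checks still says only "allowing for some margin of error", which does not tell a reader which way the tolerance applies; the inverted signs corrected here show how easily that goes wrong. I would spell out the accepted window in that comment, e.g. `* Accept if ( this_update - OCSP_ERROR_MARGIN_TIME ) <= time <= ( next_update + OCSP_ERROR_MARGIN_TIME ).`, and add that the margin also lengthens the period in which an old response is still accepted after next_update, so the constant should stay small. Separately, the not-yet-valid branch returns `-EACCES_STALE`, the same code as the stale branch, so a caller can tell a future-dated response (or a slow local clock) from an expired one only through the debug message. ocsp_validate() starts before and continues past this hunk, so how next_update is set when a responder omits it cannot be checked from here.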