From 7c7c95709482c769fb081471f2ff8701dbd5b068 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Sun, 30 Mar 2014 20:07:14 +0100
Subject: [crypto] Allow signed timestamp error margin to be configured at build time

Signed-off-by: Michael Brown
---
 src/crypto/ocsp.c | 5 +++--
 src/crypto/x509.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

(limited to 'src/crypto')

diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index 75d9a092..d4815a1b 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -30,6 +30,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include
 #include
 #include
+#include
 
 /** @file
 *
@@ -923,12 +924,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
 /* Check OCSP response is valid at the specified time
 * (allowing for some margin of error).
 */
- if ( response->this_update > ( time + X509_ERROR_MARGIN_TIME ) ) {
+ if ( response->this_update > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
 DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
 "time %lld)\n", ocsp, x509_name ( ocsp->cert ), time );
 return -EACCES_STALE;
 }
- if ( response->next_update < ( time - X509_ERROR_MARGIN_TIME ) ) {
+ if ( response->next_update < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
 DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
 "%lld)\n", ocsp, x509_name ( ocsp->cert ), time );
 return -EACCES_STALE;
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index fa361474..87b924c8 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -34,6 +34,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include
 #include
 #include
+#include
 
 /** @file
 *
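Review bot: Nothing in `ocsp_validate` (src/crypto/ocsp.c) bounds the margin now that it is a build-time setting: the `this_update` and `next_update` comparisons use `TIMESTAMP_ERROR_MARGIN` directly, so a large value lengthens the period in which a stale OCSP response is still accepted, and a negative one would narrow the window instead of widening it. The definition is not part of this diff (it is limited to `src/crypto`), so I cannot see whether it is range-checked there; if it is not, a guard placed after the new include, `#if TIMESTAMP_ERROR_MARGIN < 0` / `#error "TIMESTAMP_ERROR_MARGIN must not be negative"` / `#endif`, would reject a bad configuration at build time, assuming the macro remains a preprocessor-evaluable constant. The same applies to the two comparisons in `x509_check_time` in src/crypto/x509.c. `ocsp_validate` starts and ends outside this hunk.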
@@ -1233,12 +1234,12 @@ int x509_check_time ( struct x509_certificate *cert, time_t time ) {
 struct x509_validity *validity = &cert->validity;
 
 /* Check validity period */
- if ( validity->not_before.time > ( time + X509_ERROR_MARGIN_TIME ) ) {
+ if ( validity->not_before.time > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
 DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
 cert, x509_name ( cert ), time );
 return -EACCES_EXPIRED;
 }
- if ( validity->not_after.time < ( time - X509_ERROR_MARGIN_TIME ) ) {
+ if ( validity->not_after.time < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
 DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
 cert, x509_name ( cert ), time );
 return -EACCES_EXPIRED;
-- cgit v1.2.3-55-g7522
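Review bot: The `/* Check validity period */` comment in `x509_check_time` does not say that both bounds are relaxed by a configurable amount, unlike the matching comment in `ocsp_validate`, which at least mentions a margin of error. I would change it to `/* Check validity period, allowing TIMESTAMP_ERROR_MARGIN of clock error on either side (build-time setting) */`. Anyone auditing expiry handling would then see that a certificate is still accepted for that long after `not_after` and before `not_before`. The unit is presumably seconds, since the value is added to a `time_t`, but the definition is not in this diff, so that should be confirmed before it goes into the comment. The end of the function is outside this hunk.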