author | jpierre%netscape.com <devnull@localhost> | 2002-08-04 02:50:40 +0000 |
committer | jpierre%netscape.com <devnull@localhost> | 2002-08-04 02:50:40 +0000 |
commit | bb3a95d5e2610e65d972f40df988baddcd256c96 (patch) | |
tree | 285b96f3827fbf46faf336f73c0e826f4fc87a7b | |
parent | d670347f4db39c287ed40c0fc43a5b5ef6154ce7 (diff) | |
download | nss-hg-bb3a95d5e2610e65d972f40df988baddcd256c96.tar.gz |
Fix for 158141 - add 5 minute slop time for OCSP
-rw-r--r-- | security/nss/lib/certhigh/ocsp.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index b84e36148..7f7030b92 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -2892,6 +2892,11 @@ ocsp_TimeIsRecent(int64 checkTime)
     return PR_TRUE;
 }
 
+#define OCSP_SLOP (5L*60L) /* OCSP responses are allowed to be 5 minutes
+                              in the future by default */
+
+static PRUint32 ocspsloptime = OCSP_SLOP; /* seconds */
+
 /*
  * Check that this single response is okay. A return of SECSuccess means:
  * 1. The signer (represented by "signerCert") is authorized to give status
@@ -2922,7 +2927,7 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
                           int64 producedAt)
 {
     CERTOCSPCertID *certID = single->certID;
-    int64 now, thisUpdate, nextUpdate;
+    int64 now, thisUpdate, nextUpdate, tmstamp, tmp;
     SECStatus rv;
 
     /*
@@ -2955,7 +2960,12 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
      * Now check the time stuff, as described above.
      */
     now = PR_Now();
-    if (LL_CMP(thisUpdate, >, now) || LL_CMP(producedAt, <, thisUpdate)) {
+    /* allow slop time for future response */
+    LL_UI2L(tmstamp, ocspsloptime); /* get slop time in seconds */
+    LL_UI2L(tmp, PR_USEC_PER_SEC);
+    LL_MUL(tmstamp, tmstamp, tmp); /* convert the slop time to PRTime */
+    LL_ADD(tmstamp, tmstamp, now); /* add current time to it */
+    if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) {
         PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE);
         return SECFailure;
     }
|
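Review bot: `ocspsloptime` is introduced as a mutable file-scope `static PRUint32`, but nothing in this patch writes to it, so within the visible change it is a constant and the macro comment's "by default" promises a configurability that is not shown here. Unless a setter exists or is planned elsewhere in the file, declare it `static const PRUint32 ocspsloptime = OCSP_SLOP; /* seconds */` and drop "by default" from the `OCSP_SLOP` comment. If a setter is added later it should bound the value, since this variable directly controls how far in the future a response's thisUpdate may lie and still pass the freshness check.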
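Review bot: The names `tmstamp` and `tmp` in the new comparison say nothing about what they hold, which matters because `tmstamp` is the security boundary of the check; by the time it reaches `LL_CMP(thisUpdate, >, tmstamp)` it is "now plus the clock-skew tolerance", not a timestamp taken from the response. A name such as `latestAcceptable` for the sum (declared in the second hunk alongside `now`) and a comment on the new `if` like `/* reject thisUpdate more than ocspsloptime seconds ahead of our clock */` would make the intent readable without tracing the four `LL_*` macro calls. Note also that the slop is applied only to the thisUpdate comparison; the `producedAt < thisUpdate` half is untouched, and whether the other time checks in this function (outside the hunk, which ends before the function does) need the same tolerance is not visible here.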