author | Michael Brown <mcb30@ipxe.org> | 2012-05-21 23:00:46 +0100 |
---|---|---|
committer | Michael Brown <mcb30@ipxe.org> | 2012-05-21 23:21:37 +0100 |
commit | 57de8b6272c38e92d48b815997c81e103fc172ee (patch) | |
tree | 6b551e927285a0d7dc1f34fd6f9d3634148af636 /src/crypto/ocsp.c | |
parent | b27809490207e02647add54288ec2c3ce2e4da50 (diff) | |
download | ipxe-57de8b6272c38e92d48b815997c81e103fc172ee.tar.gz |
[crypto] Fix margin of error for OCSP checks
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto/ocsp.c')
-rw-r--r-- | src/crypto/ocsp.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index 58b987d42..02edd9d38 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -720,12 +720,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
 /* Check OCSP response is valid at the specified time
 * (allowing for some margin of error).
 */
- if ( response->this_update > ( time - OCSP_ERROR_MARGIN_TIME ) ) {
+ if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) {
 DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
 "time %lld)\n", ocsp, ocsp->cert->subject.name, time );
 return -EACCES_STALE;
 }
- if ( response->next_update < ( time + OCSP_ERROR_MARGIN_TIME ) ) {
+ if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) {
 DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
 "%lld)\n", ocsp, ocsp->cert->subject.name, time );
 return -EACCES_STALE; |
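Review bot: The comment above the two checks still says only "allowing for some margin of error", which does not record which way the margin applies, and the direction is exactly what the old code had backwards. I would extend it with `* The margin widens the window: this_update may lie up to OCSP_ERROR_MARGIN_TIME after "time",` and `* and next_update up to OCSP_ERROR_MARGIN_TIME before it.` Because the second check now accepts a response for that long after its next_update, the constant (defined outside this hunk) also bounds how long an expired response is still honoured, which is worth stating where it is defined. Separately, the "not yet valid" branch returns `-EACCES_STALE`, the same code as the stale branch, so a caller cannot tell a fast clock from an expired response; whether that is intended is not visible here. ocsp_validate() begins before and continues past the hunk.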