Use "slop time" in nextUpdate validity check for CRLs. Bug 242146.

r=julien.pierre
nelsonb%netscape.com 2004-05-22 01:03:26 +00:00
Родитель df07cea047
Коммит 9dc64ba0b2
1 изменённых файлов: 6 добавлений и 4 удалений


@ -38,7 +38,7 @@
* Implementation of OCSP services, for both client and server. * Implementation of OCSP services, for both client and server.
* (XXX, really, mostly just for client right now, but intended to do both.) * (XXX, really, mostly just for client right now, but intended to do both.)
* *
* $Id: ocsp.c,v 1.19 2004-04-25 15:03:03 gerv%gerv.net Exp $ * $Id: ocsp.c,v 1.20 2004-05-22 01:03:26 nelsonb%netscape.com Exp $
*/ */
#include "prerror.h" #include "prerror.h"
@ -2992,8 +2992,9 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
/* allow slop time for future response */ /* allow slop time for future response */
LL_UI2L(tmstamp, ocspsloptime); /* get slop time in seconds */ LL_UI2L(tmstamp, ocspsloptime); /* get slop time in seconds */
LL_UI2L(tmp, PR_USEC_PER_SEC); LL_UI2L(tmp, PR_USEC_PER_SEC);
LL_MUL(tmstamp, tmstamp, tmp); /* convert the slop time to PRTime */ LL_MUL(tmp, tmstamp, tmp); /* convert the slop time to PRTime */
LL_ADD(tmstamp, tmstamp, now); /* add current time to it */ LL_ADD(tmstamp, tmp, now); /* add current time to it */
if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) { if (LL_CMP(thisUpdate, >, tmstamp) || LL_CMP(producedAt, <, thisUpdate)) {
PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE); PORT_SetError(SEC_ERROR_OCSP_FUTURE_RESPONSE);
return SECFailure; return SECFailure;
@ -3003,7 +3004,8 @@ ocsp_VerifySingleResponse(CERTOCSPSingleResponse *single,
if (rv != SECSuccess) if (rv != SECSuccess)
return rv; return rv;
if (LL_CMP(nextUpdate, <, now) || LL_CMP(producedAt, >, nextUpdate)) { LL_ADD(tmp, tmp, nextUpdate);
if (LL_CMP(tmp, <, now) || LL_CMP(producedAt, >, nextUpdate)) {
PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE); PORT_SetError(SEC_ERROR_OCSP_OLD_RESPONSE);
return SECFailure; return SECFailure;
} }
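Review bot: The new `LL_ADD(tmp, tmp, nextUpdate);` in the last hunk relies on `tmp` still holding the slop interval computed for the thisUpdate check in the previous hunk, and nothing on the line says so. Any code between the two checks that reuses `tmp` would silently change the expiry test, so a comment such as `/* tmp still holds the slop time as PRTime; extend nextUpdate by it */` is warranted, or the slop could be kept in its own named local. Accepting a response for up to `ocspsloptime` past nextUpdate also lengthens the period in which a stale "good" answer for a since-revoked certificate is still honoured. The value is not visible on this page, so that trade-off is worth documenting where it is defined. ocsp_VerifySingleResponse begins and ends outside these hunks.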