author | Rob Percival <robpercival@google.com> | 2016-09-12 17:02:58 +0100 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2016-11-15 16:12:41 -0500 |
commit | c22aa33e29ce162c672c9b2f0df591db977d4e9b (patch) | |
tree | f4e768aa4e49b050a01c8d740d1e326d523e4c7d /crypto/ct | |
parent | f0f535e92b096db4a308ecc49ba7f0fd3f0f7945 (diff) | |
By default, allow SCT timestamps to be up to 5 minutes in the future
As requested in
https://github.com/openssl/openssl/pull/1554#issuecomment-246371575.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Diffstat (limited to 'crypto/ct')
-rw-r--r-- | crypto/ct/ct_policy.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/crypto/ct/ct_policy.c b/crypto/ct/ct_policy.c
index 1bc2274..adee331 100644
--- a/crypto/ct/ct_policy.c
+++ b/crypto/ct/ct_policy.c
@@ -17,6 +17,12 @@
 #include "ct_locl.h"
+// Number of seconds in the future that an SCT timestamp can be, by default,
+// without being considered invalid. This is added to time() when setting a
+// default value for CT_POLICY_EVAL_CTX.epoch_time_in_ms.
+// It can be overridden by calling CT_POLICY_EVAL_CTX_set_time().
+static const time_t SCT_CLOCK_DRIFT_TOLERANCE = 300;
+
 CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void)
 {
 CT_POLICY_EVAL_CTX *ctx = OPENSSL_zalloc(sizeof(CT_POLICY_EVAL_CTX));
@@ -27,7 +33,7 @@ CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void)
 }
 // time(NULL) shouldn't ever fail, so don't bother checking for -1.
- ctx->epoch_time_in_ms = time(NULL) * 1000;
+ ctx->epoch_time_in_ms = (time(NULL) + SCT_CLOCK_DRIFT_TOLERANCE) * 1000;
 return ctx;
 } |
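Review bot: The comment above `SCT_CLOCK_DRIFT_TOLERANCE` says the default can be overridden with CT_POLICY_EVAL_CTX_set_time(), but it does not say what happens to the tolerance when a caller does so. The setter is outside this diff, so this is inferred from the comment's wording: an overriding value presumably replaces the whole default, and a caller passing its own `time()` result would get no allowance for clock drift. I would add a line such as `// A time set through CT_POLICY_EVAL_CTX_set_time() is used as given; callers that want drift tolerance must add it themselves.` Because this default loosens the future-timestamp check for every context created here, the 300-second figure also belongs in the public documentation of CT_POLICY_EVAL_CTX_new().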
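Review bot: In the second hunk, the sum and the multiplication by 1000 in `(time(NULL) + SCT_CLOCK_DRIFT_TOLERANCE) * 1000` are both evaluated in `time_t`, so on a platform where `time_t` is a 32-bit signed type the product overflows before it is stored. The field's declaration is not visible here, but its `_in_ms` name suggests a wider integer; assuming it is a `uint64_t`, widening before the multiply avoids the problem: `ctx->epoch_time_in_ms = (uint64_t)(time(NULL) + SCT_CLOCK_DRIFT_TOLERANCE) * 1000;`. An overflowed reference time would make any later "SCT timestamp is in the future" comparison unreliable. The existing comment about not checking for -1 still applies, and the body of CT_POLICY_EVAL_CTX_new begins above this hunk.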