[crypto] Fix margin of error for OCSP checks

Signed-off-by: Michael Brown <mcb30@ipxe.org>
ipxe · May 21, 2012 · 57de8b6 · 57de8b6
1 parent b278094
commit 57de8b6
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
@@ -720,12 +720,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
 	/* Check OCSP response is valid at the specified time
 	 * (allowing for some margin of error).
 	 */
-	if ( response->this_update > ( time - OCSP_ERROR_MARGIN_TIME ) ) {
+	if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) {
 		DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
 		       "time %lld)\n", ocsp, ocsp->cert->subject.name, time );
 		return -EACCES_STALE;
 	}
-	if ( response->next_update < ( time + OCSP_ERROR_MARGIN_TIME ) ) {
+	if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) {
 		DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
 		       "%lld)\n", ocsp, ocsp->cert->subject.name, time );
 		return -EACCES_STALE;