Commit 81d58080 authored by Rob Percival's avatar Rob Percival Committed by Rich Salz
Browse files

By default, allow SCT timestamps to be up to 5 minutes in the future 

As requested in
https://github.com/openssl/openssl/pull/1554#issuecomment-246371575

.

Reviewed-by: default avatarViktor Dukhovni <viktor@openssl.org>
Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
(cherry picked from commit c22aa33e)
parent 6d1584ae

crypto/ct/ct_policy.c

+7 −1
Original line number Diff line number Diff line
@@ -17,6 +17,12 @@ 


#include "ct_locl.h"



// Number of seconds in the future that an SCT timestamp can be, by default,

// without being considered invalid. This is added to time() when setting a

// default value for CT_POLICY_EVAL_CTX.epoch_time_in_ms.

// It can be overridden by calling CT_POLICY_EVAL_CTX_set_time().

static const time_t SCT_CLOCK_DRIFT_TOLERANCE = 300;



CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void)

{

    CT_POLICY_EVAL_CTX *ctx = OPENSSL_zalloc(sizeof(CT_POLICY_EVAL_CTX));
@@ -27,7 +33,7 @@ CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void) 
    }



    // time(NULL) shouldn't ever fail, so don't bother checking for -1.

    ctx->epoch_time_in_ms = time(NULL) * 1000;

    ctx->epoch_time_in_ms = (time(NULL) + SCT_CLOCK_DRIFT_TOLERANCE) * 1000;

    return ctx;

}