[crypto] Fix margin of error for OCSP checks

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index 58b987d429c22f3dff197350df00fe8eaaac0017..02edd9d38ea8b10fe811853bdc8fc10a41be31e8 100644 (file)
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -720,12 +720,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
        /* Check OCSP response is valid at the specified time
         * (allowing for some margin of error).
         */
-       if ( response->this_update > ( time - OCSP_ERROR_MARGIN_TIME ) ) {
+       if ( response->this_update > ( time + OCSP_ERROR_MARGIN_TIME ) ) {
                DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
                       "time %lld)\n", ocsp, ocsp->cert->subject.name, time );
                return -EACCES_STALE;
        }
-       if ( response->next_update < ( time + OCSP_ERROR_MARGIN_TIME ) ) {
+       if ( response->next_update < ( time - OCSP_ERROR_MARGIN_TIME ) ) {
                DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
                       "%lld)\n", ocsp, ocsp->cert->subject.name, time );
                return -EACCES_STALE;