[crypto] Allow signed timestamp error margin to be configured at build time

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/config/crypto.h b/src/config/crypto.h
new file mode 100644 (file)
index 0000000..95c73d4
--- /dev/null
+++ b/src/config/crypto.h
@@ -0,0 +1,22 @@
+#ifndef CONFIG_CRYPTO_H
+#define CONFIG_CRYPTO_H
+
+/** @file
+ *
+ * Cryptographic configuration
+ *
+ */
+
+FILE_LICENCE ( GPL2_OR_LATER );
+
+/** Margin of error (in seconds) allowed in signed timestamps
+ *
+ * We default to allowing a reasonable margin of error: 12 hours to
+ * allow for the local time zone being non-GMT, plus 30 minutes to
+ * allow for general clock drift.
+ */
+#define TIMESTAMP_ERROR_MARGIN ( ( 12 * 60 + 30 ) * 60 )
+
+#include <config/local/crypto.h>
+
+#endif /* CONFIG_CRYPTO_H */

diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index 75d9a09207d7769b78222641d52623092330d4b7..d4815a1b5071b726d6cbe89cd98ce5c46ee1824e 100644 (file)
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -30,6 +30,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include <ipxe/base64.h>
 #include <ipxe/uri.h>
 #include <ipxe/ocsp.h>
+#include <config/crypto.h>
 
 /** @file
  *
@@ -923,12 +924,12 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
        /* Check OCSP response is valid at the specified time
         * (allowing for some margin of error).
         */
-       if ( response->this_update > ( time + X509_ERROR_MARGIN_TIME ) ) {
+       if ( response->this_update > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
                DBGC ( ocsp, "OCSP %p \"%s\" response is not yet valid (at "
                       "time %lld)\n", ocsp, x509_name ( ocsp->cert ), time );
                return -EACCES_STALE;
        }
-       if ( response->next_update < ( time - X509_ERROR_MARGIN_TIME ) ) {
+       if ( response->next_update < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
                DBGC ( ocsp, "OCSP %p \"%s\" response is stale (at time "
                       "%lld)\n", ocsp, x509_name ( ocsp->cert ), time );
                return -EACCES_STALE;

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index fa361474247c66dd7e670588c6faac818e3a7050..87b924c84f9553fa0f5caa2a8a30d4ea710bea8a 100644 (file)
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -34,6 +34,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include <ipxe/rootcert.h>
 #include <ipxe/certstore.h>
 #include <ipxe/x509.h>
+#include <config/crypto.h>
 
 /** @file
  *
@@ -1233,12 +1234,12 @@ int x509_check_time ( struct x509_certificate *cert, time_t time ) {
        struct x509_validity *validity = &cert->validity;
 
        /* Check validity period */
-       if ( validity->not_before.time > ( time + X509_ERROR_MARGIN_TIME ) ) {
+       if ( validity->not_before.time > ( time + TIMESTAMP_ERROR_MARGIN ) ) {
                DBGC ( cert, "X509 %p \"%s\" is not yet valid (at time %lld)\n",
                       cert, x509_name ( cert ), time );
                return -EACCES_EXPIRED;
        }
-       if ( validity->not_after.time < ( time - X509_ERROR_MARGIN_TIME ) ) {
+       if ( validity->not_after.time < ( time - TIMESTAMP_ERROR_MARGIN ) ) {
                DBGC ( cert, "X509 %p \"%s\" has expired (at time %lld)\n",
                       cert, x509_name ( cert ), time );
                return -EACCES_EXPIRED;

diff --git a/src/include/ipxe/x509.h b/src/include/ipxe/x509.h
index 52302aeab56bba9be40a136f2272a45ed40f92d6..c925472373b54dd8ceb7745306f6816bb857f77c 100644 (file)
--- a/src/include/ipxe/x509.h
+++ b/src/include/ipxe/x509.h
@@ -42,14 +42,6 @@ struct x509_validity {
        struct x509_time not_after;
 };
 
-/** Margin of error allowed in X.509 response times
- *
- * We allow a generous margin of error: 12 hours to allow for the
- * local time zone being non-GMT, plus 30 minutes to allow for general
- * clock drift.
- */
-#define X509_ERROR_MARGIN_TIME ( ( 12 * 60 + 30 ) * 60 )
-
 /** An X.509 certificate public key */
 struct x509_public_key {
        /** Raw public key information */