diff options
-rw-r--r-- | crypto/ct/ct_policy.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/crypto/ct/ct_policy.c b/crypto/ct/ct_policy.c index 1bc22749d3..adee331366 100644 --- a/crypto/ct/ct_policy.c +++ b/crypto/ct/ct_policy.c @@ -17,6 +17,12 @@ #include "ct_locl.h" +// Number of seconds in the future that an SCT timestamp can be, by default, +// without being considered invalid. This is added to time() when setting a +// default value for CT_POLICY_EVAL_CTX.epoch_time_in_ms. +// It can be overridden by calling CT_POLICY_EVAL_CTX_set_time(). +static const time_t SCT_CLOCK_DRIFT_TOLERANCE = 300; + CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void) { CT_POLICY_EVAL_CTX *ctx = OPENSSL_zalloc(sizeof(CT_POLICY_EVAL_CTX)); @@ -27,7 +33,7 @@ CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void) } // time(NULL) shouldn't ever fail, so don't bother checking for -1. - ctx->epoch_time_in_ms = time(NULL) * 1000; + ctx->epoch_time_in_ms = (time(NULL) + SCT_CLOCK_DRIFT_TOLERANCE) * 1000; return ctx; } |