authorRob Percival <robpercival@google.com>2016-09-12 11:28:21 +0200
committerRich Salz <rsalz@openssl.org>2016-11-15 22:12:41 +0100
commit1871a5aa8a538c2b8ac3d302c1e9e72867f5ee0f (patch)
tree2822832d6d469ab7044b702f10eaee7dbe73a577 /crypto/ct
parentRemove obsolete error constant CT_F_CTLOG_NEW_NULL (diff)
Reword documentation for {SCT_CTX/CT_POLICY_EVAL_CTX}_set_time
Do not call the time "current", as a different time can be provided: for example, a time slightly in the future, to provide tolerance for CT logs with a clock that is running fast.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
Diffstat (limited to 'crypto/ct')
-rw-r--r--crypto/ct/ct_locl.h9
1 files changed, 5 insertions, 4 deletions
diff --git a/crypto/ct/ct_locl.h b/crypto/ct/ct_locl.h
index 4b5e344191..9f983c91be 100644
--- a/crypto/ct/ct_locl.h
+++ b/crypto/ct/ct_locl.h
@@ -155,10 +155,11 @@ __owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
__owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
/*
- * Sets the current time, in milliseconds since the Unix epoch.
- * The timestamp of the SCT will be compared to this, to check that it was not
- * issued in the future. RFC6962 states that "TLS clients MUST reject SCTs whose
- * timestamp is in the future", so SCT verification will fail in this case.
+ * Sets the time to evaluate the SCT against, in milliseconds since the Unix
+ * epoch. If the SCT's timestamp is after this time, it will be interpreted as
+ * having been issued in the future. RFC6962 states that "TLS clients MUST
+ * reject SCTs whose timestamp is in the future", so an SCT will not validate
+ * in this case.
*/
void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms);
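Review bot: The reworded comment above SCT_CTX_set_time() does not say which evaluation time applies when the setter is never called, and that decides whether the future-timestamp check rejects every SCT or is effectively skipped. The default is not visible in this hunk; if the field starts at zero, every SCT would be treated as issued in the future, and the comment should state that, e.g. ` * If no time has been set, <default behaviour, to be confirmed>.` The unit is also easy to get wrong, so a line such as ` * Note that this is milliseconds, not the seconds returned by time().` would help. Since the commit message suggests passing a time slightly in the future, the comment could add that any such tolerance widens the window in which post-dated SCTs are accepted and should be kept small.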