author | Matt Caswell <matt@openssl.org> | 2023-02-27 11:18:26 +0000 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2023-03-01 13:04:14 +1100 |
commit | 0513a38364a7a45c946fdd8f7d87b8a3ae01ffbb (patch) | |
tree | af7d78d148f354dcf3067d00b9913fa12f8f0aca /ssl/statem | |
parent | 3307338e26862070eaacad6ec7537a63a63b8a90 (diff) | |
download | openssl-new-0513a38364a7a45c946fdd8f7d87b8a3ae01ffbb.tar.gz |
Fix early_data age calculation
The ticket_age/age_add values use ms granularity. We were incorrectly
treating them as seconds and so the ticket was always being rejected for
early data. We also clarify a comment which could have been the source of
the confusion.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20387)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/extensions_srvr.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index a0a48e405f..ff1f2a77e0 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1155,16 +1155,18 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, continue; } - age = ossl_time_subtract(ossl_seconds2time(ticket_agel), - ossl_seconds2time(sess->ext.tick_age_add)); + age = ossl_time_subtract(ossl_ms2time(ticket_agel), + ossl_ms2time(sess->ext.tick_age_add)); t = ossl_time_subtract(ossl_time_now(), sess->time); /* - * Beause we use second granuality, it could appear that - * the client's ticket age is longer than ours (our ticket - * age calculation should always be slightly longer than the - * client's due to the network latency). Therefore we add - * 1000ms to our age calculation to adjust for rounding errors. + * Although internally we use OSS_TIME which has ns granularity, + * when SSL_SESSION structures are serialised/deserialised we use + * second granularity for the sess->time field. Therefore it could + * appear that the client's ticket age is longer than ours (our + * ticket age calculation should always be slightly longer than the + * client's due to the network latency). Therefore we add 1000ms to + * our age calculation to adjust for rounding errors. */ expire = ossl_time_add(t, ossl_ms2time(1000)); |
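
Review bot: in the `age` computation, `ticket_agel` and `sess->ext.tick_age_add` are each widened with `ossl_ms2time()` before `ossl_time_subtract()`, so the subtraction no longer happens on the 32-bit wire values. RFC 8446 defines obfuscated_ticket_age as the ticket age plus ticket_age_add modulo 2^32, so when the sum wraps, `ticket_agel` is numerically smaller than `tick_age_add` and the true age is only recovered by subtracting modulo 2^32 first and converting the result with `ossl_ms2time()` afterwards. Please confirm what `ossl_time_subtract()` returns in that case, or do the subtraction on the 32-bit values before the conversion. Separately, the rewritten comment says `OSS_TIME`, while the helpers in this hunk use the `ossl_time_` prefix, so this reads as a typo for `OSSL_TIME`; the comment also has two consecutive sentences starting with "Therefore", and the second could simply begin "We add 1000ms ...".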