From: Matt Caswell
Date: Mon, 27 Feb 2023 11:18:26 +0000 (+0000)
Subject: Fix early_data age calculation
X-Git-Tag: openssl-3.2.0-alpha1~1216
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0513a38364a7a45c946fdd8f7d87b8a3ae01ffbb;p=thirdparty%2Fopenssl.git

Fix early_data age calculation

The ticket_age/age_add values use ms granularity. We were incorrectly treating them as seconds and so the ticket was always being rejected for early data.

We also clarify a comment which could have been the source of the confusion.

Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/20387)
---

diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index a0a48e405fb..ff1f2a77e06 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1155,16 +1155,18 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, continue; } - age = ossl_time_subtract(ossl_seconds2time(ticket_agel), - ossl_seconds2time(sess->ext.tick_age_add)); + age = ossl_time_subtract(ossl_ms2time(ticket_agel), + ossl_ms2time(sess->ext.tick_age_add)); t = ossl_time_subtract(ossl_time_now(), sess->time); /* - * Beause we use second granuality, it could appear that - * the client's ticket age is longer than ours (our ticket - * age calculation should always be slightly longer than the - * client's due to the network latency). Therefore we add - * 1000ms to our age calculation to adjust for rounding errors. + * Although internally we use OSS_TIME which has ns granularity, + * when SSL_SESSION structures are serialised/deserialised we use + * second granularity for the sess->time field. Therefore it could + * appear that the client's ticket age is longer than ours (our + * ticket age calculation should always be slightly longer than the + * client's due to the network latency). Therefore we add 1000ms to + * our age calculation to adjust for rounding errors. */ expire = ossl_time_add(t, ossl_ms2time(1000));
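Review bot: The new `age = ossl_time_subtract(ossl_ms2time(ticket_agel), ossl_ms2time(sess->ext.tick_age_add))` subtracts only after both values have been widened to OSSL_TIME, which loses the modulo 2^32 arithmetic that RFC 8446 specifies for the obfuscated ticket age (age in milliseconds plus ticket_age_add, mod 2^32). Whenever that sum wrapped on the client, ticket_agel is numerically smaller than tick_age_add and this subtraction cannot recover the real age. Consider subtracting in 32-bit unsigned arithmetic first and passing the single result to ossl_ms2time(). In the rewritten comment, "OSS_TIME" should read "OSSL_TIME". Since the commit message says the ticket was always rejected for early data, a regression test that resumes with a ticket and asserts early data is accepted would keep the unit mix-up from coming back.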