Merge pull request #6787 from yuhaoth/pr/workaround-gnutls_anti_replay_fail

TLS 1.3: EarlyData: Workaround anti replay fail from GnuTLS
2023-01-11 09:05:36 +01:00 · 2023-01-11 09:05:36 +01:00 · 83c5ad4873
commit 83c5ad4873
parent 3900bddd77 3e60cada5d
5 changed files with 33 additions and 14 deletions
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -946,6 +946,21 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
        uint32_t obfuscated_ticket_age =
                                (uint32_t)( now - session->ticket_received );

+        /*
+         * The ticket timestamp is in seconds but the ticket age is in
+         * milliseconds. If the ticket was received at the end of a second and
+         * re-used here just at the beginning of the next second, the computed
+         * age `now - session->ticket_received` is equal to 1s thus 1000 ms
+         * while the actual age could be just a few milliseconds or tens of
+         * milliseconds. If the server has more accurate ticket timestamps
+         * (typically timestamps in milliseconds), as part of the processing of
+         * the ClientHello, it may compute a ticket lifetime smaller than the
+         * one computed here and potentially reject the ticket. To avoid that,
+         * remove one second to the ticket age if possible.
+         */
+        if( obfuscated_ticket_age > 0 )
+            obfuscated_ticket_age -= 1;
+
        obfuscated_ticket_age *= 1000;
        obfuscated_ticket_age += session->ticket_age_add;