ms vs. seconds error in ticket lifetime check?
Matt Caswell
matt at openssl.org
Tue Feb 28 16:34:58 UTC 2023
It's a known master-only bug that I stumbled over myself independently
yesterday.
The fix is here:
https://github.com/openssl/openssl/pull/20387
It got its final approval earlier today, so should go in tomorrow.
Matt
On 28/02/2023 16:32, Stephen Farrell wrote:
>
> Hiya,
>
> I had problems with some ECH tests doing early data, part
> of which seems to be an underlying bug. Happy to create a
> PR to fix if this is right, but figured worth checking I
> wasn't getting something wrong first.
>
> The issue seems to be interpreting ticket lifetimes on the
> server in seconds when those are in ms, but then comparing
> that to a ms expiry, giving basically ~1s for using any
> ticket.
>
> The fix seems to be this change (top one working) in
> ssl/statem/extensions_srvr.c:
>
> < age = ossl_time_subtract(ossl_ms2time(ticket_agel),
> < ossl_ms2time(sess->ext.tick_age_add));
> ---
> > age = ossl_time_subtract(ossl_seconds2time(ticket_agel),
> > ossl_seconds2time(sess->ext.tick_age_add)
>
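Review bot: The second line of the lower pair, `ossl_seconds2time(sess->ext.tick_age_add)`, is missing its closing `);`, so that statement is incomplete as posted. The direction of the change also needs stating: the message calls the top pair the working one, which makes the `ossl_ms2time` lines the proposed result and the `ossl_seconds2time` lines the existing code, the reverse of the usual old-then-new reading of a `<`/`>` diff. A unified diff taken from the tree to the fixed file would remove that ambiguity. Because `ticket_agel` and `sess->ext.tick_age_add` both pass through the same conversion, a short comment at the assignment naming the unit (ms) would help keep it consistent with the ms expiry it is compared against.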
> As I say if that's right, happy to make a PR but it
> seems a bit odd that that'd not have been caught in
> tests. (Though maybe automated tests all run too
> quickly to hit the problem?)
>
> Cheers,
> S.