ms vs. seconds error in ticket lifetime check?

Stephen Farrell stephen.farrell at cs.tcd.ie
Tue Feb 28 16:37:52 UTC 2023


Hiya,

On 28/02/2023 16:34, Matt Caswell wrote:
> It's a known master-only bug that I stumbled over myself independently 
> yesterday.

Ah great.

Cheers,
S.

> 
> The fix is here:
> 
> https://github.com/openssl/openssl/pull/20387
> 
> It got its final approval earlier today, so should go in tomorrow.
> 
> Matt
> 
> 
> On 28/02/2023 16:32, Stephen Farrell wrote:
>>
>> Hiya,
>>
>> I had problems with some ECH tests doing early data, part
>> of which seems to be an underlying bug. Happy to create a
>> PR to fix if this is right, but figured worth checking I
>> wasn't getting something wrong first.
>>
>> The issue seems to be interpreting ticket lifetimes on the
>> server in seconds when those are in ms, but then comparing
>> that to a ms expiry, giving basically ~1s for using any
>> ticket.
>>
>> The fix seems to be this change (top one working) in
>> ssl/statem/extensions_srvr.c:
>>
>>     <             age = ossl_time_subtract(ossl_ms2time(ticket_agel),
>>     < ossl_ms2time(sess->ext.tick_age_add));
>>     ---
>>     >             age = 
>> ossl_time_subtract(ossl_seconds2time(ticket_agel),
>>     > ossl_seconds2time(sess->ext.tick_age_add)
>>
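
Review bot: this needs a regression test that resumes with a ticket more than a second old, because the difference between the `ossl_ms2time` lines and the `ossl_seconds2time` lines only shows once measurable time has passed between ticket issue and reuse. For the PR, send it as a unified diff against master: here the working code is on the `<` side, the reverse of the usual old/new order, and the final `>` line stops before the closing `);`.
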
>> As I say if that's right, happy to make a PR but it
>> seems a bit odd that that'd not have been caught in
>> tests. (Though maybe automated tests all run too
>> quickly to hit the problem?)
>>
>> Cheers,
>> S.
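
A simplified model of the unit mismatch discussed in the message above, as an added example that is not part of the thread and is not OpenSSL's code: the function names, the 10-second tolerance and the sample values are assumptions. It shows why a test that reuses a ticket within a few milliseconds still passes when the age is misread as seconds, while any realistic delay fails.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a TLS 1.3 ticket age check; not OpenSSL code.
 * All names and the tolerance below are assumptions for illustration. */
#define AGE_TOLERANCE_MS 10000u

/* Client: obfuscated age = age in ms + ticket_age_add, modulo 2^32. */
static uint32_t obfuscate_age(uint32_t age_ms, uint32_t age_add)
{
    return age_ms + age_add; /* uint32_t arithmetic wraps modulo 2^32 */
}

/* Server: undo the obfuscation, then scale the result to milliseconds.
 * unit_ms is 1 when the value is read as ms (correct), 1000 when it is
 * misread as seconds (the unit bug). */
static uint64_t client_age_ms(uint32_t obf, uint32_t age_add, uint32_t unit_ms)
{
    return (uint64_t)(uint32_t)(obf - age_add) * unit_ms;
}

/* Accept if the ticket is inside its lifetime and the client's age
 * agrees with the server's own clock within the tolerance. */
static bool ticket_fresh(uint64_t client_ms, uint64_t server_ms, uint32_t lifetime_s)
{
    uint64_t diff = client_ms > server_ms ? client_ms - server_ms
                                          : server_ms - client_ms;
    return client_ms <= (uint64_t)lifetime_s * 1000u && diff <= AGE_TOLERANCE_MS;
}

/* Reuse a ticket real_age_ms after issue; sample values are constructed. */
static bool resume_ok(uint32_t real_age_ms, bool seconds_bug)
{
    const uint32_t age_add = 0xFFFFFF00u; /* near 2^32 so the sum wraps */
    uint32_t obf = obfuscate_age(real_age_ms, age_add);
    uint64_t age = client_age_ms(obf, age_add, seconds_bug ? 1000u : 1u);
    return ticket_fresh(age, real_age_ms, 7200u);
}

int main(void)
{
    const uint32_t ages[] = { 5, 500, 5000, 600000 };
    for (size_t i = 0; i < sizeof ages / sizeof ages[0]; i++)
        printf("age %6u ms: ms-units=%d seconds-units=%d\n", (unsigned)ages[i],
               resume_ok(ages[i], false), resume_ok(ages[i], true));
    return 0;
}
```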