Improve comment and changelog

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt b/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt
index fba6f78..cebc2b7 100644
--- a/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt
+++ b/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt
@@ -1,6 +1,7 @@
 Bugfix
-    * Workaround #6623. That is time unit issue. The unit of ticket age is
-      seconds in MBedTLS and milliseconds in GnuTLS. If the real age is 10ms,
-      it might be 1s(1000ms), as a result, the age of MBedTLS is greater than
-      GnuTLS server. Reduce 1 if the age is greater than 1 second to workaround
-      it.
+    * In TLS 1.3, when using a ticket for session resumption, tweak its age
+      calculation on the client side. It prevents a server with more accurate
+      ticket timestamps (typically timestamps in milliseconds) compared to the
+      Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller
+      than the age computed and transmitted by the client and thus potentially
+      reject the ticket. Fix #6623.
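Review bot: the sentence starting "It prevents a server with more accurate ticket timestamps ... to compute a ticket age smaller than ..." is ungrammatical and too long to parse in one pass. "prevents ... from computing" is the correct construction, and "Fix #6623" should read "Fixes #6623". The entry also says only "tweak its age calculation" without saying what the tweak is. The removed text at least said "Reduce 1 if the age is greater than 1 second", so consider stating that the client now transmits an age one second lower when the computed age is non-zero, so readers of the ChangeLog can tell what changed in the value the client sends.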
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index b8ca482..1cd2ac5 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -947,12 +947,17 @@
         uint32_t obfuscated_ticket_age =
                                 (uint32_t)( now - session->ticket_received );
 
-        /* Workaround for anti replay fail of GnuTLS server.
-         *
-         * The time unit of ticket age is milliseconds, but current unit is
-         * seconds. If the ticket was received at the end of first second and
-         * sent in next second, GnuTLS think it is replay attack.
-         *
+        /*
+         * The ticket timestamp is in seconds but the ticket age is in
+         * milliseconds. If the ticket was received at the end of a second and
+         * re-used here just at the beginning of the next second, the computed
+         * age `now - session->ticket_received` is equal to 1s thus 1000 ms
+         * while the actual age could be just a few milliseconds or tens of
+         * milliseconds. If the server has more accurate ticket timestamps
+         * (typically timestamps in milliseconds), as part of the processing of
+         * the ClientHello, it may compute a ticket lifetime smaller than the
+         * one computed here and potentially reject the ticket. To avoid that,
+         * remove one second to the ticket age if possible.
          */
         if( obfuscated_ticket_age > 0 )
             obfuscated_ticket_age -= 1;
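Review bot: in the new comment, "it may compute a ticket lifetime smaller than the one computed here" should say "ticket age", matching the ChangeLog entry; the quantity being adjusted is the age, not the lifetime. "remove one second to the ticket age" should be "subtract one second from the ticket age". The comment states that the ticket age is in milliseconds, while `obfuscated_ticket_age -= 1` is applied to `now - session->ticket_received`, a difference of timestamps the comment describes as being in seconds, so it would help to say explicitly that the decrement happens while the value is still in seconds. The comment also documents only the over-estimate case: after the decrement the client can report an age up to one second lower than the real one, and one sentence stating why that direction is acceptable would record the assumption the workaround relies on.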