change time unit of ticket to milliseconds
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index b418ee6..8bcb0e4 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -111,9 +111,10 @@
unsigned char *ticket_buffer;
unsigned int key_exchanges;
#if defined(MBEDTLS_HAVE_TIME)
- mbedtls_time_t now;
- uint64_t age_in_s;
- int64_t age_diff_in_ms;
+ mbedtls_ms_time_t now;
+ mbedtls_ms_time_t server_age;
+ mbedtls_ms_time_t client_age;
+ mbedtls_ms_time_t age_diff;
#endif
((void) obfuscated_ticket_age);
@@ -190,17 +191,16 @@
ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
#if defined(MBEDTLS_HAVE_TIME)
- now = mbedtls_time(NULL);
+ now = mbedtls_ms_time();
if (now < session->start) {
MBEDTLS_SSL_DEBUG_MSG(
- 3, ("Invalid ticket start time ( now=%" MBEDTLS_PRINTF_LONGLONG
- ", start=%" MBEDTLS_PRINTF_LONGLONG " )",
- (long long) now, (long long) session->start));
+ 3, ("Invalid ticket start time ( now=%" MBEDTLS_PRINTF_MS_TIME
+ ", start=%" MBEDTLS_PRINTF_MS_TIME " )", now, session->start));
goto exit;
}
- age_in_s = (uint64_t) (now - session->start);
+ server_age = now - session->start;
/* RFC 8446 section 4.6.1
*
@@ -213,10 +213,10 @@
*
* For time being, the age MUST be less than 604800 seconds (7 days).
*/
- if (age_in_s > 604800) {
+ if (server_age > 604800*1000) {
MBEDTLS_SSL_DEBUG_MSG(
- 3, ("Ticket age exceeds limitation ticket_age=%lu",
- (long unsigned int) age_in_s));
+ 3, ("Ticket age exceeds limitation ticket_age=%" MBEDTLS_PRINTF_MS_TIME,
+ server_age));
goto exit;
}
@@ -227,18 +227,19 @@
* ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
* within a small tolerance of the time since the ticket was issued.
*
- * NOTE: When `now == session->start`, `age_diff_in_ms` may be negative
- * as the age units are different on the server (s) and in the
- * client (ms) side. Add a -1000 ms tolerance window to take this
- * into account.
+ * NOTE: Typical crystal RTC accuracy specifications are from ±100 to ±20
+ * parts per million (360 to 72 million seconds per hour). Defualt
+ * tolerance windows is 6000 millionsections, that means client host
+ * MUST sync up system time every 16 hours. Otherwise, the ticket will
+ * be invalid.
*/
- age_diff_in_ms = age_in_s * 1000;
- age_diff_in_ms -= (obfuscated_ticket_age - session->ticket_age_add);
- if (age_diff_in_ms <= -1000 ||
- age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {
+ client_age = obfuscated_ticket_age - session->ticket_age_add;
+ age_diff = server_age - client_age;
+ if (age_diff < -1000 ||
+ age_diff > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE) {
MBEDTLS_SSL_DEBUG_MSG(
- 3, ("Ticket age outside tolerance window ( diff=%d )",
- (int) age_diff_in_ms));
+ 3, ("Ticket age outside tolerance window ( diff=%" MBEDTLS_PRINTF_MS_TIME ")",
+ age_diff));
goto exit;
}
@@ -2877,7 +2878,7 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("=> prepare NewSessionTicket msg"));
#if defined(MBEDTLS_HAVE_TIME)
- session->start = mbedtls_time(NULL);
+ session->start = mbedtls_ms_time();
#endif
/* Set ticket_flags depends on the advertised psk key exchange mode */