From 3e60cada5d4bf2980096cd4c222c6d884eae096b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 10 Jan 2023 14:58:08 +0800 Subject: [PATCH] Improve comment and changlog Signed-off-by: Jerry Yu --- .../workaround_gnutls_anti_replay_fail.txt | 11 ++++++----- library/ssl_tls13_client.c | 17 +++++++++++------ 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt b/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt index fba6f78401..cebc2b7ef4 100644 --- a/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt +++ b/ChangeLog.d/workaround_gnutls_anti_replay_fail.txt @@ -1,6 +1,7 @@ Bugfix - * Workaround #6623. That is time unit issue. The unit of ticket age is - seconds in MBedTLS and milliseconds in GnuTLS. If the real age is 10ms, - it might be 1s(1000ms), as a result, the age of MBedTLS is greater than - GnuTLS server. Reduce 1 if the age is greater than 1 second to workaround - it. + * In TLS 1.3, when using a ticket for session resumption, tweak its age + calculation on the client side. It prevents a server with more accurate + ticket timestamps (typically timestamps in milliseconds) compared to the + Mbed TLS ticket timestamps (in seconds) to compute a ticket age smaller + than the age computed and transmitted by the client and thus potentially + reject the ticket. Fix #6623. diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index b8ca482b8c..1cd2ac5752 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -947,12 +947,17 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( uint32_t obfuscated_ticket_age = (uint32_t)( now - session->ticket_received ); - /* Workaround for anti replay fail of GnuTLS server. - * - * The time unit of ticket age is milliseconds, but current unit is - * seconds. If the ticket was received at the end of first second and - * sent in next second, GnuTLS think it is replay attack. - * + /* + * The ticket timestamp is in seconds but the ticket age is in + * milliseconds. If the ticket was received at the end of a second and + * re-used here just at the beginning of the next second, the computed + * age `now - session->ticket_received` is equal to 1s thus 1000 ms + * while the actual age could be just a few milliseconds or tens of + * milliseconds. If the server has more accurate ticket timestamps + * (typically timestamps in milliseconds), as part of the processing of + * the ClientHello, it may compute a ticket lifetime smaller than the + * one computed here and potentially reject the ticket. To avoid that, + * remove one second to the ticket age if possible. */ if( obfuscated_ticket_age > 0 ) obfuscated_ticket_age -= 1;