From 392f714153d31b10634831df6f522eb05d57f8fc Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 17 Aug 2022 11:19:41 +0100 Subject: [PATCH 1/3] Fix type used for capturing TLS ticket generation time Signed-off-by: Dave Rodgman --- include/mbedtls/ssl_ticket.h | 3 ++- library/ssl_ticket.c | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h index 98fd28707..fc86542c1 100644 --- a/include/mbedtls/ssl_ticket.h +++ b/include/mbedtls/ssl_ticket.h @@ -33,6 +33,7 @@ #include "mbedtls/ssl.h" #include "mbedtls/cipher.h" +#include "mbedtls/platform_time.h" #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" @@ -56,7 +57,7 @@ typedef struct mbedtls_ssl_ticket_key { unsigned char MBEDTLS_PRIVATE(name)[MBEDTLS_SSL_TICKET_KEY_NAME_BYTES]; /*!< random key identifier */ - uint32_t MBEDTLS_PRIVATE(generation_time); /*!< key generation timestamp (seconds) */ + mbedtls_time_t MBEDTLS_PRIVATE(generation_time); /*!< key generation timestamp (seconds) */ #if !defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_cipher_context_t MBEDTLS_PRIVATE(ctx); /*!< context for auth enc/decryption */ #else diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index 28c4d3e55..cdccf2e17 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -79,7 +79,7 @@ static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx, #endif #if defined(MBEDTLS_HAVE_TIME) - key->generation_time = (uint32_t) mbedtls_time( NULL ); + key->generation_time = mbedtls_time( NULL ); #endif if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 ) 
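Review bot: `key->generation_time = mbedtls_time( NULL );` in the ssl_ticket_gen_key hunk stores the clock value unchecked, and if the platform's mbedtls_time reports failure the way `time()` does, with `(mbedtls_time_t)-1`, that sentinel is now kept as -1 in the signed field where the old `(uint32_t)` cast turned it into 0xFFFFFFFF. Either value makes the key look older than any realistic ticket_lifetime, so the age check in ssl_ticket_update_keys falls through to rotation rather than accepting a stale key, but that is an accident of the comparison and deserves a comment at the store: `/* -1 from a failed mbedtls_time() makes the key look expired, so it is rotated on next use */`. The same unchecked store is in the @@ -204 hunk of mbedtls_ssl_ticket_rotate, and the @@ -122 hunk reads mbedtls_time the same way. ssl_ticket_gen_key begins and ends outside the hunk.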
@@ -122,8 +122,8 @@ static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx ) #else if( ctx->ticket_lifetime != 0 ) { - uint32_t current_time = (uint32_t) mbedtls_time( NULL ); - uint32_t key_time = ctx->keys[ctx->active].generation_time; + mbedtls_time_t current_time = mbedtls_time( NULL ); + mbedtls_time_t key_time = ctx->keys[ctx->active].generation_time; #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -204,7 +204,7 @@ int mbedtls_ssl_ticket_rotate( mbedtls_ssl_ticket_context *ctx, ctx->ticket_lifetime = lifetime; memcpy( key->name, name, TICKET_KEY_NAME_BYTES ); #if defined(MBEDTLS_HAVE_TIME) - key->generation_time = (uint32_t) mbedtls_time( NULL ); + key->generation_time = mbedtls_time( NULL ); #endif return 0; } From 536f28c89258ea2be13bf8cd4bc64807a4090d2a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 17 Aug 2022 14:20:36 +0100 Subject: [PATCH 2/3] Respect MBEDTLS_HAVE_TIME in ssl_ticket Make use of ticket generation time and associated fields conditional on MBEDTLS_HAVE_TIME, to avoid compile errors on baremetal. Signed-off-by: Dave Rodgman --- include/mbedtls/ssl_ticket.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h index fc86542c1..b8a8a246f 100644 --- a/include/mbedtls/ssl_ticket.h +++ b/include/mbedtls/ssl_ticket.h @@ -33,7 +33,10 @@ #include "mbedtls/ssl.h" #include "mbedtls/cipher.h" + +#if defined(MBEDTLS_HAVE_TIME) #include "mbedtls/platform_time.h" +#endif #if defined(MBEDTLS_USE_PSA_CRYPTO) #include "psa/crypto.h" 
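Review bot: The `#else` branch in the ssl_ticket_update_keys hunk now does its age arithmetic in `mbedtls_time_t`, a platform-defined type whose width and signedness are not visible here, and the branch carries no comment saying what it decides; the `#if` this `#else` pairs with is outside the hunk (presumably `MBEDTLS_HAVE_TIME`), so a reader cannot tell from the hunk alone why `current_time` and `key_time` exist. Suggest a comment above the two declarations: `/* Rotate the active key once it is older than ticket_lifetime; a clock that moved backwards also triggers rotation */`, where the second clause reflects the `current_time >= key_time` guard visible in the patch 3 hunk and should be confirmed against the full function. ssl_ticket_update_keys starts and ends outside the hunk.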
@@ -57,7 +60,9 @@ typedef struct mbedtls_ssl_ticket_key { unsigned char MBEDTLS_PRIVATE(name)[MBEDTLS_SSL_TICKET_KEY_NAME_BYTES]; /*!< random key identifier */ +#if defined(MBEDTLS_HAVE_TIME) mbedtls_time_t MBEDTLS_PRIVATE(generation_time); /*!< key generation timestamp (seconds) */ +#endif #if !defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_cipher_context_t MBEDTLS_PRIVATE(ctx); /*!< context for auth enc/decryption */ #else From 86c333e79ee9bcbe35d5acff2e2d6e1ba242e529 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 17 Aug 2022 16:57:26 +0100 Subject: [PATCH 3/3] Add explicit cast to satisfy compiler Signed-off-by: Dave Rodgman --- library/ssl_ticket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index cdccf2e17..359686afa 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -130,7 +130,7 @@ static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx ) #endif if( current_time >= key_time && - current_time - key_time < ctx->ticket_lifetime ) + (uint64_t) ( current_time - key_time ) < ctx->ticket_lifetime ) { return( 0 ); }
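Review bot: The cast in `(uint64_t) ( current_time - key_time ) < ctx->ticket_lifetime` (the @@ -130 hunk) relies on the `current_time >= key_time` test on the previous line to keep the subtraction non-negative, and on `mbedtls_time_t` being no wider than 64 bits, but neither assumption is recorded at the site; a later reader may drop the guard as redundant or widen the time type without noticing the dependency. Suggest `/* non-negative by the guard above; assumes mbedtls_time_t is at most 64 bits */` on the cast line. Since `mbedtls_time_t` is under the platform-time abstraction introduced in patch 1 and may be overridden by the integrator, the comment is what ties the cast to the type. ssl_ticket_update_keys starts and ends outside the hunk.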