yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix various issues

Browse source 
- Naming
- format
- Reduce negative tolerance window

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-09-14 22:31:39 +08:00
parent acff823846
commit f7dad3cfbe
2 changed files with 17 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
library/ssl_tls13_client.c
View file

@ -665,9 +665,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
return ( 0 );
}
/* Check if we have any PSK to offer, returns 0 if PSK is available.
* Assign the psk and ticket if pointers are present.
*/
/* Check if we have any PSK to offer, returns 0 if a PSK is available. */
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_get_psk_to_offer(
const mbedtls_ssl_context *ssl,
@ -810,12 +808,10 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
{
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t now = mbedtls_time( NULL );
uint64_t age_in_ms =
( now - ssl->session_negotiate->ticket_received ) * 1000;
obfuscated_ticket_age =
(uint32_t)( ( age_in_ms + ssl->session_negotiate->ticket_age_add )
& ( ( 1LL << 32 ) - 1 ) );
( (uint32_t)( now - ssl->session_negotiate->ticket_received ) * 1000 )
+ ssl->session_negotiate->ticket_age_add;
#endif
}
else

23
library/ssl_tls13_server.c
View file

@ -137,7 +137,7 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t now;
uint64_t age_in_s;
int64_t diff_in_ms;
int64_t age_diff_in_ms;
#endif
((void) obfuscated_ticket_age);
@ -183,7 +183,6 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
#if defined(MBEDTLS_HAVE_TIME)
now = mbedtls_time( NULL );
ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
if( now < session->start )
{
MBEDTLS_SSL_DEBUG_MSG(
@ -220,15 +219,20 @@ static int ssl_tls13_offered_psks_check_identity_match_ticket(
* the ticket age for the selected PSK identity (computed by subtracting
* ticket_age_add from PskIdentity.obfuscated_ticket_age modulo 2^32) is
* within a small tolerance of the time since the ticket was issued.
*
* NOTE: When `now == session->start`, `age_diff_in_ms` will get a negative
* result. That's reasonable, the age units are different between
* server and client sides. Add a -1000 tolerance window to resolve
* that.
*/
diff_in_ms = age_in_s * 1000;
diff_in_ms -= ( obfuscated_ticket_age - session->ticket_age_add );
diff_in_ms += MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE / 2;
if( diff_in_ms < 0 || diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE )
age_diff_in_ms = age_in_s * 1000;
age_diff_in_ms -= ( obfuscated_ticket_age - session->ticket_age_add );
if( age_diff_in_ms <= -1000 ||
age_diff_in_ms > MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE )
{
MBEDTLS_SSL_DEBUG_MSG(
3, ( "Ticket expired: Ticket age outside tolerance window "
"( diff=%d )", (int)diff_in_ms ) );
"( diff=%d )", (int)age_diff_in_ms ) );
goto exit;
}
@ -264,7 +268,7 @@ static int ssl_tls13_offered_psks_check_identity_match(
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if( ssl_tls13_offered_psks_check_identity_match_ticket(
ssl, identity, identity_len, obfuscated_ticket_age,
(mbedtls_ssl_session *)session ) == SSL_TLS1_3_OFFERED_PSK_MATCH )
session ) == SSL_TLS1_3_OFFERED_PSK_MATCH )
{
mbedtls_ssl_session *i_session=(mbedtls_ssl_session *)session;
ssl->handshake->resume = 1;
@ -626,7 +630,8 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
{
ret = ssl_tls13_session_copy_ticket(ssl->session_negotiate, &session );
ret = ssl_tls13_session_copy_ticket( ssl->session_negotiate,
&session );
mbedtls_ssl_session_free( &session );
if( ret != 0 )
return( ret );