From af1b6284119b22adc311facd7c808a6dac0c561e Mon Sep 17 00:00:00 2001
From: James Mayclin
Date: Wed, 12 Jun 2024 23:09:48 +0000
Subject: [PATCH 1/2] fix(s2n_session_ticket_test): correct clock mocking
---
 tests/unit/s2n_session_ticket_test.c | 9 +++++----
 tls/s2n_resume.c | 6 +++++-
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/tests/unit/s2n_session_ticket_test.c b/tests/unit/s2n_session_ticket_test.c
index 460df185a94..470d72fdbfa 100644
--- a/tests/unit/s2n_session_ticket_test.c
+++ b/tests/unit/s2n_session_ticket_test.c
@@ -1241,6 +1241,11 @@ int main(int argc, char **argv)
 if (s2n_is_tls13_fully_supported()) {
 struct s2n_config *config = s2n_config_new();
 EXPECT_NOT_NULL(config);
+
+ /* Freeze time */
+ POSIX_GUARD(config->wall_clock(config->sys_clock_ctx, &now));
+ EXPECT_OK(s2n_config_mock_wall_clock(config, &now));
+
 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, ecdsa_chain_and_key));
 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
@@ -1248,10 +1253,6 @@ int main(int argc, char **argv)
 ticket_key1, s2n_array_len(ticket_key1), 0));
 EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default_tls13"));
 
- /* Freeze time */
- POSIX_GUARD(config->wall_clock(config->sys_clock_ctx, &now));
- EXPECT_OK(s2n_config_mock_wall_clock(config, &now));
-
 /* Send one NewSessionTicket */
 cb_session_data_len = 0;
 EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(config, s2n_test_session_ticket_callback, NULL));
diff --git a/tls/s2n_resume.c b/tls/s2n_resume.c
index 812fe114040..c75028c3752 100644
--- a/tls/s2n_resume.c
+++ b/tls/s2n_resume.c
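Review bot: The moved block does not say why the clock now has to be frozen before the ticket key is registered, and the bare `/* Freeze time */` comment will not stop someone from moving it back. The companion change in tls/s2n_resume.c only selects a key when `key_intro_time <= now`, so freezing after the key-add call (whose arguments appear in the second hunk's context) presumably leaves the key's intro timestamp later than the mocked `now`; I'd extend the comment to `/* Freeze time before adding ticket keys so the key intro timestamp is not later than the mocked clock */`. Since the lines are being moved anyway, `EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, &now));` would report a clock failure through the test harness like the surrounding EXPECT_* calls, whereas `POSIX_GUARD` just returns from main. The second hunk is the matching removal of the old block; main continues outside both hunks.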
@@ -710,7 +710,11 @@ struct s2n_ticket_key *s2n_get_ticket_encrypt_decrypt_key(struct s2n_config *con
 PTR_GUARD_RESULT(s2n_set_get(config->ticket_keys, idx, (void **) &ticket_key));
 uint64_t key_intro_time = ticket_key->intro_timestamp;
 
- if (key_intro_time < now
+ /**
+ * A key can be used at it's intro time (<=) and it can be used up to (<)
+ * it's expiration.
+ */
+ if (key_intro_time <= now
 && now < key_intro_time + config->encrypt_decrypt_key_lifetime_in_nanos) {
 encrypt_decrypt_keys_index[num_encrypt_decrypt_keys] = idx;
 num_encrypt_decrypt_keys++;
From 2d7dbe17c0d0cfd990e660ea5b1c4fe0ed74514c Mon Sep 17 00:00:00 2001
From: James Mayclin
Date: Thu, 13 Jun 2024 13:58:34 -0700
Subject: [PATCH 2/2] Update tls/s2n_resume.c
Co-authored-by: Lindsay Stewart
---
 tls/s2n_resume.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/tls/s2n_resume.c b/tls/s2n_resume.c
index c75028c3752..2c4ae497e60 100644
--- a/tls/s2n_resume.c
+++ b/tls/s2n_resume.c
@@ -710,9 +710,8 @@ struct s2n_ticket_key *s2n_get_ticket_encrypt_decrypt_key(struct s2n_config *con
 PTR_GUARD_RESULT(s2n_set_get(config->ticket_keys, idx, (void **) &ticket_key));
 uint64_t key_intro_time = ticket_key->intro_timestamp;
 
- /**
- * A key can be used at it's intro time (<=) and it can be used up to (<)
- * it's expiration.
+ /* A key can be used at its intro time (<=) and it can be used up to (<)
+ * its expiration time.
 */
 if (key_intro_time <= now
 && now < key_intro_time + config->encrypt_decrypt_key_lifetime_in_nanos) {
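Review bot: The upper bound `now < key_intro_time + config->encrypt_decrypt_key_lifetime_in_nanos` is an unsigned 64-bit addition that wraps if `intro_timestamp` is very large, and the intro time appears to come from the caller when the key is registered (the trailing argument of the test's key-add call), so it is not guaranteed to be near the current time; a wrapped sum would make the window check pass for a key that should be out of range. Once `key_intro_time <= now` holds, the same window can be written without the addition as `now - key_intro_time < config->encrypt_decrypt_key_lifetime_in_nanos`, which cannot wrap. The `<=` on the lower bound is consistent with the test now freezing the clock before the key is added. s2n_get_ticket_encrypt_decrypt_key starts and ends outside the hunk.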
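Review bot: The reworded comment says "its expiration time", but the bound the code applies is `key_intro_time + config->encrypt_decrypt_key_lifetime_in_nanos`, i.e. the end of the key's encrypt/decrypt window, which the field name suggests is distinct from any longer decrypt-only lifetime the key may have. Naming that window avoids a reader equating it with the key's overall expiry: `/* A key can be used at its intro time (<=) and up to (<) the end of its encrypt/decrypt lifetime (intro + encrypt_decrypt_key_lifetime_in_nanos). */`. The enclosing function starts and ends outside the hunk.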