commit 35ac5b7500f4beb3061e6da48adb112e3067501b
author David Benjamin <davidben@google.com> Fri Mar 03 15:05:56 2017 -0500
committer CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org> Wed Mar 08 14:59:01 2017 +0000
tree 44cf6f31b5d5aa0ccad69656368ed6f8eaa5ca17
parent fe36672bf5baa3d407be2a6fb61ed9d9c1cc6dc4

Export server-side ticket_age skew.

We'll measure this value to guide what tolerance to use in the 0-RTT
anti-replay mechanism. This also fixes a bug where we were previously
minting ticket_age_add-less tickets on the server. Add a check to reject
all those tickets.

BUG=113

Change-Id: I68e690c0794234234e0d0500b4b9a7f79aea641e
Reviewed-on: https://boringssl-review.googlesource.com/14068
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>

include/openssl/ssl.h

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index c938a41..2446f8e 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -3223,6 +3223,11 @@
  * record with |ssl|. */
 OPENSSL_EXPORT size_t SSL_max_seal_overhead(const SSL *ssl);
 
+/* SSL_get_ticket_age_skew returns the difference, in seconds, between the
+ * client-sent ticket age and the server-computed value in TLS 1.3 server
+ * connections which resumed a session. */
+OPENSSL_EXPORT int32_t SSL_get_ticket_age_skew(const SSL *ssl);
+
 
 /* Deprecated functions. */