Export server-side ticket_age skew.

We'll measure this value to guide what tolerance to use in the 0-RTT anti-replay mechanism. This also fixes a bug where we were previously minting ticket_age_add-less tickets on the server. Add a check to reject all those tickets.

BUG=113

Change-Id: I68e690c0794234234e0d0500b4b9a7f79aea641e
Reviewed-on: https://boringssl-review.googlesource.com/14068
Reviewed-by: Steven Valdez <svaldez@google.com>
Commit-Queue: Steven Valdez <svaldez@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 856fba2..b207e92 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c
@@ -2557,6 +2557,10 @@ ctx->grease_enabled = !!enabled; } +int32_t SSL_get_ticket_age_skew(const SSL *ssl) { + return ssl->s3->ticket_age_skew; +} + int SSL_clear(SSL *ssl) { /* In OpenSSL, reusing a client |SSL| with |SSL_clear| causes the previously * established session to be offered the next time around. wpa_supplicant
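Review bot: the new accessor `SSL_get_ticket_age_skew` in this hunk returns `ssl->s3->ticket_age_skew` with no documentation of units or sign convention, and the public declaration in include/openssl/ssl.h is not part of the visible diff; since the commit message says the value is meant to be measured to pick a 0-RTT anti-replay tolerance, the header comment should state the units (milliseconds vs. seconds) and whether a positive value means the client's reported ticket age ran ahead of or behind the server's own clock. It should also define what the function returns before any resumption has been attempted on the connection and, given that it is placed directly above `SSL_clear`, whether `SSL_clear` resets the field so a stale value from a previous handshake on a reused `SSL` is not exported.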