From 1bc19494f8f371e2e1f111a74cc1315836588b33 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda
Date: Mon, 5 Dec 2016 17:41:00 -0500
Subject: [PATCH] tris: tolerate NSS sending obfuscated_ticket_age as seconds
---
 13.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/13.go b/13.go
index 9d2f57a..442545d 100644
--- a/13.go
+++ b/13.go
@@ -437,7 +437,11 @@ func (hs *serverHandshakeState) checkPSK() (earlySecret []byte, ok bool) {
 clientAge := time.Duration(hs.clientHello.psks[i].obfTicketAge-s.ageAdd) * time.Millisecond
 serverAge := time.Since(time.Unix(int64(s.createdAt), 0))
 if clientAge-serverAge > ticketAgeSkewAllowance || clientAge-serverAge < -ticketAgeSkewAllowance {
- continue
+ // XXX: NSS is off spec and sends obfuscated_ticket_age as seconds
+ clientAge = time.Duration(hs.clientHello.psks[i].obfTicketAge-s.ageAdd) * time.Second
+ if clientAge-serverAge > ticketAgeSkewAllowance || clientAge-serverAge < -ticketAgeSkewAllowance {
+ continue
+ }
 }
 // This enforces the stricter 0-RTT requirements on all ticket uses.
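Review bot: The seconds fallback in checkPSK applies to every client, not only NSS, so any obfuscated_ticket_age that fails the millisecond skew test is re-read at 1000x the scale, which gives each ticket two acceptance windows instead of one. Since the trailing context says this check enforces the 0-RTT requirements on all ticket uses, the freshness bound that limits replay of early data is presumably weaker while the workaround is in place. I would keep the fallback out of the path that accepts early data, or put it behind an explicit interop switch, and record the exit condition in the comment, e.g. `// XXX: NSS sends obfuscated_ticket_age in seconds (off spec); remove once fixed upstream, this widens the ticket-age window`. The skew condition is now written out twice, so a small local helper would keep the two tests from drifting apart. checkPSK starts and ends outside the hunk, so how early data is decided after this check is not visible here.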