fix(s2n_session_ticket_test): correct clock mocking (#4602)

tests/unit/s2n_session_ticket_test.c

@@ -1241,17 +1241,18 @@ int main(int argc, char **argv)
     if (s2n_is_tls13_fully_supported()) {
         struct s2n_config *config = s2n_config_new();
         EXPECT_NOT_NULL(config);
+
+        /* Freeze time */
+        POSIX_GUARD(config->wall_clock(config->sys_clock_ctx, &now));
+        EXPECT_OK(s2n_config_mock_wall_clock(config, &now));
+
         EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, ecdsa_chain_and_key));
         EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
         EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
         EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name1, s2n_array_len(ticket_key_name1),
                 ticket_key1, s2n_array_len(ticket_key1), 0));
         EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default_tls13"));
 
-        /* Freeze time */
-        POSIX_GUARD(config->wall_clock(config->sys_clock_ctx, &now));
-        EXPECT_OK(s2n_config_mock_wall_clock(config, &now));
-
         /* Send one NewSessionTicket */
         cb_session_data_len = 0;
         EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(config, s2n_test_session_ticket_callback, NULL));

tls/s2n_resume.c

@@ -710,7 +710,10 @@ struct s2n_ticket_key *s2n_get_ticket_encrypt_decrypt_key(struct s2n_config *con
         PTR_GUARD_RESULT(s2n_set_get(config->ticket_keys, idx, (void **) &ticket_key));
         uint64_t key_intro_time = ticket_key->intro_timestamp;
 
-        if (key_intro_time < now
+        /* A key can be used at its intro time (<=) and it can be used up to (<) 
+         * its expiration time.
+         */
+        if (key_intro_time <= now
                 && now < key_intro_time + config->encrypt_decrypt_key_lifetime_in_nanos) {
             encrypt_decrypt_keys_index[num_encrypt_decrypt_keys] = idx;
             num_encrypt_decrypt_keys++;