From: Alexander Kanavin Date: Tue, 30 Apr 2024 09:54:42 +0000 (+0200) Subject: ssl_sess.c: deprecate SSL_SESSION_get_time/SSL_SESSION_set_time X-Git-Tag: openssl-3.4.0-alpha1~506 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00a6d0743a38e179f5f9b5de4b73be9fcec0bb4c;p=thirdparty%2Fopenssl.git ssl_sess.c: deprecate SSL_SESSION_get_time/SSL_SESSION_set_time Adjust the manpages at the same time so that only the new functions are being presented. Fixes: #23648 Signed-off-by: Alexander Kanavin Reviewed-by: Matt Caswell Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24307) --- diff --git a/doc/man3/SSL_CTX_set_ct_validation_callback.pod b/doc/man3/SSL_CTX_set_ct_validation_callback.pod index 962f5ebd798..37f05644845 100644 --- a/doc/man3/SSL_CTX_set_ct_validation_callback.pod +++ b/doc/man3/SSL_CTX_set_ct_validation_callback.pod @@ -101,7 +101,7 @@ otherwise. When SCT processing is enabled, OCSP stapling will be enabled. This is because one possible source of SCTs is the OCSP response from a server. -The time returned by SSL_SESSION_get_time() will be used to evaluate whether any +The time returned by SSL_SESSION_get_time_ex() will be used to evaluate whether any presented SCTs have timestamps that are in the future (and therefore invalid). =head1 RESTRICTIONS diff --git a/doc/man3/SSL_SESSION_get_time.pod b/doc/man3/SSL_SESSION_get_time.pod index 5c9adc1ee51..38ef35cd34c 100644 --- a/doc/man3/SSL_SESSION_get_time.pod +++ b/doc/man3/SSL_SESSION_get_time.pod @@ -11,26 +11,31 @@ SSL_get_time, SSL_set_time, SSL_get_timeout, SSL_set_timeout #include - long SSL_SESSION_get_time(const SSL_SESSION *s); - long SSL_SESSION_set_time(SSL_SESSION *s, long tm); long SSL_SESSION_get_timeout(const SSL_SESSION *s); long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm); - long SSL_get_time(const SSL_SESSION *s); - long SSL_set_time(SSL_SESSION *s, long tm); long SSL_get_timeout(const SSL_SESSION *s); long SSL_set_timeout(SSL_SESSION *s, long tm); time_t SSL_SESSION_get_time_ex(const SSL_SESSION *s); time_t SSL_SESSION_set_time_ex(SSL_SESSION *s, time_t tm); +The following functions have been deprecated since OpenSSL 3.4, and can be +hidden entirely by defining B with a suitable version value, +see L: + + long SSL_SESSION_get_time(const SSL_SESSION *s); + long SSL_SESSION_set_time(SSL_SESSION *s, long tm); + long SSL_get_time(const SSL_SESSION *s); + long SSL_set_time(SSL_SESSION *s, long tm); + =head1 DESCRIPTION -SSL_SESSION_get_time() returns the time at which the session B was +SSL_SESSION_get_time_ex() returns the time at which the session B was established. The time is given in seconds since the Epoch and therefore compatible to the time delivered by the time() call. -SSL_SESSION_set_time() replaces the creation time of the session B with +SSL_SESSION_set_time_ex() replaces the creation time of the session B with the chosen value B. SSL_SESSION_get_timeout() returns the timeout value set for session B @@ -39,9 +44,10 @@ in seconds. SSL_SESSION_set_timeout() sets the timeout value for session B in seconds to B. -SSL_SESSION_get_time_ex() and SSL_SESSION_set_time_ex() extended functions use -the time_t datatype instead of long to fix the Y2038 problem on systems with -64 bit time_t type. +SSL_SESSION_get_time() and SSL_SESSION_set_time() functions use +the long datatype instead of time_t and are therefore deprecated due to not +being Y2038-safe on 32 bit systems. Note that such systems still need +to be configured to use 64 bit time_t to be able to avoid overflow in system time. The SSL_get_time(), SSL_set_time(), SSL_get_timeout(), and SSL_set_timeout() functions are synonyms for the SSL_SESSION_*() counterparts. @@ -57,10 +63,10 @@ of the session. =head1 RETURN VALUES -SSL_SESSION_get_time() and SSL_SESSION_get_timeout() return the currently +SSL_SESSION_get_time_ex() and SSL_SESSION_get_timeout() return the currently valid values. -SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success. +SSL_SESSION_set_time_ex() and SSL_SESSION_set_timeout() return 1 on success. If any of the function is passed the NULL pointer for the session B, 0 is returned. diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in index 6ed3ce5ba70..c4a40c95c34 100644 --- a/include/openssl/ssl.h.in +++ b/include/openssl/ssl.h.in @@ -1685,8 +1685,13 @@ __owur const char *SSL_state_string(const SSL *s); __owur const char *SSL_rstate_string(const SSL *s); __owur const char *SSL_state_string_long(const SSL *s); __owur const char *SSL_rstate_string_long(const SSL *s); + +#ifndef OPENSSL_NO_DEPRECATED_3_4 +OSSL_DEPRECATEDIN_3_4_FOR("not Y2038-safe, replace with SSL_SESSION_get_time_ex()") __owur long SSL_SESSION_get_time(const SSL_SESSION *s); +OSSL_DEPRECATEDIN_3_4_FOR("not Y2038-safe, replace with SSL_SESSION_set_time_ex()") __owur long SSL_SESSION_set_time(SSL_SESSION *s, long t); +#endif __owur long SSL_SESSION_get_timeout(const SSL_SESSION *s); __owur long SSL_SESSION_set_timeout(SSL_SESSION *s, long t); __owur int SSL_SESSION_get_protocol_version(const SSL_SESSION *s); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 178ccd07342..05047e91639 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -6363,7 +6363,7 @@ int ssl_validate_ct(SSL_CONNECTION *s) CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, SSL_CONNECTION_GET_CTX(s)->ctlog_store); CT_POLICY_EVAL_CTX_set_time( - ctx, (uint64_t)SSL_SESSION_get_time(s->session) * 1000); + ctx, (uint64_t)SSL_SESSION_get_time_ex(s->session) * 1000); scts = SSL_get0_peer_scts(SSL_CONNECTION_GET_SSL(s)); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index c57d18984cc..d326eadb048 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -941,10 +941,12 @@ long SSL_SESSION_get_timeout(const SSL_SESSION *s) return (long)ossl_time_to_time_t(s->timeout); } +#ifndef OPENSSL_NO_DEPRECATED_3_4 long SSL_SESSION_get_time(const SSL_SESSION *s) { return (long) SSL_SESSION_get_time_ex(s); } +#endif time_t SSL_SESSION_get_time_ex(const SSL_SESSION *s) { @@ -973,10 +975,12 @@ time_t SSL_SESSION_set_time_ex(SSL_SESSION *s, time_t t) return t; } +#ifndef OPENSSL_NO_DEPRECATED_3_4 long SSL_SESSION_set_time(SSL_SESSION *s, long t) { return (long) SSL_SESSION_set_time_ex(s, (time_t) t); } +#endif int SSL_SESSION_get_protocol_version(const SSL_SESSION *s) { diff --git a/test/clienthellotest.c b/test/clienthellotest.c index a86f1ab4898..935396a1c14 100644 --- a/test/clienthellotest.c +++ b/test/clienthellotest.c @@ -164,7 +164,7 @@ static int test_client_hello(int currtest) * We reset the creation time so that we don't discard the session as * too old. */ - if (!TEST_true(SSL_SESSION_set_time(sess, (long)time(NULL))) + if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL))) || !TEST_true(SSL_set_session(con, sess))) goto end; } diff --git a/test/sslapitest.c b/test/sslapitest.c index 8a88558458e..e013838bd1d 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -2330,9 +2330,9 @@ static int execute_test_session(int maxprot, int use_int_cache, */ /* Make sess1 expire before sess2 */ - if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0) + if (!TEST_time_t_gt(SSL_SESSION_set_time_ex(sess1, 1000), 0) || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0) - || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0) + || !TEST_time_t_gt(SSL_SESSION_set_time_ex(sess2, 2000), 0) || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0)) goto end; @@ -3991,7 +3991,7 @@ static int early_data_skip_helper(int testtype, int cipher, int idx) * time. It could be any value as long as it is not within tolerance. * This should mean the ticket is rejected. */ - if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20)))) + if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL) - 20))) goto end; } @@ -9325,7 +9325,7 @@ static int test_session_timeout(int test) SSL_SESSION *late = NULL; SSL_CTX *ctx; int testresult = 0; - long now = (long)time(NULL); + time_t now = time(NULL); #define TIMEOUT 10 if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method())) @@ -9353,9 +9353,9 @@ static int test_session_timeout(int test) || !TEST_ptr(late->prev)) goto end; - if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0) - || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0) - || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0)) + if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now - 10), 0) + || !TEST_time_t_ne(SSL_SESSION_set_time_ex(middle, now), 0) + || !TEST_time_t_ne(SSL_SESSION_set_time_ex(late, now + 10), 0)) goto end; if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0) @@ -9421,9 +9421,9 @@ static int test_session_timeout(int test) /* make sure |now| is NOT equal to the current time */ now -= 10; - if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0) + if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now), 0) || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1) - || !TEST_long_ne(SSL_SESSION_get_time(early), now)) + || !TEST_time_t_ne(SSL_SESSION_get_time_ex(early), now)) goto end; testresult = 1; diff --git a/util/libssl.num b/util/libssl.num index d7c7ff09b7f..e232d3efd4c 100644 --- a/util/libssl.num +++ b/util/libssl.num @@ -147,7 +147,7 @@ SSL_set_security_callback 147 3_0_0 EXIST::FUNCTION: SSL_SRP_CTX_init 148 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP ERR_load_SSL_strings 149 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0 SSL_CTX_SRP_CTX_init 150 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP -SSL_SESSION_set_time 151 3_0_0 EXIST::FUNCTION: +SSL_SESSION_set_time 151 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_4 i2d_SSL_SESSION 152 3_0_0 EXIST::FUNCTION: SSL_SESSION_get_master_key 153 3_0_0 EXIST::FUNCTION: SSL_COMP_get_compression_methods 154 3_0_0 EXIST::FUNCTION: @@ -246,7 +246,7 @@ SSL_get_verify_mode 246 3_0_0 EXIST::FUNCTION: SSL_CIPHER_get_id 247 3_0_0 EXIST::FUNCTION: SSL_SESSION_print_keylog 248 3_0_0 EXIST::FUNCTION: SSL_CTX_set_psk_client_callback 249 3_0_0 EXIST::FUNCTION:PSK -SSL_SESSION_get_time 250 3_0_0 EXIST::FUNCTION: +SSL_SESSION_get_time 250 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_4 SSL_set_debug 251 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0 SSL_get_security_level 252 3_0_0 EXIST::FUNCTION: SSL_CIPHER_description 253 3_0_0 EXIST::FUNCTION: