diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index e569b986bc..81de55af97 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -14,7 +14,6 @@ #include "ssl_local.h" #include "internal/time.h" -static void get_current_time(struct timeval *t); static int dtls1_handshake_write(SSL_CONNECTION *s); static size_t dtls1_link_min_mtu(void); @@ -56,13 +55,13 @@ const SSL3_ENC_METHOD DTLSv1_2_enc_data = { dtls1_handshake_write }; -long dtls1_default_timeout(void) +OSSL_TIME dtls1_default_timeout(void) { /* * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for * http, the cache would over fill */ - return (60 * 60 * 2); + return ossl_seconds2time(60 * 60 * 2); } int dtls1_new(SSL *ssl) @@ -222,6 +221,7 @@ int dtls1_clear(SSL *ssl) long dtls1_ctrl(SSL *ssl, int cmd, long larg, void *parg) { int ret = 0; + OSSL_TIME t; SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl); if (s == NULL) @@ -229,7 +229,8 @@ long dtls1_ctrl(SSL *ssl, int cmd, long larg, void *parg) switch (cmd) { case DTLS_CTRL_GET_TIMEOUT: - if (dtls1_get_timeout(s, (struct timeval *)parg) != NULL) { + if (dtls1_get_timeout(s, &t) != NULL) { + *(struct timeval *)parg = ossl_time_to_timeval(t); ret = 1; } break; @@ -261,13 +262,14 @@ long dtls1_ctrl(SSL *ssl, int cmd, long larg, void *parg) void dtls1_start_timer(SSL_CONNECTION *s) { - unsigned int sec, usec; + struct timeval tv; + OSSL_TIME duration; SSL *ssl = SSL_CONNECTION_GET_SSL(s); #ifndef OPENSSL_NO_SCTP /* Disable timer for SCTP */ if (BIO_dgram_is_sctp(SSL_get_wbio(ssl))) { - memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout)); + s->d1->next_timeout = ossl_time_zero(); return; } #endif @@ -276,77 +278,46 @@ void dtls1_start_timer(SSL_CONNECTION *s) * If timer is not set, initialize duration with 1 second or * a user-specified value if the timer callback is installed. */ - if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { - + if (ossl_time_is_zero(s->d1->next_timeout)) { if (s->d1->timer_cb != NULL) s->d1->timeout_duration_us = s->d1->timer_cb(ssl, 0); else s->d1->timeout_duration_us = 1000000; } - /* Set timeout to current time */ - get_current_time(&(s->d1->next_timeout)); + /* Set timeout to current time plus duration */ + duration = ossl_us2time(s->d1->timeout_duration_us); + s->d1->next_timeout = ossl_time_add(ossl_time_now(), duration); - /* Add duration to current time */ - - sec = s->d1->timeout_duration_us / 1000000; - usec = s->d1->timeout_duration_us - (sec * 1000000); - - s->d1->next_timeout.tv_sec += sec; - s->d1->next_timeout.tv_usec += usec; - - if (s->d1->next_timeout.tv_usec >= 1000000) { - s->d1->next_timeout.tv_sec++; - s->d1->next_timeout.tv_usec -= 1000000; - } - - BIO_ctrl(SSL_get_rbio(ssl), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, - &(s->d1->next_timeout)); + tv = ossl_time_to_timeval(s->d1->next_timeout); + BIO_ctrl(SSL_get_rbio(ssl), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &tv); } -struct timeval *dtls1_get_timeout(SSL_CONNECTION *s, struct timeval *timeleft) +OSSL_TIME *dtls1_get_timeout(SSL_CONNECTION *s, OSSL_TIME *timeleft) { - struct timeval timenow; + OSSL_TIME timenow; /* If no timeout is set, just return NULL */ - if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) { + if (ossl_time_is_zero(s->d1->next_timeout)) return NULL; - } /* Get current time */ - get_current_time(&timenow); - - /* If timer already expired, set remaining time to 0 */ - if (s->d1->next_timeout.tv_sec < timenow.tv_sec || - (s->d1->next_timeout.tv_sec == timenow.tv_sec && - s->d1->next_timeout.tv_usec <= timenow.tv_usec)) { - memset(timeleft, 0, sizeof(*timeleft)); - return timeleft; - } - - /* Calculate time left until timer expires */ - memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval)); - timeleft->tv_sec -= timenow.tv_sec; - timeleft->tv_usec -= timenow.tv_usec; - if (timeleft->tv_usec < 0) { - timeleft->tv_sec--; - timeleft->tv_usec += 1000000; - } + timenow = ossl_time_now(); /* - * If remaining time is less than 15 ms, set it to 0 to prevent issues - * because of small divergences with socket timeouts. + * If timer already expired or if remaining time is less than 15 ms, + * set it to 0 to prevent issues because of small divergences with + * socket timeouts. */ - if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) { - memset(timeleft, 0, sizeof(*timeleft)); - } - + *timeleft = ossl_time_subtract(s->d1->next_timeout, timenow); + if (ossl_time_compare(*timeleft, ossl_ms2time(15)) <= 0) + *timeleft = ossl_time_zero(); return timeleft; } int dtls1_is_timer_expired(SSL_CONNECTION *s) { - struct timeval timeleft; + OSSL_TIME timeleft; /* Get time left until timeout, return false if no timer running */ if (dtls1_get_timeout(s, &timeleft) == NULL) { @@ -354,7 +325,7 @@ int dtls1_is_timer_expired(SSL_CONNECTION *s) } /* Return false if timer is not expired yet */ - if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) { + if (!ossl_time_is_zero(timeleft)) { return 0; } @@ -371,12 +342,14 @@ static void dtls1_double_timeout(SSL_CONNECTION *s) void dtls1_stop_timer(SSL_CONNECTION *s) { + struct timeval tv; + /* Reset everything */ s->d1->timeout_num_alerts = 0; - memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout)); + s->d1->next_timeout = ossl_time_zero(); s->d1->timeout_duration_us = 1000000; - BIO_ctrl(s->rbio, BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, - &(s->d1->next_timeout)); + tv = ossl_time_to_timeval(s->d1->next_timeout); + BIO_ctrl(s->rbio, BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &tv); /* Clear retransmission buffer */ dtls1_clear_sent_buffer(s); } @@ -429,11 +402,6 @@ int dtls1_handle_timeout(SSL_CONNECTION *s) return dtls1_retransmit_buffered_messages(s); } -static void get_current_time(struct timeval *t) -{ - ossl_time_time_to_timeval(ossl_time_now(), t); -} - #define LISTEN_SUCCESS 2 #define LISTEN_SEND_VERIFY_REQUEST 1 diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c index 6ccc24bb22..6d5c1995f8 100644 --- a/ssl/quic/quic_impl.c +++ b/ssl/quic/quic_impl.c @@ -197,9 +197,9 @@ size_t ossl_quic_pending(const SSL *s) return 0; } -long ossl_quic_default_timeout(void) +OSSL_TIME ossl_quic_default_timeout(void) { - return 0; + return ossl_time_zero(); } int ossl_quic_num_ciphers(void) diff --git a/ssl/quic/quic_local.h b/ssl/quic/quic_local.h index 385fd70101..3f589bba0b 100644 --- a/ssl/quic/quic_local.h +++ b/ssl/quic/quic_local.h @@ -103,7 +103,7 @@ __owur long ossl_quic_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg); __owur long ossl_quic_callback_ctrl(SSL *s, int cmd, void (*fp) (void)); __owur long ossl_quic_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void)); __owur size_t ossl_quic_pending(const SSL *s); -__owur long ossl_quic_default_timeout(void); +__owur OSSL_TIME ossl_quic_default_timeout(void); __owur int ossl_quic_num_ciphers(void); __owur const SSL_CIPHER *ossl_quic_get_cipher(unsigned int u); int ossl_quic_renegotiate_check(SSL *ssl, int initok); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index ceae7faf9f..126ac4c2bf 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3286,13 +3286,13 @@ const SSL3_ENC_METHOD SSLv3_enc_data = { ssl3_handshake_write }; -long ssl3_default_timeout(void) +OSSL_TIME ssl3_default_timeout(void) { /* * 2 hours, the 24 hours mentioned in the SSLv3 spec is way too long for * http, the cache would over fill */ - return (60 * 60 * 2); + return ossl_seconds2time(60 * 60 * 2); } int ssl3_num_ciphers(void) diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 3503fdc210..9336fb2cc9 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -163,8 +163,8 @@ int i2d_SSL_SESSION(const SSL_SESSION *in, unsigned char **pp) ssl_session_oinit(&as.session_id_context, &sid_ctx, in->sid_ctx, in->sid_ctx_length); - as.time = (int64_t)in->time; - as.timeout = (int64_t)in->timeout; + as.time = (int64_t)ossl_time_to_time_t(in->time); + as.timeout = (int64_t)ossl_time2seconds(in->timeout); as.verify_result = in->verify_result; as.peer = in->peer; @@ -302,14 +302,14 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, ret->master_key_length = tmpl; if (as->time != 0) - ret->time = (time_t)as->time; + ret->time = ossl_time_from_time_t(as->time); else - ret->time = time(NULL); + ret->time = ossl_time_now(); if (as->timeout != 0) - ret->timeout = (time_t)as->timeout; + ret->timeout = ossl_seconds2time(as->timeout); else - ret->timeout = 3; + ret->timeout = ossl_seconds2time(3); ssl_session_calculate_timeout(ret); X509_free(ret->peer); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 9b384b9429..5409c5b577 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2047,7 +2047,7 @@ int SSL_connect(SSL *s) long SSL_get_default_timeout(const SSL *s) { - return s->method->get_timeout(); + return (long int)ossl_time2seconds(s->method->get_timeout()); } static int ssl_async_wait_ctx_cb(void *arg) diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h index fec587ee8a..e1c90cfca4 100644 --- a/ssl/ssl_local.h +++ b/ssl/ssl_local.h @@ -520,7 +520,7 @@ struct ssl_method_st { size_t (*ssl_pending) (const SSL *s); int (*num_ciphers) (void); const SSL_CIPHER *(*get_cipher) (unsigned ncipher); - long (*get_timeout) (void); + OSSL_TIME (*get_timeout) (void); const struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ int (*ssl_version) (void); long (*ssl_callback_ctrl) (SSL *s, int cb_id, void (*fp) (void)); @@ -601,8 +601,8 @@ struct ssl_session_st { */ long verify_result; /* only for servers */ CRYPTO_REF_COUNT references; - time_t timeout; - time_t time; + OSSL_TIME timeout; + OSSL_TIME time; OSSL_TIME calc_timeout; unsigned int compress_meth; /* Need to lookup the method */ const SSL_CIPHER *cipher; @@ -701,11 +701,11 @@ typedef enum { /* * The allowance we have between the client's calculated ticket age and our own. - * We allow for 10 seconds (units are in ms). If a ticket is presented and the + * We allow for 10 seconds. If a ticket is presented and the * client's age calculation is different by more than this than our own then we * do not allow that ticket for early_data. */ -# define TICKET_AGE_ALLOWANCE (10 * 1000) +# define TICKET_AGE_ALLOWANCE ossl_seconds2time(10) #define MAX_COMPRESSIONS_SIZE 255 @@ -874,7 +874,7 @@ struct ssl_ctx_st { * SSL_new() is called. This has been put in to make life easier to set * things up */ - long session_timeout; + OSSL_TIME session_timeout; /* * If this callback is not null, it will be called each time a session id * is added to the cache. If this function returns 1, it means that the @@ -1973,7 +1973,7 @@ typedef struct dtls1_state_st { /* * Indicates when the last handshake msg sent will timeout */ - struct timeval next_timeout; + OSSL_TIME next_timeout; /* Timeout duration */ unsigned int timeout_duration_us; @@ -2602,7 +2602,7 @@ __owur long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void)); __owur long ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp) (void)); __owur int ssl3_do_change_cipher_spec(SSL_CONNECTION *s); -__owur long ssl3_default_timeout(void); +__owur OSSL_TIME ssl3_default_timeout(void); __owur int ssl3_set_handshake_header(SSL_CONNECTION *s, WPACKET *pkt, int htype); @@ -2627,7 +2627,7 @@ __owur int ssl_choose_client_version(SSL_CONNECTION *s, int version, __owur int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version, int *max_version, int *real_max); -__owur long tls1_default_timeout(void); +__owur OSSL_TIME tls1_default_timeout(void); __owur int dtls1_do_write(SSL_CONNECTION *s, int type); void dtls1_set_message_header(SSL_CONNECTION *s, unsigned char mt, @@ -2647,9 +2647,8 @@ void dtls1_clear_received_buffer(SSL_CONNECTION *s); void dtls1_clear_sent_buffer(SSL_CONNECTION *s); void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr); -__owur long dtls1_default_timeout(void); -__owur struct timeval *dtls1_get_timeout(SSL_CONNECTION *s, - struct timeval *timeleft); +__owur OSSL_TIME dtls1_default_timeout(void); +__owur OSSL_TIME *dtls1_get_timeout(SSL_CONNECTION *s, OSSL_TIME *timeleft); __owur int dtls1_check_timeout_num(SSL_CONNECTION *s); __owur int dtls1_handle_timeout(SSL_CONNECTION *s); void dtls1_start_timer(SSL_CONNECTION *s); diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index e52635d087..720ea4bc18 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -26,9 +26,9 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck); DEFINE_STACK_OF(SSL_SESSION) -__owur static ossl_inline int sess_timedout(time_t t, SSL_SESSION *ss) +__owur static ossl_inline int sess_timedout(OSSL_TIME t, SSL_SESSION *ss) { - return ossl_time_compare(ossl_time_from_time_t(t), ss->calc_timeout) > 0; + return ossl_time_compare(t, ss->calc_timeout) > 0; } /* @@ -46,12 +46,7 @@ __owur static ossl_inline int timeoutcmp(SSL_SESSION *a, SSL_SESSION *b) */ void ssl_session_calculate_timeout(SSL_SESSION *ss) { - /* Force positive timeout */ - if (ss->timeout < 0) - ss->timeout = 0; - - ss->calc_timeout = ossl_time_add(ossl_time_from_time_t(ss->time), - ossl_time_from_time_t(ss->timeout)); + ss->calc_timeout = ossl_time_add(ss->time, ss->timeout); } /* @@ -118,8 +113,9 @@ SSL_SESSION *SSL_SESSION_new(void) ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references = 1; - ss->timeout = 60 * 5 + 4; /* 5 minute timeout by default */ - ss->time = time(NULL); + /* 5 minute timeout by default */ + ss->timeout = ossl_seconds2time(60 * 5 + 4); + ss->time = ossl_time_now(); ssl_session_calculate_timeout(ss); ss->lock = CRYPTO_THREAD_lock_new(); if (ss->lock == NULL) { @@ -418,8 +414,8 @@ int ssl_get_new_session(SSL_CONNECTION *s, int session) } /* If the context has a default timeout, use it */ - if (s->session_ctx->session_timeout == 0) - ss->timeout = SSL_get_default_timeout(SSL_CONNECTION_GET_SSL(s)); + if (ossl_time_is_zero(s->session_ctx->session_timeout)) + ss->timeout = SSL_CONNECTION_GET_SSL(s)->method->get_timeout(); else ss->timeout = s->session_ctx->session_timeout; ssl_session_calculate_timeout(ss); @@ -629,7 +625,7 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello) goto err; } - if (sess_timedout(time(NULL), ret)) { + if (sess_timedout(ossl_time_now(), ret)) { ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_timeout); if (try_session_cache) { /* session was from the cache, so remove it */ @@ -732,7 +728,7 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) /* Adjust last used time, and add back into the cache at the appropriate spot */ if (ctx->session_cache_mode & SSL_SESS_CACHE_UPDATE_TIME) { - c->time = time(NULL); + c->time = ossl_time_now(); ssl_session_calculate_timeout(c); } @@ -886,7 +882,7 @@ int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, long SSL_SESSION_set_timeout(SSL_SESSION *s, long t) { - time_t new_timeout = (time_t)t; + OSSL_TIME new_timeout = ossl_seconds2time(t); if (s == NULL || t < 0) return 0; @@ -908,19 +904,19 @@ long SSL_SESSION_get_timeout(const SSL_SESSION *s) { if (s == NULL) return 0; - return (long)s->timeout; + return (long)ossl_time_to_time_t(s->timeout); } long SSL_SESSION_get_time(const SSL_SESSION *s) { if (s == NULL) return 0; - return (long)s->time; + return (long)ossl_time_to_time_t(s->time); } long SSL_SESSION_set_time(SSL_SESSION *s, long t) { - time_t new_time = (time_t)t; + OSSL_TIME new_time = ossl_time_from_time_t((time_t)t); if (s == NULL) return 0; @@ -1066,10 +1062,11 @@ int SSL_SESSION_is_resumable(const SSL_SESSION *s) long SSL_CTX_set_timeout(SSL_CTX *s, long t) { long l; + if (s == NULL) return 0; - l = s->session_timeout; - s->session_timeout = t; + l = (long)ossl_time2seconds(s->session_timeout); + s->session_timeout = ossl_seconds2time(t); return l; } @@ -1077,7 +1074,7 @@ long SSL_CTX_get_timeout(const SSL_CTX *s) { if (s == NULL) return 0; - return s->session_timeout; + return (long)ossl_time2seconds(s->session_timeout); } int SSL_set_session_secret_cb(SSL *s, @@ -1144,6 +1141,7 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t) STACK_OF(SSL_SESSION) *sk; SSL_SESSION *current; unsigned long i; + const OSSL_TIME timeout = ossl_time_from_time_t(t); if (!CRYPTO_THREAD_write_lock(s->lock)) return; @@ -1161,7 +1159,7 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t) */ while (s->session_cache_tail != NULL) { current = s->session_cache_tail; - if (t == 0 || sess_timedout((time_t)t, current)) { + if (t == 0 || sess_timedout(timeout, current)) { lh_SSL_SESSION_delete(s->sessions, current); SSL_SESSION_list_remove(s, current); current->not_resumable = 1; diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 212fe00962..68f15d6182 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -128,12 +128,14 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) } } #endif - if (x->time != 0L) { - if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0) + if (!ossl_time_is_zero(x->time)) { + if (BIO_printf(bp, "\n Start Time: %lld", + (long long)ossl_time_to_time_t(x->time)) <= 0) goto err; } - if (x->timeout != 0L) { - if (BIO_printf(bp, "\n Timeout : %lld (sec)", (long long)x->timeout) <= 0) + if (!ossl_time_is_zero(x->timeout)) { + if (BIO_printf(bp, "\n Timeout : %lld (sec)", + (long long)ossl_time2seconds(x->timeout)) <= 0) goto err; } if (BIO_puts(bp, "\n") <= 0) diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c index 3a315cb65f..3a1f3e8105 100644 --- a/ssl/statem/extensions_clnt.c +++ b/ssl/statem/extensions_clnt.c @@ -1011,6 +1011,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt, const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL; int dores = 0; SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s); + OSSL_TIME t; s->ext.tick_identity = 0; @@ -1062,7 +1063,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt, * this in multiple places in the code, so portability shouldn't be an * issue. */ - agesec = (uint32_t)(time(NULL) - s->session->time); + t = ossl_time_subtract(ossl_time_now(), s->session->time); + agesec = (uint32_t)ossl_time2seconds(t); /* * We calculate the age in seconds but the server may work in ms. Due to * rounding errors we could overestimate the age by up to 1s. It is diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c index 747b9fe9a4..413ee5a1dc 100644 --- a/ssl/statem/extensions_srvr.c +++ b/ssl/statem/extensions_srvr.c @@ -1102,7 +1102,7 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, s->ext.early_data_ok = 1; s->ext.ticket_expected = 1; } else { - uint32_t ticket_age = 0, agesec, agems; + OSSL_TIME t, age, expire; int ret; /* @@ -1141,24 +1141,24 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, continue; } - ticket_age = (uint32_t)ticket_agel; - agesec = (uint32_t)(time(NULL) - sess->time); - agems = agesec * (uint32_t)1000; - ticket_age -= sess->ext.tick_age_add; + age = ossl_time_subtract(ossl_seconds2time(ticket_agel), + ossl_seconds2time(sess->ext.tick_age_add)); + t = ossl_time_subtract(ossl_time_now(), sess->time); /* - * For simplicity we do our age calculations in seconds. If the - * client does it in ms then it could appear that their ticket age - * is longer than ours (our ticket age calculation should always be - * slightly longer than the client's due to the network latency). - * Therefore we add 1000ms to our age calculation to adjust for - * rounding errors. + * Beause we use second granuality, it could appear that + * the client's ticket age is longer than ours (our ticket + * age calculation should always be slightly longer than the + * client's due to the network latency). Therefore we add + * 1000ms to our age calculation to adjust for rounding errors. */ + expire = ossl_time_add(t, ossl_ms2time(1000)); + if (id == 0 - && sess->timeout >= (long)agesec - && agems / (uint32_t)1000 == agesec - && ticket_age <= agems + 1000 - && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) { + && ossl_time_compare(sess->timeout, t) >= 0 + && ossl_time_compare(age, expire) <= 0 + && ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE), + expire) >= 0) { /* * Ticket age is within tolerance and not expired. We allow it * for early data diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 2bfa9a2abf..1bccd6b27c 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2542,7 +2542,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s, s->session = new_sess; } - s->session->time = time(NULL); + s->session->time = ossl_time_now(); ssl_session_calculate_timeout(s->session); OPENSSL_free(s->session->ext.tick); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index d7acc5c879..2b549bc22e 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3656,7 +3656,7 @@ int tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt) static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, uint32_t age_add, unsigned char *tick_nonce) { - uint32_t timeout = (uint32_t)s->session->timeout; + uint32_t timeout = (uint32_t)ossl_time2seconds(s->session->timeout); /* * Ticket lifetime hint: @@ -3668,7 +3668,8 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt, #define ONE_WEEK_SEC (7 * 24 * 60 * 60) if (SSL_CONNECTION_IS_TLS13(s)) { - if (s->session->timeout > ONE_WEEK_SEC) + if (ossl_time_compare(s->session->timeout, + ossl_seconds2time(ONE_WEEK_SEC)) > 0) timeout = ONE_WEEK_SEC; } else if (s->hit) timeout = 0; @@ -3978,7 +3979,7 @@ int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt) } s->session->master_key_length = hashlen; - s->session->time = time(NULL); + s->session->time = ossl_time_now(); ssl_session_calculate_timeout(s->session); if (s->s3.alpn_selected != NULL) { OPENSSL_free(s->session->ext.alpn_selected); diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 10e11125b8..b165a4c4f0 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -98,13 +98,13 @@ SSL3_ENC_METHOD const TLSv1_3_enc_data = { ssl3_handshake_write }; -long tls1_default_timeout(void) +OSSL_TIME tls1_default_timeout(void) { /* * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for * http, the cache would over fill */ - return (60 * 60 * 2); + return ossl_seconds2time(60 * 60 * 2); } int tls1_new(SSL *s)