ssl: modify libssl so that it uses OSSL_TIME

This is instead of time_t and struct timeval. Some public APIs mandate a presence of these two types, but they are converted to OSSL_TIME internally. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19082)
2025-02-05 14:10:53 +08:00 · 2022-08-29 14:17:25 +10:00 · 2022-08-29 14:17:25 +10:00 · f0131dc04a
commit f0131dc04a
parent 364c3b7b1a
14 changed files with 105 additions and 135 deletions
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@ -14,7 +14,6 @@
 #include "ssl_local.h"
 #include "internal/time.h"
 static void get_current_time(struct timeval *t);
 static int dtls1_handshake_write(SSL_CONNECTION *s);
 static size_t dtls1_link_min_mtu(void);
@ -56,13 +55,13 @@ const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
    dtls1_handshake_write
 };
-long dtls1_default_timeout(void)
+OSSL_TIME dtls1_default_timeout(void)
 {
    /*
     * 2 hours, the 24 hours mentioned in the DTLSv1 spec is way too long for
     * http, the cache would over fill
     */
-    return (60 * 60 * 2);
+    return ossl_seconds2time(60 * 60 * 2);
 }
 int dtls1_new(SSL *ssl)
@ -222,6 +221,7 @@ int dtls1_clear(SSL *ssl)
 long dtls1_ctrl(SSL *ssl, int cmd, long larg, void *parg)
 {
    int ret = 0;
    OSSL_TIME t;
    SSL_CONNECTION *s = SSL_CONNECTION_FROM_SSL_ONLY(ssl);
    if (s == NULL)
@ -229,7 +229,8 @@ long dtls1_ctrl(SSL *ssl, int cmd, long larg, void *parg)
    switch (cmd) {
    case DTLS_CTRL_GET_TIMEOUT:
-        if (dtls1_get_timeout(s, (struct timeval *)parg) != NULL) {
+        if (dtls1_get_timeout(s, &t) != NULL) {
            *(struct timeval *)parg = ossl_time_to_timeval(t);
            ret = 1;
        }
        break;
@ -261,13 +262,14 @@ long dtls1_ctrl(SSL *ssl, int cmd, long larg, void *parg)
 void dtls1_start_timer(SSL_CONNECTION *s)
 {
-    unsigned int sec, usec;
+    struct timeval tv;
    OSSL_TIME duration;
    SSL *ssl = SSL_CONNECTION_GET_SSL(s);
 #ifndef OPENSSL_NO_SCTP
    /* Disable timer for SCTP */
    if (BIO_dgram_is_sctp(SSL_get_wbio(ssl))) {
-        memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout));
+        s->d1->next_timeout = ossl_time_zero();
        return;
    }
 #endif
@ -276,77 +278,46 @@ void dtls1_start_timer(SSL_CONNECTION *s)
     * If timer is not set, initialize duration with 1 second or
     * a user-specified value if the timer callback is installed.
     */
-    if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
+    if (ossl_time_is_zero(s->d1->next_timeout)) {
        if (s->d1->timer_cb != NULL)
            s->d1->timeout_duration_us = s->d1->timer_cb(ssl, 0);
        else
            s->d1->timeout_duration_us = 1000000;
    }
-    /* Set timeout to current time */
+    /* Set timeout to current time plus duration */
-    get_current_time(&(s->d1->next_timeout));
+    duration = ossl_us2time(s->d1->timeout_duration_us);
    s->d1->next_timeout = ossl_time_add(ossl_time_now(), duration);
-    /* Add duration to current time */
+    tv = ossl_time_to_timeval(s->d1->next_timeout);
-
+    BIO_ctrl(SSL_get_rbio(ssl), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &tv);
    sec  = s->d1->timeout_duration_us / 1000000;
    usec = s->d1->timeout_duration_us - (sec * 1000000);
    s->d1->next_timeout.tv_sec  += sec;
    s->d1->next_timeout.tv_usec += usec;
    if (s->d1->next_timeout.tv_usec >= 1000000) {
        s->d1->next_timeout.tv_sec++;
        s->d1->next_timeout.tv_usec -= 1000000;
    }
    BIO_ctrl(SSL_get_rbio(ssl), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
             &(s->d1->next_timeout));
 }
-struct timeval *dtls1_get_timeout(SSL_CONNECTION *s, struct timeval *timeleft)
+OSSL_TIME *dtls1_get_timeout(SSL_CONNECTION *s, OSSL_TIME *timeleft)
 {
-    struct timeval timenow;
+    OSSL_TIME timenow;
    /* If no timeout is set, just return NULL */
-    if (s->d1->next_timeout.tv_sec == 0 && s->d1->next_timeout.tv_usec == 0) {
+    if (ossl_time_is_zero(s->d1->next_timeout))
        return NULL;
    }
    /* Get current time */
-    get_current_time(&timenow);
+    timenow = ossl_time_now();
    /* If timer already expired, set remaining time to 0 */
    if (s->d1->next_timeout.tv_sec < timenow.tv_sec ||
        (s->d1->next_timeout.tv_sec == timenow.tv_sec &&
         s->d1->next_timeout.tv_usec <= timenow.tv_usec)) {
        memset(timeleft, 0, sizeof(*timeleft));
        return timeleft;
    }
    /* Calculate time left until timer expires */
    memcpy(timeleft, &(s->d1->next_timeout), sizeof(struct timeval));
    timeleft->tv_sec -= timenow.tv_sec;
    timeleft->tv_usec -= timenow.tv_usec;
    if (timeleft->tv_usec < 0) {
        timeleft->tv_sec--;
        timeleft->tv_usec += 1000000;
    }
    /*
-     * If remaining time is less than 15 ms, set it to 0 to prevent issues
+     * If timer already expired or if remaining time is less than 15 ms,
-     * because of small divergences with socket timeouts.
+     * set it to 0 to prevent issues because of small divergences with
     * socket timeouts.
     */
-    if (timeleft->tv_sec == 0 && timeleft->tv_usec < 15000) {
+    *timeleft = ossl_time_subtract(s->d1->next_timeout, timenow);
-        memset(timeleft, 0, sizeof(*timeleft));
+    if (ossl_time_compare(*timeleft, ossl_ms2time(15)) <= 0)
-    }
+        *timeleft = ossl_time_zero();
    return timeleft;
 }
 int dtls1_is_timer_expired(SSL_CONNECTION *s)
 {
-    struct timeval timeleft;
+    OSSL_TIME timeleft;
    /* Get time left until timeout, return false if no timer running */
    if (dtls1_get_timeout(s, &timeleft) == NULL) {
@ -354,7 +325,7 @@ int dtls1_is_timer_expired(SSL_CONNECTION *s)
    }
    /* Return false if timer is not expired yet */
-    if (timeleft.tv_sec > 0 || timeleft.tv_usec > 0) {
+    if (!ossl_time_is_zero(timeleft)) {
        return 0;
    }
@ -371,12 +342,14 @@ static void dtls1_double_timeout(SSL_CONNECTION *s)
 void dtls1_stop_timer(SSL_CONNECTION *s)
 {
    struct timeval tv;
    /* Reset everything */
    s->d1->timeout_num_alerts = 0;
-    memset(&s->d1->next_timeout, 0, sizeof(s->d1->next_timeout));
+    s->d1->next_timeout = ossl_time_zero();
    s->d1->timeout_duration_us = 1000000;
-    BIO_ctrl(s->rbio, BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
+    tv = ossl_time_to_timeval(s->d1->next_timeout);
-             &(s->d1->next_timeout));
+    BIO_ctrl(s->rbio, BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &tv);
    /* Clear retransmission buffer */
    dtls1_clear_sent_buffer(s);
 }
@ -429,11 +402,6 @@ int dtls1_handle_timeout(SSL_CONNECTION *s)
    return dtls1_retransmit_buffered_messages(s);
 }
 static void get_current_time(struct timeval *t)
 {
    ossl_time_time_to_timeval(ossl_time_now(), t);
 }
 #define LISTEN_SUCCESS              2
 #define LISTEN_SEND_VERIFY_REQUEST  1
--- a/ssl/quic/quic_impl.c
+++ b/ssl/quic/quic_impl.c
@ -197,9 +197,9 @@ size_t ossl_quic_pending(const SSL *s)
    return 0;
 }
-long ossl_quic_default_timeout(void)
+OSSL_TIME ossl_quic_default_timeout(void)
 {
-    return 0;
+    return ossl_time_zero();
 }
 int ossl_quic_num_ciphers(void)
--- a/ssl/quic/quic_local.h
+++ b/ssl/quic/quic_local.h
@ -103,7 +103,7 @@ __owur long ossl_quic_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg);
 __owur long ossl_quic_callback_ctrl(SSL *s, int cmd, void (*fp) (void));
 __owur long ossl_quic_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void));
 __owur size_t ossl_quic_pending(const SSL *s);
-__owur long ossl_quic_default_timeout(void);
+__owur OSSL_TIME ossl_quic_default_timeout(void);
 __owur int ossl_quic_num_ciphers(void);
 __owur const SSL_CIPHER *ossl_quic_get_cipher(unsigned int u);
 int ossl_quic_renegotiate_check(SSL *ssl, int initok);
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -3286,13 +3286,13 @@ const SSL3_ENC_METHOD SSLv3_enc_data = {
    ssl3_handshake_write
 };
-long ssl3_default_timeout(void)
+OSSL_TIME ssl3_default_timeout(void)
 {
    /*
     * 2 hours, the 24 hours mentioned in the SSLv3 spec is way too long for
     * http, the cache would over fill
     */
-    return (60 * 60 * 2);
+    return ossl_seconds2time(60 * 60 * 2);
 }
 int ssl3_num_ciphers(void)
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@ -163,8 +163,8 @@ int i2d_SSL_SESSION(const SSL_SESSION *in, unsigned char **pp)
    ssl_session_oinit(&as.session_id_context, &sid_ctx,
                      in->sid_ctx, in->sid_ctx_length);
-    as.time = (int64_t)in->time;
+    as.time = (int64_t)ossl_time_to_time_t(in->time);
-    as.timeout = (int64_t)in->timeout;
+    as.timeout = (int64_t)ossl_time2seconds(in->timeout);
    as.verify_result = in->verify_result;
    as.peer = in->peer;
@ -302,14 +302,14 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
    ret->master_key_length = tmpl;
    if (as->time != 0)
-        ret->time = (time_t)as->time;
+        ret->time = ossl_time_from_time_t(as->time);
    else
-        ret->time = time(NULL);
+        ret->time = ossl_time_now();
    if (as->timeout != 0)
-        ret->timeout = (time_t)as->timeout;
+        ret->timeout = ossl_seconds2time(as->timeout);
    else
-        ret->timeout = 3;
+        ret->timeout = ossl_seconds2time(3);
    ssl_session_calculate_timeout(ret);
    X509_free(ret->peer);
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -2047,7 +2047,7 @@ int SSL_connect(SSL *s)
 long SSL_get_default_timeout(const SSL *s)
 {
-    return s->method->get_timeout();
+    return (long int)ossl_time2seconds(s->method->get_timeout());
 }
 static int ssl_async_wait_ctx_cb(void *arg)
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@ -520,7 +520,7 @@ struct ssl_method_st {
    size_t (*ssl_pending) (const SSL *s);
    int (*num_ciphers) (void);
    const SSL_CIPHER *(*get_cipher) (unsigned ncipher);
-    long (*get_timeout) (void);
+    OSSL_TIME (*get_timeout) (void);
    const struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */
    int (*ssl_version) (void);
    long (*ssl_callback_ctrl) (SSL *s, int cb_id, void (*fp) (void));
@ -601,8 +601,8 @@ struct ssl_session_st {
     */
    long verify_result;         /* only for servers */
    CRYPTO_REF_COUNT references;
-    time_t timeout;
+    OSSL_TIME timeout;
-    time_t time;
+    OSSL_TIME time;
    OSSL_TIME calc_timeout;
    unsigned int compress_meth; /* Need to lookup the method */
    const SSL_CIPHER *cipher;
@ -701,11 +701,11 @@ typedef enum {
 /*
 * The allowance we have between the client's calculated ticket age and our own.
- * We allow for 10 seconds (units are in ms). If a ticket is presented and the
+ * We allow for 10 seconds. If a ticket is presented and the
 * client's age calculation is different by more than this than our own then we
 * do not allow that ticket for early_data.
 */
-# define TICKET_AGE_ALLOWANCE   (10 * 1000)
+# define TICKET_AGE_ALLOWANCE   ossl_seconds2time(10)
 #define MAX_COMPRESSIONS_SIZE   255
@ -874,7 +874,7 @@ struct ssl_ctx_st {
     * SSL_new() is called.  This has been put in to make life easier to set
     * things up
     */
-    long session_timeout;
+    OSSL_TIME session_timeout;
    /*
     * If this callback is not null, it will be called each time a session id
     * is added to the cache.  If this function returns 1, it means that the
@ -1973,7 +1973,7 @@ typedef struct dtls1_state_st {
    /*
     * Indicates when the last handshake msg sent will timeout
     */
-    struct timeval next_timeout;
+    OSSL_TIME next_timeout;
    /* Timeout duration */
    unsigned int timeout_duration_us;
@ -2602,7 +2602,7 @@ __owur long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void));
 __owur long ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp) (void));
 __owur int ssl3_do_change_cipher_spec(SSL_CONNECTION *s);
-__owur long ssl3_default_timeout(void);
+__owur OSSL_TIME ssl3_default_timeout(void);
 __owur int ssl3_set_handshake_header(SSL_CONNECTION *s, WPACKET *pkt,
                                     int htype);
@ -2627,7 +2627,7 @@ __owur int ssl_choose_client_version(SSL_CONNECTION *s, int version,
 __owur int ssl_get_min_max_version(const SSL_CONNECTION *s, int *min_version,
                                   int *max_version, int *real_max);
-__owur long tls1_default_timeout(void);
+__owur OSSL_TIME tls1_default_timeout(void);
 __owur int dtls1_do_write(SSL_CONNECTION *s, int type);
 void dtls1_set_message_header(SSL_CONNECTION *s,
                              unsigned char mt,
@ -2647,9 +2647,8 @@ void dtls1_clear_received_buffer(SSL_CONNECTION *s);
 void dtls1_clear_sent_buffer(SSL_CONNECTION *s);
 void dtls1_get_message_header(unsigned char *data,
                              struct hm_header_st *msg_hdr);
-__owur long dtls1_default_timeout(void);
+__owur OSSL_TIME dtls1_default_timeout(void);
-__owur struct timeval *dtls1_get_timeout(SSL_CONNECTION *s,
+__owur OSSL_TIME *dtls1_get_timeout(SSL_CONNECTION *s, OSSL_TIME *timeleft);
                                         struct timeval *timeleft);
 __owur int dtls1_check_timeout_num(SSL_CONNECTION *s);
 __owur int dtls1_handle_timeout(SSL_CONNECTION *s);
 void dtls1_start_timer(SSL_CONNECTION *s);
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@ -26,9 +26,9 @@ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
 DEFINE_STACK_OF(SSL_SESSION)
-__owur static ossl_inline int sess_timedout(time_t t, SSL_SESSION *ss)
+__owur static ossl_inline int sess_timedout(OSSL_TIME t, SSL_SESSION *ss)
 {
-    return ossl_time_compare(ossl_time_from_time_t(t), ss->calc_timeout) > 0;
+    return ossl_time_compare(t, ss->calc_timeout) > 0;
 }
 /*
@ -46,12 +46,7 @@ __owur static ossl_inline int timeoutcmp(SSL_SESSION *a, SSL_SESSION *b)
 */
 void ssl_session_calculate_timeout(SSL_SESSION *ss)
 {
-    /* Force positive timeout */
+    ss->calc_timeout = ossl_time_add(ss->time, ss->timeout);
    if (ss->timeout < 0)
        ss->timeout = 0;
    ss->calc_timeout = ossl_time_add(ossl_time_from_time_t(ss->time),
                                     ossl_time_from_time_t(ss->timeout));
 }
 /*
@ -118,8 +113,9 @@ SSL_SESSION *SSL_SESSION_new(void)
    ss->verify_result = 1;      /* avoid 0 (= X509_V_OK) just in case */
    ss->references = 1;
-    ss->timeout = 60 * 5 + 4;   /* 5 minute timeout by default */
+   /* 5 minute timeout by default */
-    ss->time = time(NULL);
+    ss->timeout = ossl_seconds2time(60 * 5 + 4);
    ss->time = ossl_time_now();
    ssl_session_calculate_timeout(ss);
    ss->lock = CRYPTO_THREAD_lock_new();
    if (ss->lock == NULL) {
@ -418,8 +414,8 @@ int ssl_get_new_session(SSL_CONNECTION *s, int session)
    }
    /* If the context has a default timeout, use it */
-    if (s->session_ctx->session_timeout == 0)
+    if (ossl_time_is_zero(s->session_ctx->session_timeout))
-        ss->timeout = SSL_get_default_timeout(SSL_CONNECTION_GET_SSL(s));
+        ss->timeout = SSL_CONNECTION_GET_SSL(s)->method->get_timeout();
    else
        ss->timeout = s->session_ctx->session_timeout;
    ssl_session_calculate_timeout(ss);
@ -629,7 +625,7 @@ int ssl_get_prev_session(SSL_CONNECTION *s, CLIENTHELLO_MSG *hello)
        goto err;
    }
-    if (sess_timedout(time(NULL), ret)) {
+    if (sess_timedout(ossl_time_now(), ret)) {
        ssl_tsan_counter(s->session_ctx, &s->session_ctx->stats.sess_timeout);
        if (try_session_cache) {
            /* session was from the cache, so remove it */
@ -732,7 +728,7 @@ int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c)
    /* Adjust last used time, and add back into the cache at the appropriate spot */
    if (ctx->session_cache_mode & SSL_SESS_CACHE_UPDATE_TIME) {
-        c->time = time(NULL);
+        c->time = ossl_time_now();
        ssl_session_calculate_timeout(c);
    }
@ -886,7 +882,7 @@ int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
 long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
 {
-    time_t new_timeout = (time_t)t;
+    OSSL_TIME new_timeout = ossl_seconds2time(t);
    if (s == NULL || t < 0)
        return 0;
@ -908,19 +904,19 @@ long SSL_SESSION_get_timeout(const SSL_SESSION *s)
 {
    if (s == NULL)
        return 0;
-    return (long)s->timeout;
+    return (long)ossl_time_to_time_t(s->timeout);
 }
 long SSL_SESSION_get_time(const SSL_SESSION *s)
 {
    if (s == NULL)
        return 0;
-    return (long)s->time;
+    return (long)ossl_time_to_time_t(s->time);
 }
 long SSL_SESSION_set_time(SSL_SESSION *s, long t)
 {
-    time_t new_time = (time_t)t;
+    OSSL_TIME new_time = ossl_time_from_time_t((time_t)t);
    if (s == NULL)
        return 0;
@ -1066,10 +1062,11 @@ int SSL_SESSION_is_resumable(const SSL_SESSION *s)
 long SSL_CTX_set_timeout(SSL_CTX *s, long t)
 {
    long l;
    if (s == NULL)
        return 0;
-    l = s->session_timeout;
+    l = (long)ossl_time2seconds(s->session_timeout);
-    s->session_timeout = t;
+    s->session_timeout = ossl_seconds2time(t);
    return l;
 }
@ -1077,7 +1074,7 @@ long SSL_CTX_get_timeout(const SSL_CTX *s)
 {
    if (s == NULL)
        return 0;
-    return s->session_timeout;
+    return (long)ossl_time2seconds(s->session_timeout);
 }
 int SSL_set_session_secret_cb(SSL *s,
@ -1144,6 +1141,7 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
    STACK_OF(SSL_SESSION) *sk;
    SSL_SESSION *current;
    unsigned long i;
    const OSSL_TIME timeout = ossl_time_from_time_t(t);
    if (!CRYPTO_THREAD_write_lock(s->lock))
        return;
@ -1161,7 +1159,7 @@ void SSL_CTX_flush_sessions(SSL_CTX *s, long t)
     */
    while (s->session_cache_tail != NULL) {
        current = s->session_cache_tail;
-        if (t == 0 || sess_timedout((time_t)t, current)) {
+        if (t == 0 || sess_timedout(timeout, current)) {
            lh_SSL_SESSION_delete(s->sessions, current);
            SSL_SESSION_list_remove(s, current);
            current->not_resumable = 1;
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@ -128,12 +128,14 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
        }
    }
 #endif
-    if (x->time != 0L) {
+    if (!ossl_time_is_zero(x->time)) {
-        if (BIO_printf(bp, "\n    Start Time: %lld", (long long)x->time) <= 0)
+        if (BIO_printf(bp, "\n    Start Time: %lld",
                       (long long)ossl_time_to_time_t(x->time)) <= 0)
            goto err;
    }
-    if (x->timeout != 0L) {
+    if (!ossl_time_is_zero(x->timeout)) {
-        if (BIO_printf(bp, "\n    Timeout   : %lld (sec)", (long long)x->timeout) <= 0)
+        if (BIO_printf(bp, "\n    Timeout   : %lld (sec)",
                       (long long)ossl_time2seconds(x->timeout)) <= 0)
            goto err;
    }
    if (BIO_puts(bp, "\n") <= 0)
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@ -1011,6 +1011,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
    const EVP_MD *handmd = NULL, *mdres = NULL, *mdpsk = NULL;
    int dores = 0;
    SSL_CTX *sctx = SSL_CONNECTION_GET_CTX(s);
    OSSL_TIME t;
    s->ext.tick_identity = 0;
@ -1062,7 +1063,8 @@ EXT_RETURN tls_construct_ctos_psk(SSL_CONNECTION *s, WPACKET *pkt,
         * this in multiple places in the code, so portability shouldn't be an
         * issue.
         */
-        agesec = (uint32_t)(time(NULL) - s->session->time);
+        t = ossl_time_subtract(ossl_time_now(), s->session->time);
        agesec = (uint32_t)ossl_time2seconds(t);
        /*
         * We calculate the age in seconds but the server may work in ms. Due to
         * rounding errors we could overestimate the age by up to 1s. It is
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@ -1102,7 +1102,7 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
                s->ext.early_data_ok = 1;
            s->ext.ticket_expected = 1;
        } else {
-            uint32_t ticket_age = 0, agesec, agems;
+            OSSL_TIME t, age, expire;
            int ret;
            /*
@ -1141,24 +1141,24 @@ int tls_parse_ctos_psk(SSL_CONNECTION *s, PACKET *pkt, unsigned int context,
                continue;
            }
-            ticket_age = (uint32_t)ticket_agel;
+            age = ossl_time_subtract(ossl_seconds2time(ticket_agel),
-            agesec = (uint32_t)(time(NULL) - sess->time);
+                                     ossl_seconds2time(sess->ext.tick_age_add));
-            agems = agesec * (uint32_t)1000;
+            t = ossl_time_subtract(ossl_time_now(), sess->time);
            ticket_age -= sess->ext.tick_age_add;
            /*
-             * For simplicity we do our age calculations in seconds. If the
+             * Beause we use second granuality, it could appear that
-             * client does it in ms then it could appear that their ticket age
+             * the client's ticket age is longer than ours (our ticket
-             * is longer than ours (our ticket age calculation should always be
+             * age calculation should always be slightly longer than the
-             * slightly longer than the client's due to the network latency).
+             * client's due to the network latency).  Therefore we add
-             * Therefore we add 1000ms to our age calculation to adjust for
+             * 1000ms to our age calculation to adjust for rounding errors.
             * rounding errors.
             */
            expire = ossl_time_add(t, ossl_ms2time(1000));
            if (id == 0
-                    && sess->timeout >= (long)agesec
+                    && ossl_time_compare(sess->timeout, t) >= 0
-                    && agems / (uint32_t)1000 == agesec
+                    && ossl_time_compare(age, expire) <= 0
-                    && ticket_age <= agems + 1000
+                    && ossl_time_compare(ossl_time_add(age, TICKET_AGE_ALLOWANCE),
-                    && ticket_age + TICKET_AGE_ALLOWANCE >= agems + 1000) {
+                                         expire) >= 0) {
                /*
                 * Ticket age is within tolerance and not expired. We allow it
                 * for early data
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@ -2542,7 +2542,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL_CONNECTION *s,
        s->session = new_sess;
    }
-    s->session->time = time(NULL);
+    s->session->time = ossl_time_now();
    ssl_session_calculate_timeout(s->session);
    OPENSSL_free(s->session->ext.tick);
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@ -3656,7 +3656,7 @@ int tls_construct_server_certificate(SSL_CONNECTION *s, WPACKET *pkt)
 static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt,
                                 uint32_t age_add, unsigned char *tick_nonce)
 {
-    uint32_t timeout = (uint32_t)s->session->timeout;
+    uint32_t timeout = (uint32_t)ossl_time2seconds(s->session->timeout);
    /*
     * Ticket lifetime hint:
@ -3668,7 +3668,8 @@ static int create_ticket_prequel(SSL_CONNECTION *s, WPACKET *pkt,
 #define ONE_WEEK_SEC (7 * 24 * 60 * 60)
    if (SSL_CONNECTION_IS_TLS13(s)) {
-        if (s->session->timeout > ONE_WEEK_SEC)
+        if (ossl_time_compare(s->session->timeout,
                              ossl_seconds2time(ONE_WEEK_SEC)) > 0)
            timeout = ONE_WEEK_SEC;
    } else if (s->hit)
        timeout = 0;
@ -3978,7 +3979,7 @@ int tls_construct_new_session_ticket(SSL_CONNECTION *s, WPACKET *pkt)
        }
        s->session->master_key_length = hashlen;
-        s->session->time = time(NULL);
+        s->session->time = ossl_time_now();
        ssl_session_calculate_timeout(s->session);
        if (s->s3.alpn_selected != NULL) {
            OPENSSL_free(s->session->ext.alpn_selected);
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@ -98,13 +98,13 @@ SSL3_ENC_METHOD const TLSv1_3_enc_data = {
    ssl3_handshake_write
 };
-long tls1_default_timeout(void)
+OSSL_TIME tls1_default_timeout(void)
 {
    /*
     * 2 hours, the 24 hours mentioned in the TLSv1 spec is way too long for
     * http, the cache would over fill
     */
-    return (60 * 60 * 2);
+    return ossl_seconds2time(60 * 60 * 2);
 }
 int tls1_new(SSL *s)