ssl_sess.c: deprecate SSL_SESSION_get_time/SSL_SESSION_set_time

Adjust the manpages at the same time so that only the new
functions are being presented.

Fixes: #23648

Signed-off-by: Alexander Kanavin <alex@linutronix.de>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24307)

doc/man3/SSL_CTX_set_ct_validation_callback.pod

@@ -101,7 +101,7 @@ otherwise.
 When SCT processing is enabled, OCSP stapling will be enabled. This is because
 one possible source of SCTs is the OCSP response from a server.
 
-The time returned by SSL_SESSION_get_time() will be used to evaluate whether any
+The time returned by SSL_SESSION_get_time_ex() will be used to evaluate whether any
 presented SCTs have timestamps that are in the future (and therefore invalid).
 
 =head1 RESTRICTIONS

doc/man3/SSL_SESSION_get_time.pod

@@ -11,26 +11,31 @@ SSL_get_time, SSL_set_time, SSL_get_timeout, SSL_set_timeout
 
  #include <openssl/ssl.h>
 
- long SSL_SESSION_get_time(const SSL_SESSION *s);
- long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
  long SSL_SESSION_get_timeout(const SSL_SESSION *s);
  long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm);
 
- long SSL_get_time(const SSL_SESSION *s);
- long SSL_set_time(SSL_SESSION *s, long tm);
  long SSL_get_timeout(const SSL_SESSION *s);
  long SSL_set_timeout(SSL_SESSION *s, long tm);
 
  time_t SSL_SESSION_get_time_ex(const SSL_SESSION *s);
  time_t SSL_SESSION_set_time_ex(SSL_SESSION *s, time_t tm);
 
+The following functions have been deprecated since OpenSSL 3.4, and can be
+hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
+see L<openssl_user_macros(7)>:
+
+ long SSL_SESSION_get_time(const SSL_SESSION *s);
+ long SSL_SESSION_set_time(SSL_SESSION *s, long tm);
+ long SSL_get_time(const SSL_SESSION *s);
+ long SSL_set_time(SSL_SESSION *s, long tm);
+
 =head1 DESCRIPTION
 
-SSL_SESSION_get_time() returns the time at which the session B<s> was
+SSL_SESSION_get_time_ex() returns the time at which the session B<s> was
 established. The time is given in seconds since the Epoch and therefore
 compatible to the time delivered by the time() call.
 
-SSL_SESSION_set_time() replaces the creation time of the session B<s> with
+SSL_SESSION_set_time_ex() replaces the creation time of the session B<s> with
 the chosen value B<tm>.
 
 SSL_SESSION_get_timeout() returns the timeout value set for session B<s>
@@ -39,9 +44,10 @@ in seconds.
 SSL_SESSION_set_timeout() sets the timeout value for session B<s> in seconds
 to B<tm>.
 
-SSL_SESSION_get_time_ex() and SSL_SESSION_set_time_ex() extended functions use
-the time_t datatype instead of long to fix the Y2038 problem on systems with
-64 bit time_t type.
+SSL_SESSION_get_time() and SSL_SESSION_set_time() functions use
+the long datatype instead of time_t and are therefore deprecated due to not
+being Y2038-safe on 32 bit systems. Note that such systems still need
+to be configured to use 64 bit time_t to be able to avoid overflow in system time.
 
 The SSL_get_time(), SSL_set_time(), SSL_get_timeout(), and SSL_set_timeout()
 functions are synonyms for the SSL_SESSION_*() counterparts.
@@ -57,10 +63,10 @@ of the session.
 
 =head1 RETURN VALUES
 
-SSL_SESSION_get_time() and SSL_SESSION_get_timeout() return the currently
+SSL_SESSION_get_time_ex() and SSL_SESSION_get_timeout() return the currently
 valid values.
 
-SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success.
+SSL_SESSION_set_time_ex() and SSL_SESSION_set_timeout() return 1 on success.
 
 If any of the function is passed the NULL pointer for the session B<s>,
 0 is returned.

include/openssl/ssl.h.in

@@ -1685,8 +1685,13 @@ __owur const char *SSL_state_string(const SSL *s);
 __owur const char *SSL_rstate_string(const SSL *s);
 __owur const char *SSL_state_string_long(const SSL *s);
 __owur const char *SSL_rstate_string_long(const SSL *s);
+
+#ifndef OPENSSL_NO_DEPRECATED_3_4
+OSSL_DEPRECATEDIN_3_4_FOR("not Y2038-safe, replace with SSL_SESSION_get_time_ex()")
 __owur long SSL_SESSION_get_time(const SSL_SESSION *s);
+OSSL_DEPRECATEDIN_3_4_FOR("not Y2038-safe, replace with SSL_SESSION_set_time_ex()")
 __owur long SSL_SESSION_set_time(SSL_SESSION *s, long t);
+#endif
 __owur long SSL_SESSION_get_timeout(const SSL_SESSION *s);
 __owur long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
 __owur int SSL_SESSION_get_protocol_version(const SSL_SESSION *s);

ssl/ssl_lib.c

@@ -6363,7 +6363,7 @@ int ssl_validate_ct(SSL_CONNECTION *s)
     CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx,
             SSL_CONNECTION_GET_CTX(s)->ctlog_store);
     CT_POLICY_EVAL_CTX_set_time(
-            ctx, (uint64_t)SSL_SESSION_get_time(s->session) * 1000);
+            ctx, (uint64_t)SSL_SESSION_get_time_ex(s->session) * 1000);
 
     scts = SSL_get0_peer_scts(SSL_CONNECTION_GET_SSL(s));
 

ssl/ssl_sess.c

@@ -941,10 +941,12 @@ long SSL_SESSION_get_timeout(const SSL_SESSION *s)
     return (long)ossl_time_to_time_t(s->timeout);
 }
 
+#ifndef OPENSSL_NO_DEPRECATED_3_4
 long SSL_SESSION_get_time(const SSL_SESSION *s)
 {
     return (long) SSL_SESSION_get_time_ex(s);
 }
+#endif
 
 time_t SSL_SESSION_get_time_ex(const SSL_SESSION *s)
 {
@@ -973,10 +975,12 @@ time_t SSL_SESSION_set_time_ex(SSL_SESSION *s, time_t t)
     return t;
 }
 
+#ifndef OPENSSL_NO_DEPRECATED_3_4
 long SSL_SESSION_set_time(SSL_SESSION *s, long t)
 {
     return (long) SSL_SESSION_set_time_ex(s, (time_t) t);
 }
+#endif
 
 int SSL_SESSION_get_protocol_version(const SSL_SESSION *s)
 {

test/clienthellotest.c

@@ -164,7 +164,7 @@ static int test_client_hello(int currtest)
          * We reset the creation time so that we don't discard the session as
          * too old.
          */
-        if (!TEST_true(SSL_SESSION_set_time(sess, (long)time(NULL)))
+        if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL)))
                 || !TEST_true(SSL_set_session(con, sess)))
             goto end;
     }

test/sslapitest.c

@@ -2330,9 +2330,9 @@ static int execute_test_session(int maxprot, int use_int_cache,
      */
 
     /* Make sess1 expire before sess2 */
-    if (!TEST_long_gt(SSL_SESSION_set_time(sess1, 1000), 0)
+    if (!TEST_time_t_gt(SSL_SESSION_set_time_ex(sess1, 1000), 0)
             || !TEST_long_gt(SSL_SESSION_set_timeout(sess1, 1000), 0)
-            || !TEST_long_gt(SSL_SESSION_set_time(sess2, 2000), 0)
+            || !TEST_time_t_gt(SSL_SESSION_set_time_ex(sess2, 2000), 0)
             || !TEST_long_gt(SSL_SESSION_set_timeout(sess2, 2000), 0))
         goto end;
 
@@ -3991,7 +3991,7 @@ static int early_data_skip_helper(int testtype, int cipher, int idx)
          * time. It could be any value as long as it is not within tolerance.
          * This should mean the ticket is rejected.
          */
-        if (!TEST_true(SSL_SESSION_set_time(sess, (long)(time(NULL) - 20))))
+        if (!TEST_true(SSL_SESSION_set_time_ex(sess, time(NULL) - 20)))
             goto end;
     }
 
@@ -9325,7 +9325,7 @@ static int test_session_timeout(int test)
     SSL_SESSION *late = NULL;
     SSL_CTX *ctx;
     int testresult = 0;
-    long now = (long)time(NULL);
+    time_t now = time(NULL);
 #define TIMEOUT 10
 
     if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_method()))
@@ -9353,9 +9353,9 @@ static int test_session_timeout(int test)
         || !TEST_ptr(late->prev))
         goto end;
 
-    if (!TEST_int_ne(SSL_SESSION_set_time(early, now - 10), 0)
-        || !TEST_int_ne(SSL_SESSION_set_time(middle, now), 0)
-        || !TEST_int_ne(SSL_SESSION_set_time(late, now + 10), 0))
+    if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now - 10), 0)
+        || !TEST_time_t_ne(SSL_SESSION_set_time_ex(middle, now), 0)
+        || !TEST_time_t_ne(SSL_SESSION_set_time_ex(late, now + 10), 0))
         goto end;
 
     if (!TEST_int_ne(SSL_SESSION_set_timeout(early, TIMEOUT), 0)
@@ -9421,9 +9421,9 @@ static int test_session_timeout(int test)
 
     /* make sure |now| is NOT  equal to the current time */
     now -= 10;
-    if (!TEST_int_ne(SSL_SESSION_set_time(early, now), 0)
+    if (!TEST_time_t_ne(SSL_SESSION_set_time_ex(early, now), 0)
         || !TEST_int_eq(SSL_CTX_add_session(ctx, early), 1)
-        || !TEST_long_ne(SSL_SESSION_get_time(early), now))
+        || !TEST_time_t_ne(SSL_SESSION_get_time_ex(early), now))
         goto end;
 
     testresult = 1;

util/libssl.num

@@ -147,7 +147,7 @@ SSL_set_security_callback               147	3_0_0	EXIST::FUNCTION:
 SSL_SRP_CTX_init                        148	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
 ERR_load_SSL_strings                    149	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 SSL_CTX_SRP_CTX_init                    150	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,SRP
-SSL_SESSION_set_time                    151	3_0_0	EXIST::FUNCTION:
+SSL_SESSION_set_time                    151	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_4
 i2d_SSL_SESSION                         152	3_0_0	EXIST::FUNCTION:
 SSL_SESSION_get_master_key              153	3_0_0	EXIST::FUNCTION:
 SSL_COMP_get_compression_methods        154	3_0_0	EXIST::FUNCTION:
@@ -246,7 +246,7 @@ SSL_get_verify_mode                     246	3_0_0	EXIST::FUNCTION:
 SSL_CIPHER_get_id                       247	3_0_0	EXIST::FUNCTION:
 SSL_SESSION_print_keylog                248	3_0_0	EXIST::FUNCTION:
 SSL_CTX_set_psk_client_callback         249	3_0_0	EXIST::FUNCTION:PSK
-SSL_SESSION_get_time                    250	3_0_0	EXIST::FUNCTION:
+SSL_SESSION_get_time                    250	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_4
 SSL_set_debug                           251	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_1_1_0
 SSL_get_security_level                  252	3_0_0	EXIST::FUNCTION:
 SSL_CIPHER_description                  253	3_0_0	EXIST::FUNCTION: