Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ssl_sess.c: deprecate SSL_SESSION_get_time/SSL_SESSION_set_time #24307

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

ssl_sess.c: deprecate SSL_SESSION_get_time/SSL_SESSION_set_time #24307

wants to merge 5 commits into from

Conversation

kanavin
Copy link

@kanavin kanavin commented Apr 30, 2024

Fixes: #23648

@openssl-machine openssl-machine added the hold: cla required The contributor needs to submit a license agreement label Apr 30, 2024
@kanavin kanavin closed this Apr 30, 2024
@kanavin kanavin reopened this Apr 30, 2024
@kanavin
Copy link
Author

kanavin commented Apr 30, 2024

Signed CLA sent by email as specified in https://www.openssl.org/policies/cla.html

@t8m t8m added branch: master Merge to master branch triaged: feature The issue/pr requests/adds a feature tests: exempted The PR is exempt from requirements for testing labels Apr 30, 2024
@kanavin kanavin force-pushed the deprecate-time branch 2 times, most recently from 7a3b572 to 992fb43 Compare May 6, 2024 09:45
@t8m t8m added approval: review pending This pull request needs review by a committer approval: otc review pending This pull request needs review by an OTC member labels May 6, 2024
@github-actions github-actions bot added the severity: fips change The pull request changes FIPS provider sources label May 6, 2024
@kanavin kanavin closed this May 17, 2024
@kanavin kanavin reopened this May 17, 2024
@openssl-machine openssl-machine removed the hold: cla required The contributor needs to submit a license agreement label May 17, 2024
@kanavin
Copy link
Author

kanavin commented May 17, 2024

CLA issue fixed, please re-trigger the CI.

@t8m
Copy link
Member

t8m commented May 17, 2024

This is strange. The CI failure is relevant but I do not see what is causing it.

mattcaswell
mattcaswell requested changes May 17, 2024
View reviewed changes
Copy link
Member

@mattcaswell mattcaswell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably this should have an entry in CHANGES.md. We should also update the documentation to show that these are deprecated (in the same style as we have done other deprecations in the docs)

@t8m
Copy link
Member

t8m commented May 17, 2024

This is strange. The CI failure is relevant but I do not see what is causing it.

Ah, this is most probably caused by using the OSSL_DEPRECATEDIN...FOR() macro instead of just OSSL_DEPRECATED_IN_... macro. The parser updating the .num files would have to be changed. Please use just OSSL_DEPRECATED_IN_....

@kanavin
Copy link
Author

kanavin commented May 17, 2024

This is strange. The CI failure is relevant but I do not see what is causing it.

Ah, this is most probably caused by using the OSSL_DEPRECATEDIN...FOR() macro instead of just OSSL_DEPRECATED_IN_... macro. The parser updating the .num files would have to be changed. Please use just OSSL_DEPRECATED_IN_....

But that doesn't include a message advising what to use instead. You ok with that?

@mattcaswell
Copy link
Member

Ah, yeah OSSL_DEPRECATEDIN..FOR() is quite a new addition

The parser updating the .num files would have to be changed.

We should really do that

@kanavin
Copy link
Author

kanavin commented May 17, 2024
edited

I'm also baffled by the other fail as the lines don't match to where I think the problem is:

sslapitest.c
..\test\sslapitest.c(9380): error C2220: the following warning is treated as an error
..\test\sslapitest.c(9380): warning C4244: 'function': conversion from 'time_t' to 'long', possible loss of data
..\test\sslapitest.c(9387): warning C4244: 'function': conversion from 'time_t' to 'long', possible loss of data
..\test\sslapitest.c(9394): warning C4244: 'function': conversion from 'time_t' to 'long', possible loss of data

The culprit I believe is:

void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm);

I guess SSL_CTX_flush_sessions_ex is needed as well, taking time_t?

@mattcaswell
Copy link
Member

I'm also baffled by the other fail as the lines don't match to where I think the problem is:

That's github playing tricks on you. When the CI runs it automatically merges your PR against the latest master and tests the resulting code. Most likely there have been changes in sslapitest.c on master since you opened this PR which have shifted the line numbers. The problem is definitely the 3 SSL_CTX_flush_sessions calls.

@kanavin
Copy link
Author

kanavin commented May 17, 2024

So should SSL_CTX_flush_sessions_ex() introduction be a separate PR or can I bundle that here?

@t8m
Copy link
Member

t8m commented May 17, 2024

So should SSL_CTX_flush_sessions_ex() introduction be a separate PR or can I bundle that here?

IMO you can bundle it here (in a separate commit for clarity).

@mattcaswell
Copy link
Member

The parser updating the .num files would have to be changed.

This seems to fix it. @kanavin - do you want to incorporate that into this PR?

diff --git a/util/perl/OpenSSL/ParseC.pm b/util/perl/OpenSSL/ParseC.pm
index 661bd11818..f7f8a5827e 100644
--- a/util/perl/OpenSSL/ParseC.pm
+++ b/util/perl/OpenSSL/ParseC.pm
@@ -266,9 +266,15 @@ my @opensslchandlers = (
     { regexp   => qr/OSSL_DEPRECATEDIN_\d+_\d+(?:_\d+)?\s+(.*)/,
       massager => sub { return $1; },
     },
+    { regexp   => qr/OSSL_DEPRECATEDIN_\d+_\d+(?:_\d+)?_FOR<<<.*>>>(.*)/,
+      massager => sub { return $1; },
+    },
     { regexp   => qr/(.*?)\s+OSSL_DEPRECATEDIN_\d+_\d+(?:_\d+)?\s+(.*)/,
       massager => sub { return "$1 $2"; },
     },
+    { regexp   => qr/(.*?)\s+OSSL_DEPRECATEDIN_\d+_\d+(?:_\d+)?_FOR<<<.*>>>(.*)/,
+      massager => sub { return "$1 $2"; },
+    },
 
     #####
     # Core stuff

@kanavin
Copy link
Author

kanavin commented May 17, 2024

The parser updating the .num files would have to be changed.

This seems to fix it. @kanavin - do you want to incorporate that into this PR?

diff --git a/util/perl/OpenSSL/ParseC.pm b/util/perl/OpenSSL/ParseC.pm
index 661bd11818..f7f8a5827e 100644
--- a/util/perl/OpenSSL/ParseC.pm
+++ b/util/perl/OpenSSL/ParseC.pm
@@ -266,9 +266,15 @@ my @opensslchandlers = (
     { regexp   => qr/OSSL_DEPRECATEDIN_\d+_\d+(?:_\d+)?\s+(.*)/,
       massager => sub { return $1; },
     },
+    { regexp   => qr/OSSL_DEPRECATEDIN_\d+_\d+(?:_\d+)?_FOR<<<.*>>>(.*)/,
+      massager => sub { return $1; },
+    },
     { regexp   => qr/(.*?)\s+OSSL_DEPRECATEDIN_\d+_\d+(?:_\d+)?\s+(.*)/,
       massager => sub { return "$1 $2"; },
     },
+    { regexp   => qr/(.*?)\s+OSSL_DEPRECATEDIN_\d+_\d+(?:_\d+)?_FOR<<<.*>>>(.*)/,
+      massager => sub { return "$1 $2"; },
+    },
 
     #####
     # Core stuff

Yes, of course. Thanks!

util/perl/OpenSSL/ParseC.pm: correctly parse OSSL_DEPRECATEDIN_..._FOR
5900ed3 
Suggested by Matt Caswell.

Signed-off-by: Alexander Kanavin <[email protected]>
@kanavin kanavin requested a review from mattcaswell May 17, 2024 11:55
@kanavin
Copy link
Author

kanavin commented May 17, 2024

Alright, I hopefully have addressed both CI fails and review comments.

mattcaswell
mattcaswell requested changes May 17, 2024
View reviewed changes
include/openssl/ssl.h.in Outdated Show resolved Hide resolved
@kanavin kanavin requested a review from mattcaswell May 17, 2024 15:48
@t8m t8m added the hold: need otc decision The OTC needs to make a decision label May 20, 2024
@t8m
Copy link
Member

t8m commented May 20, 2024

OTC: Do we want to deprecate SSL_SESSION_get_time()/SSL_SESSION_set_time()/SSL_CTX_flush_sessions() in 3.4 or at some later point?

@github-actions github-actions bot added the severity: ABI change This pull request contains ABI changes label May 20, 2024
Alexander Kanavin added 3 commits May 21, 2024 11:51
ssl_sess.c: deprecate SSL_CTX_flush_sessions in favour of _ex() repla…
9cea86d 
…cement

The original function is using long for time and is therefore
not Y2038-safe.

Signed-off-by: Alexander Kanavin <[email protected]>
ssl_sess.c: deprecate SSL_SESSION_get_time/SSL_SESSION_set_time
d840b95 
Adjust the manpages at the same time so that only the new
functions are being presented.

Fixes: openssl#23648

Signed-off-by: Alexander Kanavin <[email protected]>
CHANGES.md: add an entry about newly deprecated time-related functions
c75c0af 
Signed-off-by: Alexander Kanavin <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattcaswell mattcaswell Awaiting requested review from mattcaswell

Assignees
No one assigned
Labels
approval: otc review pending This pull request needs review by an OTC member approval: review pending This pull request needs review by a committer branch: master Merge to master branch hold: need otc decision The OTC needs to make a decision severity: ABI change This pull request contains ABI changes severity: fips change The pull request changes FIPS provider sources tests: exempted The PR is exempt from requirements for testing triaged: feature The issue/pr requests/adds a feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Y2038: SSL_SESSION_get_time, SSL_SESSION_set_time should be deprecated (and eventually removed)
4 participants
@kanavin @t8m @mattcaswell @openssl-machine