1 files changed, 24 insertions, 45 deletions

diff --git a/security/nss/lib/ssl/sslnonce.c b/security/nss/lib/ssl/sslnonce.c
index f8fb5d50f..b7b5b7fe5 100644
--- a/security/nss/lib/ssl/sslnonce.c
+++ b/security/nss/lib/ssl/sslnonce.c
@@ -20,8 +20,6 @@
 #include <time.h>
 #endif
 
-PRUint32 ssl3_sid_timeout = 86400L; /* 24 hours */
-
 static sslSessionID *cache = NULL;
 static PZLock *cacheLock = NULL;
 
@@ -259,30 +257,28 @@ ssl_ReferenceSID(sslSessionID *sid)
 */
 
 sslSessionID *
-ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID,
+ssl_LookupSID(PRTime now, const PRIPv6Addr *addr, PRUint16 port, const char *peerID,
               const char *urlSvrName)
 {
     sslSessionID **sidp;
     sslSessionID *sid;
-    PRUint32 now;
 
     if (!urlSvrName)
         return NULL;
-    now = ssl_TimeSec();
     LOCK_CACHE;
     sidp = &cache;
     while ((sid = *sidp) != 0) {
         PORT_Assert(sid->cached == in_client_cache);
         PORT_Assert(sid->references >= 1);
 
-        SSL_TRC(8, ("SSL: Lookup1: sid=0x%x", sid));
+        SSL_TRC(8, ("SSL: lookup: sid=0x%x", sid));
 
         if (sid->expirationTime < now) {
             /*
             ** This session-id timed out.
             ** Don't even care who it belongs to, blow it out of our cache.
             */
-            SSL_TRC(7, ("SSL: lookup1, throwing sid out, age=%d refs=%d",
+            SSL_TRC(7, ("SSL: lookup, throwing sid out, age=%d refs=%d",
                         now - sid->creationTime, sid->references));
 
             *sidp = sid->next;                                      /* delink it from the list. */
@@ -316,7 +312,7 @@ ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID,
 ** Although this is static, it is called via ss->sec.cache().
 */
 static void
-CacheSID(sslSessionID *sid)
+CacheSID(sslSessionID *sid, PRTime creationTime)
 {
     PORT_Assert(sid);
     PORT_Assert(sid->cached == never_cached);
@@ -353,11 +349,16 @@ CacheSID(sslSessionID *sid)
     if (!sid->u.ssl3.lock) {
         return;
     }
-    PORT_Assert(sid->creationTime != 0 && sid->expirationTime != 0);
-    if (!sid->creationTime)
-        sid->lastAccessTime = sid->creationTime = ssl_TimeUsec();
-    if (!sid->expirationTime)
-        sid->expirationTime = sid->creationTime + ssl3_sid_timeout * PR_USEC_PER_SEC;
+    PORT_Assert(sid->creationTime != 0);
+    if (!sid->creationTime) {
+        sid->lastAccessTime = sid->creationTime = creationTime;
+    }
+    PORT_Assert(sid->expirationTime != 0);
+    if (!sid->expirationTime) {
+        sid->expirationTime = sid->creationTime + (PR_MIN(ssl_ticket_lifetime,
+                                                          sid->u.ssl3.locked.sessionTicket.ticket_lifetime_hint) *
+                                                   PR_USEC_PER_SEC);
+    }
 
     /*
      * Put sid into the cache.  Bump reference count to indicate that
@@ -726,13 +727,13 @@ ssl_IsResumptionTokenUsable(sslSocket *ss, sslSessionID *sid)
     if (ticket->ticket_lifetime_hint != 0) {
         endTime = ticket->received_timestamp +
                   (PRTime)(ticket->ticket_lifetime_hint * PR_USEC_PER_SEC);
-        if (endTime < ssl_TimeUsec()) {
+        if (endTime <= ssl_Time(ss)) {
             return PR_FALSE;
         }
     }
 
     // Check that the session entry didn't expire.
-    if (sid->expirationTime < ssl_TimeUsec()) {
+    if (sid->expirationTime < ssl_Time(ss)) {
         return PR_FALSE;
     }
 
@@ -1087,10 +1088,12 @@ ssl_CacheExternalToken(sslSocket *ss)
     }
 
     if (!sid->creationTime) {
-        sid->lastAccessTime = sid->creationTime = ssl_TimeUsec();
+        sid->lastAccessTime = sid->creationTime = ssl_Time(ss);
     }
     if (!sid->expirationTime) {
-        sid->expirationTime = sid->creationTime + ssl3_sid_timeout;
+        sid->expirationTime = sid->creationTime + (PR_MIN(ssl_ticket_lifetime,
+                                                          sid->u.ssl3.locked.sessionTicket.ticket_lifetime_hint) *
+                                                   PR_USEC_PER_SEC);
     }
 
     sslBuffer encodedToken = SSL_BUFFER_EMPTY;
@@ -1129,11 +1132,11 @@ ssl_CacheSessionID(sslSocket *ss)
 
     PORT_Assert(!ss->resumptionTokenCallback);
     if (sec->isServer) {
-        ssl_ServerCacheSessionID(sec->ci.sid);
+        ssl_ServerCacheSessionID(sec->ci.sid, ssl_Time(ss));
         return;
     }
 
-    CacheSID(sec->ci.sid);
+    CacheSID(sec->ci.sid, ssl_Time(ss));
 }
 
 void
@@ -1165,32 +1168,8 @@ SSL_ClearSessionCache(void)
     UNLOCK_CACHE;
 }
 
-/* returns an unsigned int containing the number of seconds in PR_Now() */
-PRUint32
-ssl_TimeSec(void)
-{
-#ifdef UNSAFE_FUZZER_MODE
-    return 1234;
-#endif
-
-    PRUint32 myTime;
-#if defined(XP_UNIX) || defined(XP_WIN) || defined(_WINDOWS) || defined(XP_BEOS)
-    myTime = time(NULL); /* accurate until the year 2038. */
-#else
-    /* portable, but possibly slower */
-    PRTime now;
-    PRInt64 ll;
-
-    now = PR_Now();
-    LL_I2L(ll, 1000000L);
-    LL_DIV(now, now, ll);
-    LL_L2UI(myTime, now);
-#endif
-    return myTime;
-}
-
 PRBool
-ssl_TicketTimeValid(const NewSessionTicket *ticket)
+ssl_TicketTimeValid(const sslSocket *ss, const NewSessionTicket *ticket)
 {
     PRTime endTime;
 
@@ -1200,7 +1179,7 @@ ssl_TicketTimeValid(const NewSessionTicket *ticket)
 
     endTime = ticket->received_timestamp +
               (PRTime)(ticket->ticket_lifetime_hint * PR_USEC_PER_SEC);
-    return endTime > ssl_TimeUsec();
+    return endTime > ssl_Time(ss);
 }
 
 void