From 71d6ded93deb4d1edc464874b5359ece0ef857d2 Mon Sep 17 00:00:00 2001
From: guenther <>
Date: Sun, 20 Apr 2014 12:48:19 +0000
Subject: Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.
ok tedu@
---
 src/lib/libcrypto/crypto/shlib_version | 2 +-
 src/lib/libcrypto/shlib_version | 2 +-
 src/lib/libssl/shlib_version | 2 +-
 src/lib/libssl/src/ssl/s3_enc.c | 2 --
 src/lib/libssl/src/ssl/ssl.h | 20 +++++++-------------
 src/lib/libssl/src/ssl/ssl_asn1.c | 24 +++---------------------
 src/lib/libssl/src/ssl/ssl_lib.c | 7 ++-----
 src/lib/libssl/src/ssl/ssl_sess.c | 10 ++++++----
 src/lib/libssl/src/ssl/ssl_txt.c | 14 ++------------
 src/lib/libssl/src/ssl/t1_enc.c | 1 -
 src/lib/libssl/ssl.h | 20 +++++++-------------
 src/lib/libssl/ssl/shlib_version | 2 +-
 src/lib/libssl/ssl_asn1.c | 24 +++---------------------
 src/lib/libssl/ssl_lib.c | 7 ++-----
 src/lib/libssl/ssl_sess.c | 10 ++++++----
 src/lib/libssl/ssl_txt.c | 14 ++------------
 src/lib/libssl/t1_enc.c | 1 -
 17 files changed, 44 insertions(+), 118 deletions(-)
 (limited to 'src/lib')
diff --git a/src/lib/libcrypto/crypto/shlib_version b/src/lib/libcrypto/crypto/shlib_version
index 361604a5eb..c622cb8cdf 100644
--- a/src/lib/libcrypto/crypto/shlib_version
+++ b/src/lib/libcrypto/crypto/shlib_version
@@ -1,2 +1,2 @@
-major=25
+major=26
 minor=0
diff --git a/src/lib/libcrypto/shlib_version b/src/lib/libcrypto/shlib_version
index 361604a5eb..c622cb8cdf 100644
--- a/src/lib/libcrypto/shlib_version
+++ b/src/lib/libcrypto/shlib_version
@@ -1,2 +1,2 @@
-major=25
+major=26
 minor=0
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index df4de0fc4d..906022aa66 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,2 +1,2 @@
-major=23
+major=24
 minor=0
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c index 4d12631694..2b02c5ba06 100644 --- a/src/lib/libssl/src/ssl/s3_enc.c +++ b/src/lib/libssl/src/ssl/s3_enc.c @@ -361,8 +361,6 @@ ssl3_change_cipher_state(SSL *s, int which) } } - s->session->key_arg_length = 0; - EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE)); OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key)); diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index f3ca8c5c4e..3624bdcccd 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h @@ -399,7 +399,7 @@ struct ssl_cipher_st { }; -/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ +/* Used to hold functions for SSLv3/TLSv1 functions */ struct ssl_method_st { int version; int (*ssl_new)(SSL *s); @@ -442,7 +442,6 @@ struct ssl_method_st { * Session_ID OCTET STRING, -- the Session ID * Master_key OCTET STRING, -- the master key * KRB5_principal OCTET STRING -- optional Kerberos principal - * Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate @@ -463,9 +462,6 @@ struct ssl_session_st { int ssl_version; /* what ssl version session info is * being kept in here? */ - /* only really used in SSLv2 */ - unsigned int key_arg_length; - unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH]; int master_key_length; unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; /* session_id - valid? */ @@ -502,9 +498,9 @@ struct ssl_session_st { * is not ok, we must remember the error for session reuse: */ long verify_result; /* only for servers */ - int references; long timeout; - long time; + time_t time; + int references; unsigned int compress_meth; /* Need to lookup the method */ 
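Review bot: The `time` member of struct ssl_session_st now holds a `time_t`, but nothing at the declaration tells a reader that the value is still handed around as `long` — the definitions of SSL_SESSION_get_time, SSL_SESSION_set_time and SSL_CTX_flush_sessions in ssl_sess.c keep `long`, and the `/* XXX 2038 */` markers this commit adds landed only there, not in the public header. Suggest annotating the new field so the narrowing is visible where the type is declared, e.g. `time_t time; /* XXX 2038: public accessors still narrow this to long */`. The struct hunk continues past the visible context, and the same hunk appears in the mirrored src/lib/libssl/ssl.h.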
@@ -845,9 +841,8 @@ struct ssl_ctx_st { CRYPTO_EX_DATA ex_data; - const EVP_MD *rsa_md5; /* For SSLv2 - name is 'ssl2-md5' */ const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ - const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ + const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */ STACK_OF(X509) *extra_certs; STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ @@ -1155,7 +1150,6 @@ struct ssl_st { unsigned char *packet; unsigned int packet_length; - struct ssl2_state_st *s2; /* SSLv2 variables */ struct ssl3_state_st *s3; /* SSLv3 variables */ struct dtls1_state_st *d1; /* DTLSv1 variables */ @@ -1828,9 +1822,9 @@ const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */ -const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */ -const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */ -const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */ +const SSL_METHOD *SSLv23_method(void); /* SSLv3 or TLSv1.* */ +const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 or TLSv1.* */ +const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 or TLSv1.* */ const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ diff --git a/src/lib/libssl/src/ssl/ssl_asn1.c b/src/lib/libssl/src/ssl/ssl_asn1.c index c551ec4877..1d2590268c 100644 --- a/src/lib/libssl/src/ssl/ssl_asn1.c +++ b/src/lib/libssl/src/ssl/ssl_asn1.c @@ -97,7 +97,6 @@ typedef struct ssl_session_asn1_st { ASN1_OCTET_STRING master_key; ASN1_OCTET_STRING session_id; ASN1_OCTET_STRING session_id_context; - ASN1_OCTET_STRING key_arg; #ifndef OPENSSL_NO_KRB5 ASN1_OCTET_STRING krb5_princ; #endif /* OPENSSL_NO_KRB5 */ 
@@ -190,10 +189,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.session_id_context.type = V_ASN1_OCTET_STRING; a.session_id_context.data = in->sid_ctx; - a.key_arg.length = in->key_arg_length; - a.key_arg.type = V_ASN1_OCTET_STRING; - a.key_arg.data = in->key_arg; - #ifndef OPENSSL_NO_KRB5 if (in->krb5_client_princ_len) { a.krb5_princ.length = in->krb5_client_princ_len; @@ -206,7 +201,7 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.time.length = LSIZE2; a.time.type = V_ASN1_INTEGER; a.time.data = ibuf3; - ASN1_INTEGER_set(&(a.time), in->time); + ASN1_INTEGER_set(&(a.time), in->time); /* XXX 2038 */ } if (in->timeout != 0L) { @@ -270,8 +265,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) if (in->krb5_client_princ_len) M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); #endif /* OPENSSL_NO_KRB5 */ - if (in->key_arg_length > 0) - M_ASN1_I2D_len_IMP_opt(&(a.key_arg), i2d_ASN1_OCTET_STRING); if (in->time != 0L) M_ASN1_I2D_len_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1); if (in->timeout != 0L) @@ -316,8 +309,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) if (in->krb5_client_princ_len) M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); #endif /* OPENSSL_NO_KRB5 */ - if (in->key_arg_length > 0) - M_ASN1_I2D_put_IMP_opt(&(a.key_arg), i2d_ASN1_OCTET_STRING, 0); if (in->time != 0L) M_ASN1_I2D_put_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1); if (in->timeout != 0L) 
@@ -445,24 +436,15 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) ret->krb5_client_princ_len = 0; #endif /* OPENSSL_NO_KRB5 */ - M_ASN1_D2I_get_IMP_opt(osp, d2i_ASN1_OCTET_STRING, 0, V_ASN1_OCTET_STRING); - if (os.length > SSL_MAX_KEY_ARG_LENGTH) - ret->key_arg_length = SSL_MAX_KEY_ARG_LENGTH; - else - ret->key_arg_length = os.length; - memcpy(ret->key_arg, os.data, ret->key_arg_length); - if (os.data != NULL) - free(os.data); - ai.length = 0; - M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1); + M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1); /* XXX 2038 */ if (ai.data != NULL) { ret->time = ASN1_INTEGER_get(aip); free(ai.data); ai.data = NULL; ai.length = 0; } else - ret->time = (unsigned long)time(NULL); + ret->time = time(NULL); ai.length = 0; M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 2); diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c index 3ab353b8eb..21d6835b98 100644 --- a/src/lib/libssl/src/ssl/ssl_lib.c +++ b/src/lib/libssl/src/ssl/ssl_lib.c @@ -1712,11 +1712,8 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->references = 1; ret->quiet_shutdown = 0; -/* ret->cipher=NULL;*/ -/* ret->s2->challenge=NULL; +/* ret->cipher=NULL; ret->master_key=NULL; - ret->key_arg=NULL; - ret->s2->conn_id=NULL; */ ret->info_callback = NULL; @@ -2340,7 +2337,7 @@ ssl_update_cache(SSL *s, int mode) if ((((mode & SSL_SESS_CACHE_CLIENT) ?s->session_ctx->stats.sess_connect_good :s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) { - SSL_CTX_flush_sessions(s->session_ctx,(unsigned long)time(NULL)); + SSL_CTX_flush_sessions(s->session_ctx, time(NULL)); } } } diff --git a/src/lib/libssl/src/ssl/ssl_sess.c b/src/lib/libssl/src/ssl/ssl_sess.c index c67ae1c22f..c032154d48 100644 --- a/src/lib/libssl/src/ssl/ssl_sess.c +++ b/src/lib/libssl/src/ssl/ssl_sess.c 
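Review bot: The `/* XXX 2038 */` marker in d2i_SSL_SESSION is attached to `M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1)`, which only decodes an ASN1_INTEGER of whatever width is on the wire; the narrowing happens two lines later in `ret->time = ASN1_INTEGER_get(aip);`, because ASN1_INTEGER_get returns a `long`, so the marker belongs on that line. If memory serves, ASN1_INTEGER_get also reports a value too wide for `long` as -1 rather than as an error, and the decoder stores that result unchecked, so a guard such as `if (ret->time < 0) goto err;` (reusing the existing error exit) would keep an out-of-range Start Time in an externally supplied session blob out of the cache. Dropping the `[0] IMPLICIT` Key_Arg read presumably also means a serialized session that still carries that element no longer decodes; since only the SSLv2 paths filled key_arg that looks acceptable, but it merits a sentence in the commit message. The same hunk appears in the mirrored src/lib/libssl/ssl_asn1.c.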
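Review bot: The SSL_CTX_new hunk trims the SSLv2 lines out of a commented-out initialiser block but keeps the remainder, so `/* ret->cipher=NULL; ret->master_key=NULL; */` survives as dead text that no compiler checks and that drifts further from the live struct with every rename. Since the function already initialises the members it needs explicitly, delete the whole comment rather than editing it. The same hunk appears in the mirrored src/lib/libssl/ssl_lib.c.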
@@ -205,7 +205,7 @@ SSL_SESSION_new(void) ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references = 1; ss->timeout=60*5+4; /* 5 minute timeout by default */ - ss->time = (unsigned long)time(NULL); + ss->time = time(NULL); ss->prev = NULL; ss->next = NULL; ss->compress_meth = 0; @@ -555,7 +555,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, goto err; } - if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */ + if (ret->timeout < (time(NULL) - ret->time)) /* timeout */ { s->session_ctx->stats.sess_timeout++; if (try_session_cache) { @@ -699,7 +699,6 @@ SSL_SESSION_free(SSL_SESSION *ss) CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); - OPENSSL_cleanse(ss->key_arg, sizeof ss->key_arg); OPENSSL_cleanse(ss->master_key, sizeof ss->master_key); OPENSSL_cleanse(ss->session_id, sizeof ss->session_id); if (ss->sess_cert != NULL) @@ -807,6 +806,7 @@ SSL_SESSION_get_timeout(const SSL_SESSION *s) return (s->timeout); } +/* XXX 2038 */ long SSL_SESSION_get_time(const SSL_SESSION *s) { @@ -815,6 +815,7 @@ SSL_SESSION_get_time(const SSL_SESSION *s) return (s->time); } +/* XXX 2038 */ long SSL_SESSION_set_time(SSL_SESSION *s, long t) { @@ -926,7 +927,7 @@ typedef struct timeout_param_st { static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) { - if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */ + if ((p->time == 0) || (p->time > (s->time + s->timeout))) /* timeout */ { /* The reason we don't call SSL_CTX_remove_session() is to * save on locking overhead */ @@ -942,6 +943,7 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM) +/* XXX 2038 */ void SSL_CTX_flush_sessions(SSL_CTX *s, long t) { diff --git a/src/lib/libssl/src/ssl/ssl_txt.c b/src/lib/libssl/src/ssl/ssl_txt.c index 91664ffe43..5538c57562 100644 --- a/src/lib/libssl/src/ssl/ssl_txt.c +++ b/src/lib/libssl/src/ssl/ssl_txt.c 
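Review bot: `p->time > (s->time + s->timeout)` in timeout_doall_arg adds a `long` timeout to the now `time_t` start time with nothing in sight bounding either operand, so a session whose timeout was set very large makes the sum overflow, which is undefined for signed types; the commit only respaces this line, but the type change is the right moment to fix it. The check in ssl_get_prev_session earlier in this file already uses the subtraction form `ret->timeout < (time(NULL) - ret->time)`, and rewriting this test as `p->time - s->time > s->timeout` keeps the two expiry checks consistent while avoiding the sum. timeout_doall_arg's body continues past the hunk, and the mirrored src/lib/libssl/ssl_sess.c carries the same hunk.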
@@ -161,16 +161,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) goto err; } - if (BIO_puts(bp, "\n Key-Arg : ") - <= 0) goto err; - if (x->key_arg_length == 0) { - if (BIO_puts(bp, "None") - <= 0) goto err; - } else - for (i = 0; i < x->key_arg_length; i++) { - if (BIO_printf(bp, "%02X", x->key_arg[i]) - <= 0) goto err; - } #ifndef OPENSSL_NO_KRB5 if (BIO_puts(bp, "\n Krb5 Principal: ") <= 0) goto err; @@ -227,8 +217,8 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) } } #endif - if (x->time != 0L) { - if (BIO_printf(bp, "\n Start Time: %ld", x->time) + if (x->time != 0) { + if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0) goto err; } if (x->timeout != 0L) { diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c index 579eaa6ce4..3f5df9ad7a 100644 --- a/src/lib/libssl/src/ssl/t1_enc.c +++ b/src/lib/libssl/src/ssl/t1_enc.c @@ -519,7 +519,6 @@ tls1_change_cipher_state(SSL *s, int which) } } - s->session->key_arg_length = 0; #ifdef KSSL_DEBUG { int i; diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index f3ca8c5c4e..3624bdcccd 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h @@ -399,7 +399,7 @@ struct ssl_cipher_st { }; -/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ +/* Used to hold functions for SSLv3/TLSv1 functions */ struct ssl_method_st { int version; int (*ssl_new)(SSL *s); @@ -442,7 +442,6 @@ struct ssl_method_st { * Session_ID OCTET STRING, -- the Session ID * Master_key OCTET STRING, -- the master key * KRB5_principal OCTET STRING -- optional Kerberos principal - * Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate 
@@ -463,9 +462,6 @@ struct ssl_session_st { int ssl_version; /* what ssl version session info is * being kept in here? */ - /* only really used in SSLv2 */ - unsigned int key_arg_length; - unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH]; int master_key_length; unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; /* session_id - valid? */ @@ -502,9 +498,9 @@ struct ssl_session_st { * is not ok, we must remember the error for session reuse: */ long verify_result; /* only for servers */ - int references; long timeout; - long time; + time_t time; + int references; unsigned int compress_meth; /* Need to lookup the method */ @@ -845,9 +841,8 @@ struct ssl_ctx_st { CRYPTO_EX_DATA ex_data; - const EVP_MD *rsa_md5; /* For SSLv2 - name is 'ssl2-md5' */ const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ - const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ + const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */ STACK_OF(X509) *extra_certs; STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ @@ -1155,7 +1150,6 @@ struct ssl_st { unsigned char *packet; unsigned int packet_length; - struct ssl2_state_st *s2; /* SSLv2 variables */ struct ssl3_state_st *s3; /* SSLv3 variables */ struct dtls1_state_st *d1; /* DTLSv1 variables */ @@ -1828,9 +1822,9 @@ const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */ -const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */ -const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */ -const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */ +const SSL_METHOD *SSLv23_method(void); /* SSLv3 or TLSv1.* */ +const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 or TLSv1.* */ +const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 or TLSv1.* */ const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ 
diff --git a/src/lib/libssl/ssl/shlib_version b/src/lib/libssl/ssl/shlib_version index df4de0fc4d..906022aa66 100644 --- a/src/lib/libssl/ssl/shlib_version +++ b/src/lib/libssl/ssl/shlib_version @@ -1,2 +1,2 @@ -major=23 +major=24 minor=0 diff --git a/src/lib/libssl/ssl_asn1.c b/src/lib/libssl/ssl_asn1.c index c551ec4877..1d2590268c 100644 --- a/src/lib/libssl/ssl_asn1.c +++ b/src/lib/libssl/ssl_asn1.c @@ -97,7 +97,6 @@ typedef struct ssl_session_asn1_st { ASN1_OCTET_STRING master_key; ASN1_OCTET_STRING session_id; ASN1_OCTET_STRING session_id_context; - ASN1_OCTET_STRING key_arg; #ifndef OPENSSL_NO_KRB5 ASN1_OCTET_STRING krb5_princ; #endif /* OPENSSL_NO_KRB5 */ @@ -190,10 +189,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.session_id_context.type = V_ASN1_OCTET_STRING; a.session_id_context.data = in->sid_ctx; - a.key_arg.length = in->key_arg_length; - a.key_arg.type = V_ASN1_OCTET_STRING; - a.key_arg.data = in->key_arg; - #ifndef OPENSSL_NO_KRB5 if (in->krb5_client_princ_len) { a.krb5_princ.length = in->krb5_client_princ_len; @@ -206,7 +201,7 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.time.length = LSIZE2; a.time.type = V_ASN1_INTEGER; a.time.data = ibuf3; - ASN1_INTEGER_set(&(a.time), in->time); + ASN1_INTEGER_set(&(a.time), in->time); /* XXX 2038 */ } if (in->timeout != 0L) { @@ -270,8 +265,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) if (in->krb5_client_princ_len) M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); #endif /* OPENSSL_NO_KRB5 */ - if (in->key_arg_length > 0) - M_ASN1_I2D_len_IMP_opt(&(a.key_arg), i2d_ASN1_OCTET_STRING); if (in->time != 0L) M_ASN1_I2D_len_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1); if (in->timeout != 0L) 
@@ -316,8 +309,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) if (in->krb5_client_princ_len) M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); #endif /* OPENSSL_NO_KRB5 */ - if (in->key_arg_length > 0) - M_ASN1_I2D_put_IMP_opt(&(a.key_arg), i2d_ASN1_OCTET_STRING, 0); if (in->time != 0L) M_ASN1_I2D_put_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1); if (in->timeout != 0L) @@ -445,24 +436,15 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) ret->krb5_client_princ_len = 0; #endif /* OPENSSL_NO_KRB5 */ - M_ASN1_D2I_get_IMP_opt(osp, d2i_ASN1_OCTET_STRING, 0, V_ASN1_OCTET_STRING); - if (os.length > SSL_MAX_KEY_ARG_LENGTH) - ret->key_arg_length = SSL_MAX_KEY_ARG_LENGTH; - else - ret->key_arg_length = os.length; - memcpy(ret->key_arg, os.data, ret->key_arg_length); - if (os.data != NULL) - free(os.data); - ai.length = 0; - M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1); + M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1); /* XXX 2038 */ if (ai.data != NULL) { ret->time = ASN1_INTEGER_get(aip); free(ai.data); ai.data = NULL; ai.length = 0; } else - ret->time = (unsigned long)time(NULL); + ret->time = time(NULL); ai.length = 0; M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 2); diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 3ab353b8eb..21d6835b98 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c @@ -1712,11 +1712,8 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->references = 1; ret->quiet_shutdown = 0; -/* ret->cipher=NULL;*/ -/* ret->s2->challenge=NULL; +/* ret->cipher=NULL; ret->master_key=NULL; - ret->key_arg=NULL; - ret->s2->conn_id=NULL; */ ret->info_callback = NULL; @@ -2340,7 +2337,7 @@ ssl_update_cache(SSL *s, int mode) if ((((mode & SSL_SESS_CACHE_CLIENT) ?s->session_ctx->stats.sess_connect_good :s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) { - SSL_CTX_flush_sessions(s->session_ctx,(unsigned long)time(NULL)); + SSL_CTX_flush_sessions(s->session_ctx, time(NULL)); } } } 
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index c67ae1c22f..c032154d48 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c @@ -205,7 +205,7 @@ SSL_SESSION_new(void) ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references = 1; ss->timeout=60*5+4; /* 5 minute timeout by default */ - ss->time = (unsigned long)time(NULL); + ss->time = time(NULL); ss->prev = NULL; ss->next = NULL; ss->compress_meth = 0; @@ -555,7 +555,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, goto err; } - if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */ + if (ret->timeout < (time(NULL) - ret->time)) /* timeout */ { s->session_ctx->stats.sess_timeout++; if (try_session_cache) { @@ -699,7 +699,6 @@ SSL_SESSION_free(SSL_SESSION *ss) CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); - OPENSSL_cleanse(ss->key_arg, sizeof ss->key_arg); OPENSSL_cleanse(ss->master_key, sizeof ss->master_key); OPENSSL_cleanse(ss->session_id, sizeof ss->session_id); if (ss->sess_cert != NULL) @@ -807,6 +806,7 @@ SSL_SESSION_get_timeout(const SSL_SESSION *s) return (s->timeout); } +/* XXX 2038 */ long SSL_SESSION_get_time(const SSL_SESSION *s) { @@ -815,6 +815,7 @@ SSL_SESSION_get_time(const SSL_SESSION *s) return (s->time); } +/* XXX 2038 */ long SSL_SESSION_set_time(SSL_SESSION *s, long t) { @@ -926,7 +927,7 @@ typedef struct timeout_param_st { static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) { - if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */ + if ((p->time == 0) || (p->time > (s->time + s->timeout))) /* timeout */ { /* The reason we don't call SSL_CTX_remove_session() is to * save on locking overhead */ @@ -942,6 +943,7 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM) +/* XXX 2038 */ void SSL_CTX_flush_sessions(SSL_CTX *s, long t) { 
diff --git a/src/lib/libssl/ssl_txt.c b/src/lib/libssl/ssl_txt.c index 91664ffe43..5538c57562 100644 --- a/src/lib/libssl/ssl_txt.c +++ b/src/lib/libssl/ssl_txt.c @@ -161,16 +161,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) goto err; } - if (BIO_puts(bp, "\n Key-Arg : ") - <= 0) goto err; - if (x->key_arg_length == 0) { - if (BIO_puts(bp, "None") - <= 0) goto err; - } else - for (i = 0; i < x->key_arg_length; i++) { - if (BIO_printf(bp, "%02X", x->key_arg[i]) - <= 0) goto err; - } #ifndef OPENSSL_NO_KRB5 if (BIO_puts(bp, "\n Krb5 Principal: ") <= 0) goto err; @@ -227,8 +217,8 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) } } #endif - if (x->time != 0L) { - if (BIO_printf(bp, "\n Start Time: %ld", x->time) + if (x->time != 0) { + if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0) goto err; } if (x->timeout != 0L) { diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c index 579eaa6ce4..3f5df9ad7a 100644 --- a/src/lib/libssl/t1_enc.c +++ b/src/lib/libssl/t1_enc.c @@ -519,7 +519,6 @@ tls1_change_cipher_state(SSL *s, int which) } } - s->session->key_arg_length = 0; #ifdef KSSL_DEBUG { int i; -- cgit v1.2.3-55-g6feb