From: guenther Date: Sun, 20 Apr 2014 12:48:19 +0000 (+0000) Subject: Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=aa8444d1b1189fd1265d520d7e58af29deb94156;p=openbsd Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl. ok tedu@ --- diff --git a/lib/libcrypto/crypto/shlib_version b/lib/libcrypto/crypto/shlib_version index 361604a5eb3..c622cb8cdf3 100644 --- a/lib/libcrypto/crypto/shlib_version +++ b/lib/libcrypto/crypto/shlib_version @@ -1,2 +1,2 @@ -major=25 +major=26 minor=0 diff --git a/lib/libcrypto/shlib_version b/lib/libcrypto/shlib_version index 361604a5eb3..c622cb8cdf3 100644 --- a/lib/libcrypto/shlib_version +++ b/lib/libcrypto/shlib_version @@ -1,2 +1,2 @@ -major=25 +major=26 minor=0 diff --git a/lib/libssl/shlib_version b/lib/libssl/shlib_version index df4de0fc4dc..906022aa66d 100644 --- a/lib/libssl/shlib_version +++ b/lib/libssl/shlib_version @@ -1,2 +1,2 @@ -major=23 +major=24 minor=0 diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c index 4d12631694f..2b02c5ba06b 100644 --- a/lib/libssl/src/ssl/s3_enc.c +++ b/lib/libssl/src/ssl/s3_enc.c @@ -361,8 +361,6 @@ ssl3_change_cipher_state(SSL *s, int which) } } - s->session->key_arg_length = 0; - EVP_CipherInit_ex(dd, c, NULL, key, iv,(which & SSL3_CC_WRITE)); OPENSSL_cleanse(&(exp_key[0]), sizeof(exp_key)); diff --git a/lib/libssl/src/ssl/ssl.h b/lib/libssl/src/ssl/ssl.h index f3ca8c5c4e6..3624bdcccd8 100644 --- a/lib/libssl/src/ssl/ssl.h +++ b/lib/libssl/src/ssl/ssl.h @@ -399,7 +399,7 @@ struct ssl_cipher_st { }; -/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ +/* Used to hold functions for SSLv3/TLSv1 functions */ struct ssl_method_st { int version; int (*ssl_new)(SSL *s); @@ -442,7 +442,6 @@ struct ssl_method_st { * Session_ID OCTET STRING, -- the Session ID * Master_key OCTET STRING, -- the master key * KRB5_principal OCTET STRING -- optional Kerberos principal - * Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate @@ -463,9 +462,6 @@ struct ssl_session_st { int ssl_version; /* what ssl version session info is * being kept in here? */ - /* only really used in SSLv2 */ - unsigned int key_arg_length; - unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH]; int master_key_length; unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; /* session_id - valid? */ @@ -502,9 +498,9 @@ struct ssl_session_st { * is not ok, we must remember the error for session reuse: */ long verify_result; /* only for servers */ - int references; long timeout; - long time; + time_t time; + int references; unsigned int compress_meth; /* Need to lookup the method */ @@ -845,9 +841,8 @@ struct ssl_ctx_st { CRYPTO_EX_DATA ex_data; - const EVP_MD *rsa_md5; /* For SSLv2 - name is 'ssl2-md5' */ const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ - const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ + const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */ STACK_OF(X509) *extra_certs; STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ @@ -1155,7 +1150,6 @@ struct ssl_st { unsigned char *packet; unsigned int packet_length; - struct ssl2_state_st *s2; /* SSLv2 variables */ struct ssl3_state_st *s3; /* SSLv3 variables */ struct dtls1_state_st *d1; /* DTLSv1 variables */ @@ -1828,9 +1822,9 @@ const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */ -const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */ -const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */ -const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */ +const SSL_METHOD *SSLv23_method(void); /* SSLv3 or TLSv1.* */ +const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 or TLSv1.* */ +const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 or TLSv1.* */ const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ diff --git a/lib/libssl/src/ssl/ssl_asn1.c b/lib/libssl/src/ssl/ssl_asn1.c index c551ec48772..1d2590268ce 100644 --- a/lib/libssl/src/ssl/ssl_asn1.c +++ b/lib/libssl/src/ssl/ssl_asn1.c @@ -97,7 +97,6 @@ typedef struct ssl_session_asn1_st { ASN1_OCTET_STRING master_key; ASN1_OCTET_STRING session_id; ASN1_OCTET_STRING session_id_context; - ASN1_OCTET_STRING key_arg; #ifndef OPENSSL_NO_KRB5 ASN1_OCTET_STRING krb5_princ; #endif /* OPENSSL_NO_KRB5 */ @@ -190,10 +189,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.session_id_context.type = V_ASN1_OCTET_STRING; a.session_id_context.data = in->sid_ctx; - a.key_arg.length = in->key_arg_length; - a.key_arg.type = V_ASN1_OCTET_STRING; - a.key_arg.data = in->key_arg; - #ifndef OPENSSL_NO_KRB5 if (in->krb5_client_princ_len) { a.krb5_princ.length = in->krb5_client_princ_len; @@ -206,7 +201,7 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.time.length = LSIZE2; a.time.type = V_ASN1_INTEGER; a.time.data = ibuf3; - ASN1_INTEGER_set(&(a.time), in->time); + ASN1_INTEGER_set(&(a.time), in->time); /* XXX 2038 */ } if (in->timeout != 0L) { @@ -270,8 +265,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) if (in->krb5_client_princ_len) M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); #endif /* OPENSSL_NO_KRB5 */ - if (in->key_arg_length > 0) - M_ASN1_I2D_len_IMP_opt(&(a.key_arg), i2d_ASN1_OCTET_STRING); if (in->time != 0L) M_ASN1_I2D_len_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1); if (in->timeout != 0L) @@ -316,8 +309,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) if (in->krb5_client_princ_len) M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); #endif /* OPENSSL_NO_KRB5 */ - if (in->key_arg_length > 0) - M_ASN1_I2D_put_IMP_opt(&(a.key_arg), i2d_ASN1_OCTET_STRING, 0); if (in->time != 0L) M_ASN1_I2D_put_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1); if (in->timeout != 0L) @@ -445,24 +436,15 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) ret->krb5_client_princ_len = 0; #endif /* OPENSSL_NO_KRB5 */ - M_ASN1_D2I_get_IMP_opt(osp, d2i_ASN1_OCTET_STRING, 0, V_ASN1_OCTET_STRING); - if (os.length > SSL_MAX_KEY_ARG_LENGTH) - ret->key_arg_length = SSL_MAX_KEY_ARG_LENGTH; - else - ret->key_arg_length = os.length; - memcpy(ret->key_arg, os.data, ret->key_arg_length); - if (os.data != NULL) - free(os.data); - ai.length = 0; - M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1); + M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1); /* XXX 2038 */ if (ai.data != NULL) { ret->time = ASN1_INTEGER_get(aip); free(ai.data); ai.data = NULL; ai.length = 0; } else - ret->time = (unsigned long)time(NULL); + ret->time = time(NULL); ai.length = 0; M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 2); diff --git a/lib/libssl/src/ssl/ssl_lib.c b/lib/libssl/src/ssl/ssl_lib.c index 3ab353b8eb9..21d6835b98e 100644 --- a/lib/libssl/src/ssl/ssl_lib.c +++ b/lib/libssl/src/ssl/ssl_lib.c @@ -1712,11 +1712,8 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->references = 1; ret->quiet_shutdown = 0; -/* ret->cipher=NULL;*/ -/* ret->s2->challenge=NULL; +/* ret->cipher=NULL; ret->master_key=NULL; - ret->key_arg=NULL; - ret->s2->conn_id=NULL; */ ret->info_callback = NULL; @@ -2340,7 +2337,7 @@ ssl_update_cache(SSL *s, int mode) if ((((mode & SSL_SESS_CACHE_CLIENT) ?s->session_ctx->stats.sess_connect_good :s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) { - SSL_CTX_flush_sessions(s->session_ctx,(unsigned long)time(NULL)); + SSL_CTX_flush_sessions(s->session_ctx, time(NULL)); } } } diff --git a/lib/libssl/src/ssl/ssl_sess.c b/lib/libssl/src/ssl/ssl_sess.c index c67ae1c22f6..c032154d48f 100644 --- a/lib/libssl/src/ssl/ssl_sess.c +++ b/lib/libssl/src/ssl/ssl_sess.c @@ -205,7 +205,7 @@ SSL_SESSION_new(void) ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references = 1; ss->timeout=60*5+4; /* 5 minute timeout by default */ - ss->time = (unsigned long)time(NULL); + ss->time = time(NULL); ss->prev = NULL; ss->next = NULL; ss->compress_meth = 0; @@ -555,7 +555,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, goto err; } - if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */ + if (ret->timeout < (time(NULL) - ret->time)) /* timeout */ { s->session_ctx->stats.sess_timeout++; if (try_session_cache) { @@ -699,7 +699,6 @@ SSL_SESSION_free(SSL_SESSION *ss) CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); - OPENSSL_cleanse(ss->key_arg, sizeof ss->key_arg); OPENSSL_cleanse(ss->master_key, sizeof ss->master_key); OPENSSL_cleanse(ss->session_id, sizeof ss->session_id); if (ss->sess_cert != NULL) @@ -807,6 +806,7 @@ SSL_SESSION_get_timeout(const SSL_SESSION *s) return (s->timeout); } +/* XXX 2038 */ long SSL_SESSION_get_time(const SSL_SESSION *s) { @@ -815,6 +815,7 @@ SSL_SESSION_get_time(const SSL_SESSION *s) return (s->time); } +/* XXX 2038 */ long SSL_SESSION_set_time(SSL_SESSION *s, long t) { @@ -926,7 +927,7 @@ typedef struct timeout_param_st { static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) { - if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */ + if ((p->time == 0) || (p->time > (s->time + s->timeout))) /* timeout */ { /* The reason we don't call SSL_CTX_remove_session() is to * save on locking overhead */ @@ -942,6 +943,7 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM) +/* XXX 2038 */ void SSL_CTX_flush_sessions(SSL_CTX *s, long t) { diff --git a/lib/libssl/src/ssl/ssl_txt.c b/lib/libssl/src/ssl/ssl_txt.c index 91664ffe432..5538c57562a 100644 --- a/lib/libssl/src/ssl/ssl_txt.c +++ b/lib/libssl/src/ssl/ssl_txt.c @@ -161,16 +161,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) goto err; } - if (BIO_puts(bp, "\n Key-Arg : ") - <= 0) goto err; - if (x->key_arg_length == 0) { - if (BIO_puts(bp, "None") - <= 0) goto err; - } else - for (i = 0; i < x->key_arg_length; i++) { - if (BIO_printf(bp, "%02X", x->key_arg[i]) - <= 0) goto err; - } #ifndef OPENSSL_NO_KRB5 if (BIO_puts(bp, "\n Krb5 Principal: ") <= 0) goto err; @@ -227,8 +217,8 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) } } #endif - if (x->time != 0L) { - if (BIO_printf(bp, "\n Start Time: %ld", x->time) + if (x->time != 0) { + if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0) goto err; } if (x->timeout != 0L) { diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c index 579eaa6ce44..3f5df9ad7a6 100644 --- a/lib/libssl/src/ssl/t1_enc.c +++ b/lib/libssl/src/ssl/t1_enc.c @@ -519,7 +519,6 @@ tls1_change_cipher_state(SSL *s, int which) } } - s->session->key_arg_length = 0; #ifdef KSSL_DEBUG { int i; diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h index f3ca8c5c4e6..3624bdcccd8 100644 --- a/lib/libssl/ssl.h +++ b/lib/libssl/ssl.h @@ -399,7 +399,7 @@ struct ssl_cipher_st { }; -/* Used to hold functions for SSLv2 or SSLv3/TLSv1 functions */ +/* Used to hold functions for SSLv3/TLSv1 functions */ struct ssl_method_st { int version; int (*ssl_new)(SSL *s); @@ -442,7 +442,6 @@ struct ssl_method_st { * Session_ID OCTET STRING, -- the Session ID * Master_key OCTET STRING, -- the master key * KRB5_principal OCTET STRING -- optional Kerberos principal - * Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds * Peer [ 3 ] EXPLICIT X509, -- optional Peer Certificate @@ -463,9 +462,6 @@ struct ssl_session_st { int ssl_version; /* what ssl version session info is * being kept in here? */ - /* only really used in SSLv2 */ - unsigned int key_arg_length; - unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH]; int master_key_length; unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; /* session_id - valid? */ @@ -502,9 +498,9 @@ struct ssl_session_st { * is not ok, we must remember the error for session reuse: */ long verify_result; /* only for servers */ - int references; long timeout; - long time; + time_t time; + int references; unsigned int compress_meth; /* Need to lookup the method */ @@ -845,9 +841,8 @@ struct ssl_ctx_st { CRYPTO_EX_DATA ex_data; - const EVP_MD *rsa_md5; /* For SSLv2 - name is 'ssl2-md5' */ const EVP_MD *md5; /* For SSLv3/TLSv1 'ssl3-md5' */ - const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3->sha1' */ + const EVP_MD *sha1; /* For SSLv3/TLSv1 'ssl3-sha1' */ STACK_OF(X509) *extra_certs; STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */ @@ -1155,7 +1150,6 @@ struct ssl_st { unsigned char *packet; unsigned int packet_length; - struct ssl2_state_st *s2; /* SSLv2 variables */ struct ssl3_state_st *s3; /* SSLv3 variables */ struct dtls1_state_st *d1; /* DTLSv1 variables */ @@ -1828,9 +1822,9 @@ const SSL_METHOD *SSLv3_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_server_method(void); /* SSLv3 */ const SSL_METHOD *SSLv3_client_method(void); /* SSLv3 */ -const SSL_METHOD *SSLv23_method(void); /* SSLv3 but can rollback to v2 */ -const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */ -const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */ +const SSL_METHOD *SSLv23_method(void); /* SSLv3 or TLSv1.* */ +const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 or TLSv1.* */ +const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 or TLSv1.* */ const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ const SSL_METHOD *TLSv1_server_method(void); /* TLSv1.0 */ diff --git a/lib/libssl/ssl/shlib_version b/lib/libssl/ssl/shlib_version index df4de0fc4dc..906022aa66d 100644 --- a/lib/libssl/ssl/shlib_version +++ b/lib/libssl/ssl/shlib_version @@ -1,2 +1,2 @@ -major=23 +major=24 minor=0 diff --git a/lib/libssl/ssl_asn1.c b/lib/libssl/ssl_asn1.c index c551ec48772..1d2590268ce 100644 --- a/lib/libssl/ssl_asn1.c +++ b/lib/libssl/ssl_asn1.c @@ -97,7 +97,6 @@ typedef struct ssl_session_asn1_st { ASN1_OCTET_STRING master_key; ASN1_OCTET_STRING session_id; ASN1_OCTET_STRING session_id_context; - ASN1_OCTET_STRING key_arg; #ifndef OPENSSL_NO_KRB5 ASN1_OCTET_STRING krb5_princ; #endif /* OPENSSL_NO_KRB5 */ @@ -190,10 +189,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.session_id_context.type = V_ASN1_OCTET_STRING; a.session_id_context.data = in->sid_ctx; - a.key_arg.length = in->key_arg_length; - a.key_arg.type = V_ASN1_OCTET_STRING; - a.key_arg.data = in->key_arg; - #ifndef OPENSSL_NO_KRB5 if (in->krb5_client_princ_len) { a.krb5_princ.length = in->krb5_client_princ_len; @@ -206,7 +201,7 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) a.time.length = LSIZE2; a.time.type = V_ASN1_INTEGER; a.time.data = ibuf3; - ASN1_INTEGER_set(&(a.time), in->time); + ASN1_INTEGER_set(&(a.time), in->time); /* XXX 2038 */ } if (in->timeout != 0L) { @@ -270,8 +265,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) if (in->krb5_client_princ_len) M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); #endif /* OPENSSL_NO_KRB5 */ - if (in->key_arg_length > 0) - M_ASN1_I2D_len_IMP_opt(&(a.key_arg), i2d_ASN1_OCTET_STRING); if (in->time != 0L) M_ASN1_I2D_len_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1); if (in->timeout != 0L) @@ -316,8 +309,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) if (in->krb5_client_princ_len) M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING); #endif /* OPENSSL_NO_KRB5 */ - if (in->key_arg_length > 0) - M_ASN1_I2D_put_IMP_opt(&(a.key_arg), i2d_ASN1_OCTET_STRING, 0); if (in->time != 0L) M_ASN1_I2D_put_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1); if (in->timeout != 0L) @@ -445,24 +436,15 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) ret->krb5_client_princ_len = 0; #endif /* OPENSSL_NO_KRB5 */ - M_ASN1_D2I_get_IMP_opt(osp, d2i_ASN1_OCTET_STRING, 0, V_ASN1_OCTET_STRING); - if (os.length > SSL_MAX_KEY_ARG_LENGTH) - ret->key_arg_length = SSL_MAX_KEY_ARG_LENGTH; - else - ret->key_arg_length = os.length; - memcpy(ret->key_arg, os.data, ret->key_arg_length); - if (os.data != NULL) - free(os.data); - ai.length = 0; - M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1); + M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1); /* XXX 2038 */ if (ai.data != NULL) { ret->time = ASN1_INTEGER_get(aip); free(ai.data); ai.data = NULL; ai.length = 0; } else - ret->time = (unsigned long)time(NULL); + ret->time = time(NULL); ai.length = 0; M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 2); diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c index 3ab353b8eb9..21d6835b98e 100644 --- a/lib/libssl/ssl_lib.c +++ b/lib/libssl/ssl_lib.c @@ -1712,11 +1712,8 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->references = 1; ret->quiet_shutdown = 0; -/* ret->cipher=NULL;*/ -/* ret->s2->challenge=NULL; +/* ret->cipher=NULL; ret->master_key=NULL; - ret->key_arg=NULL; - ret->s2->conn_id=NULL; */ ret->info_callback = NULL; @@ -2340,7 +2337,7 @@ ssl_update_cache(SSL *s, int mode) if ((((mode & SSL_SESS_CACHE_CLIENT) ?s->session_ctx->stats.sess_connect_good :s->session_ctx->stats.sess_accept_good) & 0xff) == 0xff) { - SSL_CTX_flush_sessions(s->session_ctx,(unsigned long)time(NULL)); + SSL_CTX_flush_sessions(s->session_ctx, time(NULL)); } } } diff --git a/lib/libssl/ssl_sess.c b/lib/libssl/ssl_sess.c index c67ae1c22f6..c032154d48f 100644 --- a/lib/libssl/ssl_sess.c +++ b/lib/libssl/ssl_sess.c @@ -205,7 +205,7 @@ SSL_SESSION_new(void) ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references = 1; ss->timeout=60*5+4; /* 5 minute timeout by default */ - ss->time = (unsigned long)time(NULL); + ss->time = time(NULL); ss->prev = NULL; ss->next = NULL; ss->compress_meth = 0; @@ -555,7 +555,7 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, goto err; } - if (ret->timeout < (long)(time(NULL) - ret->time)) /* timeout */ + if (ret->timeout < (time(NULL) - ret->time)) /* timeout */ { s->session_ctx->stats.sess_timeout++; if (try_session_cache) { @@ -699,7 +699,6 @@ SSL_SESSION_free(SSL_SESSION *ss) CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ss, &ss->ex_data); - OPENSSL_cleanse(ss->key_arg, sizeof ss->key_arg); OPENSSL_cleanse(ss->master_key, sizeof ss->master_key); OPENSSL_cleanse(ss->session_id, sizeof ss->session_id); if (ss->sess_cert != NULL) @@ -807,6 +806,7 @@ SSL_SESSION_get_timeout(const SSL_SESSION *s) return (s->timeout); } +/* XXX 2038 */ long SSL_SESSION_get_time(const SSL_SESSION *s) { @@ -815,6 +815,7 @@ SSL_SESSION_get_time(const SSL_SESSION *s) return (s->time); } +/* XXX 2038 */ long SSL_SESSION_set_time(SSL_SESSION *s, long t) { @@ -926,7 +927,7 @@ typedef struct timeout_param_st { static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) { - if ((p->time == 0) || (p->time > (s->time+s->timeout))) /* timeout */ + if ((p->time == 0) || (p->time > (s->time + s->timeout))) /* timeout */ { /* The reason we don't call SSL_CTX_remove_session() is to * save on locking overhead */ @@ -942,6 +943,7 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) static IMPLEMENT_LHASH_DOALL_ARG_FN(timeout, SSL_SESSION, TIMEOUT_PARAM) +/* XXX 2038 */ void SSL_CTX_flush_sessions(SSL_CTX *s, long t) { diff --git a/lib/libssl/ssl_txt.c b/lib/libssl/ssl_txt.c index 91664ffe432..5538c57562a 100644 --- a/lib/libssl/ssl_txt.c +++ b/lib/libssl/ssl_txt.c @@ -161,16 +161,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) goto err; } - if (BIO_puts(bp, "\n Key-Arg : ") - <= 0) goto err; - if (x->key_arg_length == 0) { - if (BIO_puts(bp, "None") - <= 0) goto err; - } else - for (i = 0; i < x->key_arg_length; i++) { - if (BIO_printf(bp, "%02X", x->key_arg[i]) - <= 0) goto err; - } #ifndef OPENSSL_NO_KRB5 if (BIO_puts(bp, "\n Krb5 Principal: ") <= 0) goto err; @@ -227,8 +217,8 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) } } #endif - if (x->time != 0L) { - if (BIO_printf(bp, "\n Start Time: %ld", x->time) + if (x->time != 0) { + if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0) goto err; } if (x->timeout != 0L) { diff --git a/lib/libssl/t1_enc.c b/lib/libssl/t1_enc.c index 579eaa6ce44..3f5df9ad7a6 100644 --- a/lib/libssl/t1_enc.c +++ b/lib/libssl/t1_enc.c @@ -519,7 +519,6 @@ tls1_change_cipher_state(SSL *s, int which) } } - s->session->key_arg_length = 0; #ifdef KSSL_DEBUG { int i;