diff options
| author | David Benjamin <davidben@google.com> | 2016-09-23 14:57:05 -0400 |
|---|---|---|
| committer | David Benjamin <davidben@google.com> | 2016-09-23 18:07:42 -0400 |
| commit | 5a3de7f1137f650c5b4da38fcf3da3a00be905d2 (patch) | |
| tree | 7a5d901ceae854480658ef2cf630e24a39433608 | |
| parent | 5277834396f52a760bb237044d5539fc4aaa87bb (diff) | |
| download | tlsdate-5a3de7f1137f650c5b4da38fcf3da3a00be905d2.tar.gz | |
Don't reach into BoringSSL structs.android-n-mr1-preview-2android-n-mr1-preview-1
Instead, use the corresponding accessor.
Note that SSL_get0_param is not quite what the old code was doing, but
is the correct way to do this. I've confirmed the time still gets set
either way. (The parameters ultimately used in the X509_STORE_CTX are
first seeded from the X509_STORE, where the old code was modifying
things, and then any parameters set via SSL_get0_param are applied.)
See upstream docs here:
https://www.openssl.org/docs/manmaster/ssl/SSL_get0_param.html
Test: mmma -j200 external/tlsdate
Change-Id: I6bffe27d1016ed4abad7f7c90ed72d5971fc7b23
| -rw-r--r-- | src/tlsdate-helper.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c index d923efd..319497f 100644 --- a/src/tlsdate-helper.c +++ b/src/tlsdate-helper.c @@ -358,7 +358,8 @@ void openssl_time_callback (const SSL* ssl, int where, int ret) { if (where == SSL_CB_CONNECT_LOOP && - (ssl->state == SSL3_ST_CR_SRVR_HELLO_A || ssl->state == SSL3_ST_CR_SRVR_HELLO_B)) + (SSL_state(ssl) == SSL3_ST_CR_SRVR_HELLO_A || + SSL_state(ssl) == SSL3_ST_CR_SRVR_HELLO_B)) { // XXX TODO: If we want to trust the remote system for time, // can we just read that time out of the remote system and if the @@ -371,7 +372,7 @@ openssl_time_callback (const SSL* ssl, int where, int ret) uint32_t max_reasonable_time = MAX_REASONABLE_TIME; uint32_t server_time; verb("V: freezing time for x509 verification"); - memcpy(&server_time, ssl->s3->server_random, sizeof(uint32_t)); + SSL_get_server_random(ssl, (unsigned char*)&server_time, sizeof(uint32_t)); if (compiled_time < ntohl(server_time) && ntohl(server_time) < max_reasonable_time) @@ -379,7 +380,7 @@ openssl_time_callback (const SSL* ssl, int where, int ret) verb("V: remote peer provided: %d, preferred over compile time: %d", ntohl(server_time), compiled_time); verb("V: freezing time with X509_VERIFY_PARAM_set_time"); - X509_VERIFY_PARAM_set_time(ssl->ctx->cert_store->param, + X509_VERIFY_PARAM_set_time(SSL_get0_param((SSL*)ssl), (time_t) ntohl(server_time) + 86400); } else { die("V: the remote server is a false ticker! server: %d compile: %d", @@ -1189,7 +1190,7 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion, int http) // from /usr/include/openssl/ssl3.h // ssl->s3->server_random is an unsigned char of 32 bits - memcpy(&result_time, ssl->s3->server_random, sizeof (uint32_t)); + SSL_get_server_random(ssl, (unsigned char*)&result_time, sizeof(uint32_t)); verb("V: In TLS response, T=%lu", (unsigned long)ntohl(result_time)); if (http) { |