Google Git
Sign in
android / platform / external / tlsdate / 5a3de7f1137f650c5b4da38fcf3da3a00be905d2^! / .
commit5a3de7f1137f650c5b4da38fcf3da3a00be905d2[log] [tgz]
authorDavid Benjamin <[email protected]>Fri Sep 23 14:57:05 2016 -0400
committerDavid Benjamin <[email protected]>Fri Sep 23 18:07:42 2016 -0400
tree7a5d901ceae854480658ef2cf630e24a39433608
parent5277834396f52a760bb237044d5539fc4aaa87bb [diff]
Don't reach into BoringSSL structs.

Instead, use the corresponding accessor.

Note that SSL_get0_param is not quite what the old code was doing, but
is the correct way to do this. I've confirmed the time still gets set
either way.  (The parameters ultimately used in the X509_STORE_CTX are
first seeded from the X509_STORE, where the old code was modifying
things, and then any parameters set via SSL_get0_param are applied.)

See upstream docs here:
https://www.openssl.org/docs/manmaster/ssl/SSL_get0_param.html

Test: mmma -j200 external/tlsdate
Change-Id: I6bffe27d1016ed4abad7f7c90ed72d5971fc7b23

diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c
index d923efd..319497f 100644
--- a/src/tlsdate-helper.c
+++ b/src/tlsdate-helper.c

@@ -358,7 +358,8 @@
 openssl_time_callback (const SSL* ssl, int where, int ret)
 {
   if (where == SSL_CB_CONNECT_LOOP &&
-      (ssl->state == SSL3_ST_CR_SRVR_HELLO_A || ssl->state == SSL3_ST_CR_SRVR_HELLO_B))
+      (SSL_state(ssl) == SSL3_ST_CR_SRVR_HELLO_A ||
+       SSL_state(ssl) == SSL3_ST_CR_SRVR_HELLO_B))
   {
     // XXX TODO: If we want to trust the remote system for time,
     // can we just read that time out of the remote system and if the
@@ -371,7 +372,7 @@
     uint32_t max_reasonable_time = MAX_REASONABLE_TIME;
     uint32_t server_time;
     verb("V: freezing time for x509 verification");
-    memcpy(&server_time, ssl->s3->server_random, sizeof(uint32_t));
+    SSL_get_server_random(ssl, (unsigned char*)&server_time, sizeof(uint32_t));
     if (compiled_time < ntohl(server_time)
         &&
         ntohl(server_time) < max_reasonable_time)
@@ -379,7 +380,7 @@
       verb("V: remote peer provided: %d, preferred over compile time: %d",
             ntohl(server_time), compiled_time);
       verb("V: freezing time with X509_VERIFY_PARAM_set_time");
-      X509_VERIFY_PARAM_set_time(ssl->ctx->cert_store->param,
+      X509_VERIFY_PARAM_set_time(SSL_get0_param((SSL*)ssl),
                                  (time_t) ntohl(server_time) + 86400);
     } else {
       die("V: the remote server is a false ticker! server: %d compile: %d",
@@ -1189,7 +1190,7 @@
 
   // from /usr/include/openssl/ssl3.h
   //  ssl->s3->server_random is an unsigned char of 32 bits
-  memcpy(&result_time, ssl->s3->server_random, sizeof (uint32_t));
+  SSL_get_server_random(ssl, (unsigned char*)&result_time, sizeof(uint32_t));
   verb("V: In TLS response, T=%lu", (unsigned long)ntohl(result_time));
 
   if (http) {