Re: libssl remove SSL_(set|get)_(time|timeout)

2014-05-29 Thread Theo de Raadt
> On Thu, May 29, 2014 at 21:00, Alexander Schrijver wrote:
> > I'm not sure how much, and if this breaks anything in Ports.
> > 
> > According to github it isn't used much.
> 
> We're going to keep this for a while. We would like to keep as much
> API compatibility as possible, even when the API is mostly useless.
> 
> The exceptions are generally for APIs which simply cannot be used in a
> secure manner. Of course, there were other exceptions, when we tried
> to delete what appeared to be obsolete functions, but then we
> discovered people still use them, which created a mess.
> 
> These functions don't appear particularly harmful.

I want to throw in a few words.

A fair amount of application code is written in a style of

  #ifdef LINUX

  a whole whack of code

  #elif ANOTHERSYSTEM

  the same code, with
  a small difference

   #...

The abstractions taken by the developers are sometimes not as fine
as they could be.

The problem with removing APIs too quickly in libressl is that while
we might see the OpenBSD ports work fine, the other code blocks on
other systems may use the API, and then fail.

At a much later time, after libressl is tried on those systems.

So for "fairly uncommon, not so scary, but stupid" APIs, we would
prefer to defer the deletion till a bit later.




Re: libssl remove SSL_(set|get)_(time|timeout)

2014-05-29 Thread Ted Unangst
On Thu, May 29, 2014 at 21:00, Alexander Schrijver wrote:
> I'm not sure how much, and if this breaks anything in Ports.
> 
> According to github it isn't used much.

We're going to keep this for a while. We would like to keep as much
API compatibility as possible, even when the API is mostly useless.

The exceptions are generally for APIs which simply cannot be used in a
secure manner. Of course, there were other exceptions, when we tried
to delete what appeared to be obsolete functions, but then we
discovered people still use them, which created a mess.

These functions don't appear particularly harmful.



Re: libssl remove SSL_(set|get)_(time|timeout)

2014-05-29 Thread Theo de Raadt
> I'm not sure how much, and if this breaks anything in Ports.

Then you need to go find out.

> According to github it isn't used much.

Whoa.  Think about that for a while.

You want to disrupt the application authors ... now?



libssl remove SSL_(set|get)_(time|timeout)

2014-05-29 Thread Alexander Schrijver
I'm not sure how much, and if this breaks anything in Ports.

According to github it isn't used much.

https://github.com/search?q=SSL_get_time+extension%3Ac+language%3Ac&type=Code&ref=searchresults
https://github.com/search?q=SSL_set_time+extension%3Ac+language%3Ac&type=Code&ref=searchresults
https://github.com/search?q=SSL_get_timeout+extension%3Ac+language%3Ac&type=Code&ref=searchresults
https://github.com/search?q=SSL_set_timeout+extension%3Ac+language%3Ac&type=Code&ref=searchresults


Index: src/ssl/ssl.h
===
RCS file: /backup/mirrors/cvsync/src/lib/libssl/src/ssl/ssl.h,v
retrieving revision 1.42
diff -u -p -r1.42 ssl.h
--- src/ssl/ssl.h   25 May 2014 13:27:38 -  1.42
+++ src/ssl/ssl.h   29 May 2014 15:03:22 -
@@ -1381,10 +1381,6 @@ size_t SSL_get_peer_finished(const SSL *
SSL_CIPHER_get_version(SSL_get_current_cipher(s))
 #define SSL_get_cipher_name(s) \
SSL_CIPHER_get_name(SSL_get_current_cipher(s))
-#define SSL_get_time(a)SSL_SESSION_get_time(a)
-#define SSL_set_time(a,b)  SSL_SESSION_set_time((a),(b))
-#define SSL_get_timeout(a) SSL_SESSION_get_timeout(a)
-#define SSL_set_timeout(a,b)   SSL_SESSION_set_timeout((a),(b))
 
 #define d2i_SSL_SESSION_bio(bp,s_id) 
ASN1_d2i_bio_of(SSL_SESSION,SSL_SESSION_new,d2i_SSL_SESSION,bp,s_id)
 #define i2d_SSL_SESSION_bio(bp,s_id) 
ASN1_i2d_bio_of(SSL_SESSION,i2d_SSL_SESSION,bp,s_id)
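Review bot: The four removed defines (SSL_get_time, SSL_set_time, SSL_get_timeout, SSL_set_timeout) are plain aliases that forward to the SSL_SESSION_* functions, so deleting them from ssl.h removes no behaviour and turns every remaining caller into a build failure, and the submission itself says the effect on ports has not been checked. Either keep them, or land this only together with the result of a ports build and a pointer telling callers to use the SSL_SESSION_* names directly. If they stay, SSL_get_time(a) and SSL_get_timeout(a) could parenthesize the argument for consistency with the two set variants.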
Index: src/doc/ssl/ssl.pod
===
RCS file: /backup/mirrors/cvsync/src/lib/libssl/src/doc/ssl/ssl.pod,v
retrieving revision 1.11
diff -u -p -r1.11 ssl.pod
--- src/doc/ssl/ssl.pod 13 Apr 2014 15:25:34 -  1.11
+++ src/doc/ssl/ssl.pod 29 May 2014 15:03:22 -
@@ -525,10 +525,6 @@ connection defined in the B structu
 
 =item int B(const SSL *ssl);
 
-=item long B(const SSL *ssl);
-
-=item long B(const SSL *ssl);
-
 =item int (*B(const SSL *ssl))(int,X509_STORE_CTX *)
 
 =item int B(const SSL *ssl);
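Review bot: Both removed =item lines here are prototyped as long ...(const SSL *ssl), while the macros removed from ssl.h pass their argument straight to SSL_SESSION_* functions and SSL_SESSION_get_time.pod prototypes the aliases with SSL_SESSION *s. The function names are not visible in this rendering of the hunk; if these are the SSL_get_time and SSL_get_timeout entries, the commit message should mention that the removed text also documented the wrong argument type, since a caller following it would have passed the wrong pointer type.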
@@ -606,10 +602,6 @@ connection defined in the B structu
 =item void B(SSL *ssl, int mode);
 
 =item int B(SSL *ssl, const SSL_METHOD *meth);
-
-=item void B(SSL *ssl, long t);
-
-=item void B(SSL *ssl, long t);
 
 =item void B(SSL *ssl, int mode, int (*callback);(void))
 
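Review bot: The two removed entries, void ...(SSL *ssl, long t), disagree with the rest of the patch on return type as well as argument type: SSL_SESSION_get_time.pod lists the set variants as returning long and taking SSL_SESSION *s. Please confirm these are the SSL_set_time and SSL_set_timeout entries (the names are not visible here) and check ssl.pod for any other mention of the aliases outside these two hunks.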
Index: src/doc/ssl/SSL_SESSION_get_time.pod
===
RCS file: 
/backup/mirrors/cvsync/src/lib/libssl/src/doc/ssl/SSL_SESSION_get_time.pod,v
retrieving revision 1.6
diff -u -p -r1.6 SSL_SESSION_get_time.pod
--- src/doc/ssl/SSL_SESSION_get_time.pod4 May 2014 21:13:41 -   
1.6
+++ src/doc/ssl/SSL_SESSION_get_time.pod29 May 2014 15:03:22 -
@@ -15,11 +15,6 @@ settings
  long SSL_SESSION_get_timeout(const SSL_SESSION *s);
  long SSL_SESSION_set_timeout(SSL_SESSION *s, long tm);
 
- long SSL_get_time(const SSL_SESSION *s);
- long SSL_set_time(SSL_SESSION *s, long tm);
- long SSL_get_timeout(const SSL_SESSION *s);
- long SSL_set_timeout(SSL_SESSION *s, long tm);
-
 =head1 DESCRIPTION
 
 SSL_SESSION_get_time() returns the time at which the session B was
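Review bot: Only the SYNOPSIS prototypes are removed from SSL_SESSION_get_time.pod, and neither hunk for this file touches anything before line 15. Please confirm the NAME section does not also list the four SSL_* aliases; if it does, the page will keep advertising names that no longer exist.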
@@ -34,9 +29,6 @@ in seconds.
 
 SSL_SESSION_set_timeout() sets the timeout value for session B in seconds
 to B.
-
-The SSL_get_time(), SSL_set_time(), SSL_get_timeout(), and SSL_set_timeout()
-functions are synonyms for the SSL_SESSION_*() counterparts.
 
 =head1 NOTES
 
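Review bot: Deleting the sentence that calls these functions "synonyms for the SSL_SESSION_*() counterparts" removes the only place that tells a caller what to replace SSL_get_time() and the other three with. If the macros go, carry that mapping into the commit message so that anyone hitting the build failure can find the one-line fix.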
Index: man/Makefile
===
RCS file: /backup/mirrors/cvsync/src/lib/libssl/man/Makefile,v
retrieving revision 1.25
diff -u -p -r1.25 Makefile
--- man/Makefile16 Apr 2014 09:50:10 -  1.25
+++ man/Makefile29 May 2014 15:03:22 -
@@ -206,10 +206,6 @@ MLINKS+=\
SSL_SESSION_get_time.3 SSL_SESSION_get_timeout.3 \
SSL_SESSION_get_time.3 SSL_SESSION_set_time.3 \
SSL_SESSION_get_time.3 SSL_SESSION_set_timeout.3 \
-   SSL_SESSION_get_time.3 SSL_get_time.3 \
-   SSL_SESSION_get_time.3 SSL_get_timeout.3 \
-   SSL_SESSION_get_time.3 SSL_set_time.3 \
-   SSL_SESSION_get_time.3 SSL_set_timeout.3 \
SSL_alert_type_string.3 SSL_alert_desc_string.3 \
SSL_alert_type_string.3 SSL_alert_desc_string_long.3 \
SSL_alert_type_string.3 SSL_alert_type_string_long.3 \
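Review bot: Dropping the four MLINKS entries stops SSL_get_time.3, SSL_get_timeout.3, SSL_set_time.3 and SSL_set_timeout.3 from being installed, but nothing visible in the patch removes the links already present on upgraded systems, so stale pages for removed macros would remain there. This hunk should also only go in together with the ssl.h change; if the macros are kept for compatibility, the links should stay too.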