From 9e9858d1cf28e39cfd214b5c508188d5016728fd Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Fri, 6 Feb 2015 10:52:12 -0500 Subject: [PATCH] dead code cleanup: #if 0 in ssl I left many "#if 0" lines, usually because I thought we would probably want to revisit them later, or because they provided some useful internal documentation tips. Reviewed-by: Andy Polyakov --- ssl/bio_ssl.c | 12 ---- ssl/d1_both.c | 27 -------- ssl/d1_clnt.c | 17 ----- ssl/d1_pkt.c | 173 ------------------------------------------------- ssl/d1_srtp.c | 10 --- ssl/d1_srvr.c | 5 -- ssl/kssl.c | 11 ---- ssl/s23_clnt.c | 7 -- ssl/s23_srvr.c | 3 - ssl/s3_clnt.c | 28 ++------ ssl/s3_lib.c | 35 ---------- ssl/s3_pkt.c | 69 -------------------- ssl/ssl_cert.c | 14 ++-- ssl/ssl_lib.c | 50 -------------- ssl/t1_enc.c | 5 -- ssl/t1_lib.c | 29 --------- ssl/t1_trce.c | 8 --- 17 files changed, 10 insertions(+), 493 deletions(-) diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index 458e071872..e2831af7f3 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -150,18 +150,6 @@ static int ssl_read(BIO *b, char *out, int outl) BIO_clear_retry_flags(b); -#if 0 - if (!SSL_is_init_finished(ssl)) { -/* ret=SSL_do_handshake(ssl); */ - if (ret > 0) { - - outflags = (BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY); - ret = -1; - goto end; - } - } -#endif -/* if (ret > 0) */ ret = SSL_read(ssl, out, outl); switch (SSL_get_error(ssl, ret)) { diff --git a/ssl/d1_both.c b/ssl/d1_both.c index 487bc6c80d..7d48cc4df3 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -144,14 +144,6 @@ if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ if (bitmask[ii] != 0xff) { is_complete = 0; break; } } -#if 0 -# define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \ - long ii; \ - printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \ - printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \ - printf("\n"); } -#endif - static unsigned char bitmask_start_values[] = { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 }; static unsigned char bitmask_end_values[] = @@ -1031,20 +1023,6 @@ int dtls1_read_failed(SSL *s, int code) BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); return code; } -#if 0 /* for now, each alert contains only one - * record number */ - item = pqueue_peek(state->rcvd_records); - if (item) { - /* send an alert immediately for all the missing records */ - } else -#endif - -#if 0 /* no more alert sending, just retransmit the - * last set of messages */ - if (state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT) - ssl3_send_alert(s, SSL3_AL_WARNING, - DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); -#endif return dtls1_handle_timeout(s); } @@ -1144,11 +1122,6 @@ int dtls1_buffer_message(SSL *s, int is_ccs) dtls1_hm_fragment_free(frag); return 0; } -#if 0 - fprintf(stderr, "buffered messge: \ttype = %xx\n", msg_buf->type); - fprintf(stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len); - fprintf(stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num); -#endif pqueue_insert(s->d1->sent_messages, item); return 1; diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index 1858263e19..151dd47285 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -714,13 +714,6 @@ int dtls1_connect(SSL *s) /* clean a few things up */ ssl3_cleanup_key_block(s); -#if 0 - if (s->init_buf != NULL) { - BUF_MEM_free(s->init_buf); - s->init_buf = NULL; - } -#endif - /* * If we are not 'joining' the last two packets, remove the * buffering now @@ -816,16 +809,6 @@ static int dtls1_get_hello_verify(SSL *s) } data = (unsigned char *)s->init_msg; -#if 0 - if (s->method->version != DTLS_ANY_VERSION && - ((data[0] != (s->version >> 8)) || (data[1] != (s->version & 0xff)))) - { - SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION); - s->version = (s->version & 0xff00) | data[1]; - al = SSL_AD_PROTOCOL_VERSION; - goto f_err; - } -#endif data += 2; cookie_len = *(data++); diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 331a50f515..d66ecf5c77 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -187,11 +187,6 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch); -#if 0 -static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, - unsigned short *priority, - unsigned long *offset); -#endif static int dtls1_buffer_record(SSL *s, record_pqueue *q, unsigned char *priority); static int dtls1_process_record(SSL *s); @@ -347,50 +342,6 @@ static int dtls1_process_buffered_records(SSL *s) return (1); } -#if 0 - -static int dtls1_get_buffered_record(SSL *s) -{ - pitem *item; - PQ_64BIT priority = - (((PQ_64BIT) s->d1->handshake_read_seq) << 32) | - ((PQ_64BIT) s->d1->r_msg_hdr.frag_off); - - /* if we're not (re)negotiating, nothing buffered */ - if (!SSL_in_init(s)) - return 0; - - item = pqueue_peek(s->d1->rcvd_records); - if (item && item->priority == priority) { - /* - * Check if we've received the record of interest. It must be a - * handshake record, since data records as passed up without - * buffering - */ - DTLS1_RECORD_DATA *rdata; - item = pqueue_pop(s->d1->rcvd_records); - rdata = (DTLS1_RECORD_DATA *)item->data; - - if (s->s3->rbuf.buf != NULL) - OPENSSL_free(s->s3->rbuf.buf); - - s->packet = rdata->packet; - s->packet_length = rdata->packet_length; - memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); - memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); - - OPENSSL_free(item->data); - pitem_free(item); - - /* s->d1->next_expected_seq_num++; */ - return (1); - } - - return 0; -} - -#endif - static int dtls1_process_record(SSL *s) { int i, al; @@ -1302,15 +1253,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (((s->state & SSL_ST_MASK) == SSL_ST_OK) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { -#if 0 /* worked only because C operator preferences - * are not as expected (and because this is - * not really needed for clients except for - * detecting protocol violations): */ - s->state = SSL_ST_BEFORE | (s->server) - ? SSL_ST_ACCEPT : SSL_ST_CONNECT; -#else s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; -#endif s->renegotiate = 1; s->new_session = 1; } @@ -1526,41 +1469,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, goto err; } - /* DTLS implements explicit IV, so no need for empty fragments */ -#if 0 - /* - * 'create_empty_fragment' is true only when this function calls itself - */ - if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done - && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER) - { - /* - * countermeasure against known-IV weakness in CBC ciphersuites (see - * http://www.openssl.org/~bodo/tls-cbc.txt) - */ - - if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) { - /* - * recursive function call with 'create_empty_fragment' set; this - * prepares and buffers the data for an empty fragment (these - * 'prefix_len' bytes are sent out later together with the actual - * payload) - */ - prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1); - if (prefix_len <= 0) - goto err; - - if (s->s3->wbuf.len < - (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) { - /* insufficient space */ - SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR); - goto err; - } - } - - s->s3->empty_fragment_done = 1; - } -#endif p = wb->buf + prefix_len; /* write the header */ @@ -1672,13 +1580,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf, wr->type = type; /* not needed but helps for debugging */ wr->length += DTLS1_RT_HEADER_LENGTH; -#if 0 /* this is now done at the message layer */ - /* buffer the record, making it easy to handle retransmits */ - if (type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC) - dtls1_buffer_record(s, wr->data, wr->length, - *((PQ_64BIT *) & (s->s3->write_sequence[0]))); -#endif - ssl3_record_sequence_update(&(s->s3->write_sequence[0])); if (create_empty_fragment) { @@ -1766,20 +1667,6 @@ int dtls1_dispatch_alert(SSL *s) #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { s2n(s->d1->handshake_read_seq, ptr); -# if 0 - if (s->d1->r_msg_hdr.frag_off == 0) - /* - * waiting for a new msg - */ - else - s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */ -# endif - -# if 0 - fprintf(stderr, - "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n", - s->d1->handshake_read_seq, s->d1->r_msg_hdr.seq); -# endif l2n3(s->d1->r_msg_hdr.frag_off, ptr); } #endif @@ -1833,66 +1720,6 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, return NULL; } -#if 0 -static int -dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, - unsigned short *priority, unsigned long *offset) -{ - - /* alerts are passed up immediately */ - if (rr->type == SSL3_RT_APPLICATION_DATA || rr->type == SSL3_RT_ALERT) - return 0; - - /* - * Only need to buffer if a handshake is underway. (this implies that - * Hello Request and Client Hello are passed up immediately) - */ - if (SSL_in_init(s)) { - unsigned char *data = rr->data; - /* need to extract the HM/CCS sequence number here */ - if (rr->type == SSL3_RT_HANDSHAKE || - rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { - unsigned short seq_num; - struct hm_header_st msg_hdr; - struct ccs_header_st ccs_hdr; - - if (rr->type == SSL3_RT_HANDSHAKE) { - dtls1_get_message_header(data, &msg_hdr); - seq_num = msg_hdr.seq; - *offset = msg_hdr.frag_off; - } else { - dtls1_get_ccs_header(data, &ccs_hdr); - seq_num = ccs_hdr.seq; - *offset = 0; - } - - /* - * this is either a record we're waiting for, or a retransmit of - * something we happened to previously receive (higher layers - * will drop the repeat silently - */ - if (seq_num < s->d1->handshake_read_seq) - return 0; - if (rr->type == SSL3_RT_HANDSHAKE && - seq_num == s->d1->handshake_read_seq && - msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off) - return 0; - else if (seq_num == s->d1->handshake_read_seq && - (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC || - msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off)) - return 0; - else { - *priority = seq_num; - return 1; - } - } else /* unknown record type */ - return 0; - } - - return 0; -} -#endif - void dtls1_reset_seq_numbers(SSL *s, int rw) { unsigned char *seq; diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c index c7861b8c8f..0d62de6aea 100644 --- a/ssl/d1_srtp.c +++ b/ssl/d1_srtp.c @@ -129,16 +129,6 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { "SRTP_AES128_CM_SHA1_32", SRTP_AES128_CM_SHA1_32, }, -# if 0 - { - "SRTP_NULL_SHA1_80", - SRTP_NULL_SHA1_80, - }, - { - "SRTP_NULL_SHA1_32", - SRTP_NULL_SHA1_32, - }, -# endif {0} }; diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 55d37e78b0..c5a59249dd 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -842,11 +842,6 @@ int dtls1_accept(SSL *s) /* clean a few things up */ ssl3_cleanup_key_block(s); -#if 0 - BUF_MEM_free(s->init_buf); - s->init_buf = NULL; -#endif - /* remove buffering on output */ ssl_free_wbio_buffer(s); diff --git a/ssl/kssl.c b/ssl/kssl.c index df8df59367..6ec3742430 100644 --- a/ssl/kssl.c +++ b/ssl/kssl.c @@ -962,17 +962,6 @@ void print_krb5_authdata(char *label, krb5_authdata **adata) return; } fprintf(stderr, "%s [%p]\n", label, (void *)adata); -# if 0 - { - int i; - fprintf(stderr, "%s[at%d:%d] ", label, adata->ad_type, adata->length); - for (i = 0; i < adata->length; i++) { - fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x", - adata->contents[i]); - } - fprintf(stderr, "\n"); - } -# endif } /* diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c index 05fef3cbeb..e04d3af9f6 100644 --- a/ssl/s23_clnt.c +++ b/ssl/s23_clnt.c @@ -324,13 +324,6 @@ static int ssl23_client_hello(SSL *s) buf = (unsigned char *)s->init_buf->data; if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { -#if 0 - /* don't reuse session-id's */ - if (!ssl_get_new_session(s, 0)) { - return (-1); - } -#endif - p = s->s3->client_random; if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) return -1; diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 1c6cf49690..6ac6e4edad 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -569,9 +569,6 @@ int ssl23_get_client_hello(SSL *s) s->s3->rbuf.left = 0; s->s3->rbuf.offset = 0; } -#if 0 /* ssl3_get_client_hello does this */ - s->client_version = (v[0] << 8) | v[1]; -#endif s->handshake_func = s->method->ssl_accept; } else { /* bad, very bad */ diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 4d7d05b608..1e437b2e1e 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -755,14 +755,8 @@ int ssl3_client_hello(SSL *s) * client_version in client hello and not resetting it to * the negotiated version. */ -#if 0 - *(p++) = s->version >> 8; - *(p++) = s->version & 0xff; - s->client_version = s->version; -#else *(p++) = s->client_version >> 8; *(p++) = s->client_version & 0xff; -#endif /* Random stuff */ memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); @@ -1036,16 +1030,10 @@ int ssl3_get_server_hello(SSL *s) if (s->session->cipher) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { -/* Workaround is now obsolete */ -#if 0 - if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) -#endif - { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, - SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); - goto f_err; - } + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, + SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); + goto f_err; } s->s3->tmp.new_cipher = c; /* @@ -2091,14 +2079,6 @@ int ssl3_get_certificate_request(SSL *s) /* get the CA RDNs */ n2s(p, llen); -#if 0 - { - FILE *out; - out = fopen("/tmp/vsign.der", "w"); - fwrite(p, 1, llen, out); - fclose(out); - } -#endif if ((unsigned long)(p - d + llen) != n) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 320d4a514c..ab19eebaea 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1213,41 +1213,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = { #endif /* OPENSSL_NO_CAMELLIA */ #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES - /* New TLS Export CipherSuites from expired ID */ -# if 0 - /* Cipher 60 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5, - TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5, - SSL_kRSA, - SSL_aRSA, - SSL_RC4, - SSL_MD5, - SSL_TLSV1, - SSL_EXPORT | SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 128, - }, - - /* Cipher 61 */ - { - 1, - TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, - TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5, - SSL_kRSA, - SSL_aRSA, - SSL_RC2, - SSL_MD5, - SSL_TLSV1, - SSL_EXPORT | SSL_EXP56, - SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF, - 56, - 128, - }, -# endif - /* Cipher 62 */ { 1, diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 5b8fe5c56d..11b1c5532e 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -352,9 +352,6 @@ static int ssl3_get_record(SSL *s) ssl_minor = *(p++); version = (ssl_major << 8) | ssl_minor; n2s(p, rr->length); -#if 0 - fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); -#endif /* Lets check version */ if (!s->first_packet) { @@ -585,10 +582,6 @@ static int ssl3_get_record(SSL *s) } goto again; } -#if 0 - fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type, - rr->length); -#endif return (1); @@ -914,60 +907,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, goto err; } -#if 0 && !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK - if (type == SSL3_RT_APPLICATION_DATA && s->compress == NULL && - !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && - EVP_CIPHER_flags(s->enc_write_ctx->cipher) & - EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) - do { - unsigned char aad[13]; - EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param = - { NULL, aad, sizeof(aad), 0 }; - int packlen; - - memcpy(aad, s->s3->write_sequence, 8); - aad[8] = type; - aad[9] = (unsigned char)(s->version >> 8); - aad[10] = (unsigned char)(s->version); - aad[11] = (unsigned char)(len >> 8); - aad[12] = (unsigned char)len; - packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, - EVP_CTRL_TLS1_1_MULTIBLOCK_AAD, - sizeof(mb_param), &mb_param); - - if (packlen == 0 || packlen > wb->len) - break; - - mb_param.out = wb->buf; - mb_param.inp = buf; - mb_param.len = len; - EVP_CIPHER_CTX_ctrl(s->enc_write_ctx, - EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT, - sizeof(mb_param), &mb_param); - - s->s3->write_sequence[7] += mb_param.interleave; - if (s->s3->write_sequence[7] < mb_param.interleave) { - int j = 6; - while (j >= 0 && (++s->s3->write_sequence[j--]) == 0) ; - } - - wb->offset = 0; - wb->left = packlen; - - /* - * memorize arguments so that ssl3_write_pending can detect bad - * write retries later - */ - s->s3->wpend_tot = len; - s->s3->wpend_buf = buf; - s->s3->wpend_type = type; - s->s3->wpend_ret = len; - - /* we now just need to write the buffer */ - return ssl3_write_pending(s, type, buf, len); - } while (0); -#endif - /* * 'create_empty_fragment' is true only when this function calls itself */ @@ -1604,15 +1543,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) { if (((s->state & SSL_ST_MASK) == SSL_ST_OK) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { -#if 0 /* worked only because C operator preferences - * are not as expected (and because this is - * not really needed for clients except for - * detecting protocol violations): */ - s->state = SSL_ST_BEFORE | (s->server) - ? SSL_ST_ACCEPT : SSL_ST_CONNECT; -#else s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; -#endif s->renegotiate = 1; s->new_session = 1; } diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index d81e06b582..974259969f 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -664,10 +664,12 @@ void ssl_sess_cert_free(SESS_CERT *sc) for (i = 0; i < SSL_PKEY_NUM; i++) { if (sc->peer_pkeys[i].x509 != NULL) X509_free(sc->peer_pkeys[i].x509); -#if 0 /* We don't have the peer's private key. - * These lines are just * here as a reminder - * that we're still using a - * not-quite-appropriate * data structure. */ +#if 0 + /* + * We don't have the peer's private key. These lines are just + * here as a reminder that we're still using a not-quite-appropriate + * data structure. + */ if (sc->peer_pkeys[i].privatekey != NULL) EVP_PKEY_free(sc->peer_pkeys[i].privatekey); #endif @@ -717,10 +719,6 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) } /* Set suite B flags if needed */ X509_STORE_CTX_set_flags(&ctx, tls1_suiteb(s)); -#if 0 - if (SSL_get_verify_depth(s) >= 0) - X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s)); -#endif X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s); /* diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 2bb1866b8c..ed987c0ff5 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -204,23 +204,10 @@ int SSL_clear(SSL *s) s->hit = 0; s->shutdown = 0; -#if 0 - /* - * Disabled since version 1.10 of this file (early return not - * needed because SSL_clear is not called when doing renegotiation) - */ - /* - * This is set if we are doing dynamic renegotiation so keep - * the old cipher. It is sort of a SSL_clear_lite :-) - */ - if (s->renegotiate) - return (1); -#else if (s->renegotiate) { SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR); return 0; } -#endif s->type = 0; @@ -230,9 +217,6 @@ int SSL_clear(SSL *s) s->client_version = s->version; s->rwstate = SSL_NOTHING; s->rstate = SSL_ST_READ_HEADER; -#if 0 - s->read_ahead = s->ctx->read_ahead; -#endif if (s->init_buf != NULL) { BUF_MEM_free(s->init_buf); @@ -326,9 +310,6 @@ SSL *SSL_new(SSL_CTX *ctx) s->msg_callback_arg = ctx->msg_callback_arg; s->verify_mode = ctx->verify_mode; s->not_resumable_session_cb = ctx->not_resumable_session_cb; -#if 0 - s->verify_depth = ctx->verify_depth; -#endif s->sid_ctx_length = ctx->sid_ctx_length; OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); @@ -339,10 +320,6 @@ SSL *SSL_new(SSL_CTX *ctx) if (!s->param) goto err; X509_VERIFY_PARAM_inherit(s->param, ctx->param); -#if 0 - s->purpose = ctx->purpose; - s->trust = ctx->trust; -#endif s->quiet_shutdown = ctx->quiet_shutdown; s->max_send_fragment = ctx->max_send_fragment; @@ -1915,26 +1892,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) ret->references = 1; ret->quiet_shutdown = 0; - -/* ret->cipher=NULL;*/ -/*- - ret->s2->challenge=NULL; - ret->master_key=NULL; - ret->s2->conn_id=NULL; */ - ret->info_callback = NULL; - ret->app_verify_callback = 0; ret->app_verify_arg = NULL; - ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; ret->read_ahead = 0; ret->msg_callback = 0; ret->msg_callback_arg = NULL; ret->verify_mode = SSL_VERIFY_NONE; -#if 0 - ret->verify_depth = -1; /* Don't impose a limit (but x509_lu.c does) */ -#endif ret->sid_ctx_length = 0; ret->default_verify_callback = NULL; if ((ret->cert = ssl_cert_new()) == NULL) @@ -2097,13 +2062,7 @@ void SSL_CTX_free(SSL_CTX *a) sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); if (a->extra_certs != NULL) sk_X509_pop_free(a->extra_certs, X509_free); -#if 0 /* This should never be done, since it - * removes a global database */ - if (a->comp_methods != NULL) - sk_SSL_COMP_pop_free(a->comp_methods, SSL_COMP_free); -#else a->comp_methods = NULL; -#endif #ifndef OPENSSL_NO_SRTP if (a->srtp_profiles) @@ -2265,15 +2224,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) emask_k |= SSL_kRSA; -#if 0 - /* The match needs to be both kDHE and aRSA or aDSA, so don't worry */ - if ((dh_tmp || dh_rsa || dh_dsa) && (rsa_enc || rsa_sign || dsa_sign)) - mask_k |= SSL_kDHE; - if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) && - (rsa_enc || rsa_sign || dsa_sign)) - emask_k |= SSL_kDHE; -#endif - if (dh_tmp_export) emask_k |= SSL_kDHE; diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index a432dca8c3..0c49619b5d 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -1302,11 +1302,6 @@ int tls1_alert_code(int code) return (TLS1_AD_UNKNOWN_PSK_IDENTITY); case SSL_AD_INAPPROPRIATE_FALLBACK: return (TLS1_AD_INAPPROPRIATE_FALLBACK); -#if 0 - /* not appropriate for TLS, not used for DTLS */ - case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: - return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); -#endif default: return (-1); } diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 22f7047916..c91b761647 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1923,9 +1923,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, if (data + size > (d + n)) goto ri_check; -# if 0 - fprintf(stderr, "Received extension type %d size %d\n", type, size); -# endif if (s->tlsext_debug_cb) s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg); if (type == TLSEXT_TYPE_renegotiate) { @@ -2080,15 +2077,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); } -# if 0 - fprintf(stderr, - "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", - s->session->tlsext_ecpointformatlist_length); - sdata = s->session->tlsext_ecpointformatlist; - for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) - fprintf(stderr, "%i ", *(sdata++)); - fprintf(stderr, "\n"); -# endif } else if (type == TLSEXT_TYPE_elliptic_curves) { unsigned char *sdata = data; int ellipticcurvelist_length = (*(sdata++) << 8); @@ -2117,15 +2105,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); } -# if 0 - fprintf(stderr, - "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", - s->session->tlsext_ellipticcurvelist_length); - sdata = s->session->tlsext_ellipticcurvelist; - for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++) - fprintf(stderr, "%i ", *(sdata++)); - fprintf(stderr, "\n"); -# endif } # endif /* OPENSSL_NO_EC */ else if (type == TLSEXT_TYPE_session_ticket) { @@ -2462,14 +2441,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); } -# if 0 - fprintf(stderr, - "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); - sdata = s->session->tlsext_ecpointformatlist; - for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) - fprintf(stderr, "%i ", *(sdata++)); - fprintf(stderr, "\n"); -# endif } # endif /* OPENSSL_NO_EC */ diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c index 4161750b49..77f2a9f176 100644 --- a/ssl/t1_trce.c +++ b/ssl/t1_trce.c @@ -1214,14 +1214,6 @@ void SSL_trace(int write_p, int version, int content_type, (msg[3] << 8 | msg[4]), (msg[5] << 8 | msg[6]), (msg[7] << 8 | msg[8]), (msg[9] << 8 | msg[10])); -# if 0 - /* - * Just print handshake type so we can see what is going on - * during fragmentation. - */ - BIO_printf(bio, "(%s)\n", - ssl_trace_str(msg[msglen], ssl_handshake_tbl)); -# endif } BIO_printf(bio, " Content Type = %s (%d)\n Length = %d", -- 2.25.1