generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

dead code cleanup: #if 0 in ssl

Browse Source 
I left many "#if 0" lines, usually because I thought we would
probably want to revisit them later, or because they provided
some useful internal documentation tips.

Reviewed-by: Andy Polyakov <appro@openssl.org>
This commit is contained in:
Rich Salz 2015-02-06 10:52:12 -05:00
parent 5b18d3025c
commit 9e9858d1cf
17 changed files with 10 additions and 493 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
ssl/bio_ssl.c
View File

@ -150,18 +150,6 @@ static int ssl_read(BIO *b, char *out, int outl)
BIO_clear_retry_flags(b); BIO_clear_retry_flags(b);
#if 0
if (!SSL_is_init_finished(ssl)) {
/* ret=SSL_do_handshake(ssl); */
if (ret > 0) {
outflags = (BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
ret = -1;
goto end;
}
}
#endif
/* if (ret > 0) */
ret = SSL_read(ssl, out, outl); ret = SSL_read(ssl, out, outl);
switch (SSL_get_error(ssl, ret)) { switch (SSL_get_error(ssl, ret)) {

27
ssl/d1_both.c
View File

@ -144,14 +144,6 @@
if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \ if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
if (bitmask[ii] != 0xff) { is_complete = 0; break; } } if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
#if 0
# define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \
long ii; \
printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \
printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \
printf("\n"); }
#endif
static unsigned char bitmask_start_values[] = static unsigned char bitmask_start_values[] =
{ 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 }; { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
static unsigned char bitmask_end_values[] = static unsigned char bitmask_end_values[] =
@ -1031,20 +1023,6 @@ int dtls1_read_failed(SSL *s, int code)
BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ); BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
return code; return code;
} }
#if 0 /* for now, each alert contains only one
* record number */
item = pqueue_peek(state->rcvd_records);
if (item) {
/* send an alert immediately for all the missing records */
} else
#endif
#if 0 /* no more alert sending, just retransmit the
* last set of messages */
if (state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT)
ssl3_send_alert(s, SSL3_AL_WARNING,
DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
#endif
return dtls1_handle_timeout(s); return dtls1_handle_timeout(s);
} }
@ -1144,11 +1122,6 @@ int dtls1_buffer_message(SSL *s, int is_ccs)
dtls1_hm_fragment_free(frag); dtls1_hm_fragment_free(frag);
return 0; return 0;
} }
#if 0
fprintf(stderr, "buffered messge: \ttype = %xx\n", msg_buf->type);
fprintf(stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len);
fprintf(stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num);
#endif
pqueue_insert(s->d1->sent_messages, item); pqueue_insert(s->d1->sent_messages, item);
return 1; return 1;

17
ssl/d1_clnt.c
View File

@ -714,13 +714,6 @@ int dtls1_connect(SSL *s)
/* clean a few things up */ /* clean a few things up */
ssl3_cleanup_key_block(s); ssl3_cleanup_key_block(s);
#if 0
if (s->init_buf != NULL) {
BUF_MEM_free(s->init_buf);
s->init_buf = NULL;
}
#endif
/* /*
* If we are not 'joining' the last two packets, remove the * If we are not 'joining' the last two packets, remove the
* buffering now * buffering now
@ -816,16 +809,6 @@ static int dtls1_get_hello_verify(SSL *s)
} }
data = (unsigned char *)s->init_msg; data = (unsigned char *)s->init_msg;
#if 0
if (s->method->version != DTLS_ANY_VERSION &&
((data[0] != (s->version >> 8)) || (data[1] != (s->version & 0xff))))
{
SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION);
s->version = (s->version & 0xff00) | data[1];
al = SSL_AD_PROTOCOL_VERSION;
goto f_err;
}
#endif
data += 2; data += 2;
cookie_len = *(data++); cookie_len = *(data++);

173
ssl/d1_pkt.c
View File

@ -187,11 +187,6 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
unsigned int *is_next_epoch); unsigned int *is_next_epoch);
#if 0
static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
unsigned short *priority,
unsigned long *offset);
#endif
static int dtls1_buffer_record(SSL *s, record_pqueue *q, static int dtls1_buffer_record(SSL *s, record_pqueue *q,
unsigned char *priority); unsigned char *priority);
static int dtls1_process_record(SSL *s); static int dtls1_process_record(SSL *s);
@ -347,50 +342,6 @@ static int dtls1_process_buffered_records(SSL *s)
return (1); return (1);
} }
#if 0
static int dtls1_get_buffered_record(SSL *s)
{
pitem *item;
PQ_64BIT priority =
(((PQ_64BIT) s->d1->handshake_read_seq) << 32) |
((PQ_64BIT) s->d1->r_msg_hdr.frag_off);
/* if we're not (re)negotiating, nothing buffered */
if (!SSL_in_init(s))
return 0;
item = pqueue_peek(s->d1->rcvd_records);
if (item && item->priority == priority) {
/*
* Check if we've received the record of interest. It must be a
* handshake record, since data records as passed up without
* buffering
*/
DTLS1_RECORD_DATA *rdata;
item = pqueue_pop(s->d1->rcvd_records);
rdata = (DTLS1_RECORD_DATA *)item->data;
if (s->s3->rbuf.buf != NULL)
OPENSSL_free(s->s3->rbuf.buf);
s->packet = rdata->packet;
s->packet_length = rdata->packet_length;
memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
OPENSSL_free(item->data);
pitem_free(item);
/* s->d1->next_expected_seq_num++; */
return (1);
}
return 0;
}
#endif
static int dtls1_process_record(SSL *s) static int dtls1_process_record(SSL *s)
{ {
int i, al; int i, al;
@ -1302,15 +1253,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
if (((s->state & SSL_ST_MASK) == SSL_ST_OK) && if (((s->state & SSL_ST_MASK) == SSL_ST_OK) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
#if 0 /* worked only because C operator preferences
* are not as expected (and because this is
* not really needed for clients except for
* detecting protocol violations): */
s->state = SSL_ST_BEFORE | (s->server)
? SSL_ST_ACCEPT : SSL_ST_CONNECT;
#else
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
#endif
s->renegotiate = 1; s->renegotiate = 1;
s->new_session = 1; s->new_session = 1;
} }
@ -1526,41 +1469,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
goto err; goto err;
} }
/* DTLS implements explicit IV, so no need for empty fragments */
#if 0
/*
* 'create_empty_fragment' is true only when this function calls itself
*/
if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
&& SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
{
/*
* countermeasure against known-IV weakness in CBC ciphersuites (see
* http://www.openssl.org/~bodo/tls-cbc.txt)
*/
if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) {
/*
* recursive function call with 'create_empty_fragment' set; this
* prepares and buffers the data for an empty fragment (these
* 'prefix_len' bytes are sent out later together with the actual
* payload)
*/
prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1);
if (prefix_len <= 0)
goto err;
if (s->s3->wbuf.len <
(size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) {
/* insufficient space */
SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
goto err;
}
}
s->s3->empty_fragment_done = 1;
}
#endif
p = wb->buf + prefix_len; p = wb->buf + prefix_len;
/* write the header */ /* write the header */
@ -1672,13 +1580,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
wr->type = type; /* not needed but helps for debugging */ wr->type = type; /* not needed but helps for debugging */
wr->length += DTLS1_RT_HEADER_LENGTH; wr->length += DTLS1_RT_HEADER_LENGTH;
#if 0 /* this is now done at the message layer */
/* buffer the record, making it easy to handle retransmits */
if (type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
dtls1_buffer_record(s, wr->data, wr->length,
*((PQ_64BIT *) & (s->s3->write_sequence[0])));
#endif
ssl3_record_sequence_update(&(s->s3->write_sequence[0])); ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
if (create_empty_fragment) { if (create_empty_fragment) {
@ -1766,20 +1667,6 @@ int dtls1_dispatch_alert(SSL *s)
#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
s2n(s->d1->handshake_read_seq, ptr); s2n(s->d1->handshake_read_seq, ptr);
# if 0
if (s->d1->r_msg_hdr.frag_off == 0)
/*
* waiting for a new msg
*/
else
s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
# endif
# if 0
fprintf(stderr,
"s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",
s->d1->handshake_read_seq, s->d1->r_msg_hdr.seq);
# endif
l2n3(s->d1->r_msg_hdr.frag_off, ptr); l2n3(s->d1->r_msg_hdr.frag_off, ptr);
} }
#endif #endif
@ -1833,66 +1720,6 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
return NULL; return NULL;
} }
#if 0
static int
dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
unsigned short *priority, unsigned long *offset)
{
/* alerts are passed up immediately */
if (rr->type == SSL3_RT_APPLICATION_DATA || rr->type == SSL3_RT_ALERT)
return 0;
/*
* Only need to buffer if a handshake is underway. (this implies that
* Hello Request and Client Hello are passed up immediately)
*/
if (SSL_in_init(s)) {
unsigned char *data = rr->data;
/* need to extract the HM/CCS sequence number here */
if (rr->type == SSL3_RT_HANDSHAKE ||
rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
unsigned short seq_num;
struct hm_header_st msg_hdr;
struct ccs_header_st ccs_hdr;
if (rr->type == SSL3_RT_HANDSHAKE) {
dtls1_get_message_header(data, &msg_hdr);
seq_num = msg_hdr.seq;
*offset = msg_hdr.frag_off;
} else {
dtls1_get_ccs_header(data, &ccs_hdr);
seq_num = ccs_hdr.seq;
*offset = 0;
}
/*
* this is either a record we're waiting for, or a retransmit of
* something we happened to previously receive (higher layers
* will drop the repeat silently
*/
if (seq_num < s->d1->handshake_read_seq)
return 0;
if (rr->type == SSL3_RT_HANDSHAKE &&
seq_num == s->d1->handshake_read_seq &&
msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
return 0;
else if (seq_num == s->d1->handshake_read_seq &&
(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
return 0;
else {
*priority = seq_num;
return 1;
}
} else /* unknown record type */
return 0;
}
return 0;
}
#endif
void dtls1_reset_seq_numbers(SSL *s, int rw) void dtls1_reset_seq_numbers(SSL *s, int rw)
{ {
unsigned char *seq; unsigned char *seq;

10
ssl/d1_srtp.c
View File

@ -129,16 +129,6 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = {
"SRTP_AES128_CM_SHA1_32", "SRTP_AES128_CM_SHA1_32",
SRTP_AES128_CM_SHA1_32, SRTP_AES128_CM_SHA1_32,
}, },
# if 0
{
"SRTP_NULL_SHA1_80",
SRTP_NULL_SHA1_80,
},
{
"SRTP_NULL_SHA1_32",
SRTP_NULL_SHA1_32,
},
# endif
{0} {0}
}; };

5
ssl/d1_srvr.c
View File

@ -842,11 +842,6 @@ int dtls1_accept(SSL *s)
/* clean a few things up */ /* clean a few things up */
ssl3_cleanup_key_block(s); ssl3_cleanup_key_block(s);
#if 0
BUF_MEM_free(s->init_buf);
s->init_buf = NULL;
#endif
/* remove buffering on output */ /* remove buffering on output */
ssl_free_wbio_buffer(s); ssl_free_wbio_buffer(s);

11
ssl/kssl.c
View File

@ -962,17 +962,6 @@ void print_krb5_authdata(char *label, krb5_authdata **adata)
return; return;
} }
fprintf(stderr, "%s [%p]\n", label, (void *)adata); fprintf(stderr, "%s [%p]\n", label, (void *)adata);
# if 0
{
int i;
fprintf(stderr, "%s[at%d:%d] ", label, adata->ad_type, adata->length);
for (i = 0; i < adata->length; i++) {
fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x",
adata->contents[i]);
}
fprintf(stderr, "\n");
}
# endif
} }
/* /*

7
ssl/s23_clnt.c
View File

@ -324,13 +324,6 @@ static int ssl23_client_hello(SSL *s)
buf = (unsigned char *)s->init_buf->data; buf = (unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A) { if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
#if 0
/* don't reuse session-id's */
if (!ssl_get_new_session(s, 0)) {
return (-1);
}
#endif
p = s->s3->client_random; p = s->s3->client_random;
if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0) if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
return -1; return -1;

3
ssl/s23_srvr.c
View File

@ -569,9 +569,6 @@ int ssl23_get_client_hello(SSL *s)
s->s3->rbuf.left = 0; s->s3->rbuf.left = 0;
s->s3->rbuf.offset = 0; s->s3->rbuf.offset = 0;
} }
#if 0 /* ssl3_get_client_hello does this */
s->client_version = (v[0] << 8) | v[1];
#endif
s->handshake_func = s->method->ssl_accept; s->handshake_func = s->method->ssl_accept;
} else { } else {
/* bad, very bad */ /* bad, very bad */

28
ssl/s3_clnt.c
View File

@ -755,14 +755,8 @@ int ssl3_client_hello(SSL *s)
* client_version in client hello and not resetting it to * client_version in client hello and not resetting it to
* the negotiated version. * the negotiated version.
*/ */
#if 0
*(p++) = s->version >> 8;
*(p++) = s->version & 0xff;
s->client_version = s->version;
#else
*(p++) = s->client_version >> 8; *(p++) = s->client_version >> 8;
*(p++) = s->client_version & 0xff; *(p++) = s->client_version & 0xff;
#endif
/* Random stuff */ /* Random stuff */
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
@ -1036,16 +1030,10 @@ int ssl3_get_server_hello(SSL *s)
if (s->session->cipher) if (s->session->cipher)
s->session->cipher_id = s->session->cipher->id; s->session->cipher_id = s->session->cipher->id;
if (s->hit && (s->session->cipher_id != c->id)) { if (s->hit && (s->session->cipher_id != c->id)) {
/* Workaround is now obsolete */ al = SSL_AD_ILLEGAL_PARAMETER;
#if 0 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
#endif goto f_err;
{
al = SSL_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
goto f_err;
}
} }
s->s3->tmp.new_cipher = c; s->s3->tmp.new_cipher = c;
/* /*
@ -2091,14 +2079,6 @@ int ssl3_get_certificate_request(SSL *s)
/* get the CA RDNs */ /* get the CA RDNs */
n2s(p, llen); n2s(p, llen);
#if 0
{
FILE *out;
out = fopen("/tmp/vsign.der", "w");
fwrite(p, 1, llen, out);
fclose(out);
}
#endif
if ((unsigned long)(p - d + llen) != n) { if ((unsigned long)(p - d + llen) != n) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);

35
ssl/s3_lib.c
View File

@ -1213,41 +1213,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
#endif /* OPENSSL_NO_CAMELLIA */ #endif /* OPENSSL_NO_CAMELLIA */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
/* New TLS Export CipherSuites from expired ID */
# if 0
/* Cipher 60 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
SSL_kRSA,
SSL_aRSA,
SSL_RC4,
SSL_MD5,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
},
/* Cipher 61 */
{
1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
SSL_kRSA,
SSL_aRSA,
SSL_RC2,
SSL_MD5,
SSL_TLSV1,
SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
},
# endif
/* Cipher 62 */ /* Cipher 62 */
{ {
1, 1,

69
ssl/s3_pkt.c
View File

@ -352,9 +352,6 @@ static int ssl3_get_record(SSL *s)
ssl_minor = *(p++); ssl_minor = *(p++);
version = (ssl_major << 8) | ssl_minor; version = (ssl_major << 8) | ssl_minor;
n2s(p, rr->length); n2s(p, rr->length);
#if 0
fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
#endif
/* Lets check version */ /* Lets check version */
if (!s->first_packet) { if (!s->first_packet) {
@ -585,10 +582,6 @@ static int ssl3_get_record(SSL *s)
} }
goto again; goto again;
} }
#if 0
fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type,
rr->length);
#endif
return (1); return (1);
@ -914,60 +907,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
goto err; goto err;
} }
#if 0 && !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
if (type == SSL3_RT_APPLICATION_DATA && s->compress == NULL &&
!SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
EVP_CIPHER_flags(s->enc_write_ctx->cipher) &
EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
do {
unsigned char aad[13];
EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param =
{ NULL, aad, sizeof(aad), 0 };
int packlen;
memcpy(aad, s->s3->write_sequence, 8);
aad[8] = type;
aad[9] = (unsigned char)(s->version >> 8);
aad[10] = (unsigned char)(s->version);
aad[11] = (unsigned char)(len >> 8);
aad[12] = (unsigned char)len;
packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
sizeof(mb_param), &mb_param);
if (packlen == 0 || packlen > wb->len)
break;
mb_param.out = wb->buf;
mb_param.inp = buf;
mb_param.len = len;
EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
sizeof(mb_param), &mb_param);
s->s3->write_sequence[7] += mb_param.interleave;
if (s->s3->write_sequence[7] < mb_param.interleave) {
int j = 6;
while (j >= 0 && (++s->s3->write_sequence[j--]) == 0) ;
}
wb->offset = 0;
wb->left = packlen;
/*
* memorize arguments so that ssl3_write_pending can detect bad
* write retries later
*/
s->s3->wpend_tot = len;
s->s3->wpend_buf = buf;
s->s3->wpend_type = type;
s->s3->wpend_ret = len;
/* we now just need to write the buffer */
return ssl3_write_pending(s, type, buf, len);
} while (0);
#endif
/* /*
* 'create_empty_fragment' is true only when this function calls itself * 'create_empty_fragment' is true only when this function calls itself
*/ */
@ -1604,15 +1543,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) { if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) {
if (((s->state & SSL_ST_MASK) == SSL_ST_OK) && if (((s->state & SSL_ST_MASK) == SSL_ST_OK) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) { !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
#if 0 /* worked only because C operator preferences
* are not as expected (and because this is
* not really needed for clients except for
* detecting protocol violations): */
s->state = SSL_ST_BEFORE | (s->server)
? SSL_ST_ACCEPT : SSL_ST_CONNECT;
#else
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT; s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
#endif
s->renegotiate = 1; s->renegotiate = 1;
s->new_session = 1; s->new_session = 1;
} }

14
ssl/ssl_cert.c
View File

@ -664,10 +664,12 @@ void ssl_sess_cert_free(SESS_CERT *sc)
for (i = 0; i < SSL_PKEY_NUM; i++) { for (i = 0; i < SSL_PKEY_NUM; i++) {
if (sc->peer_pkeys[i].x509 != NULL) if (sc->peer_pkeys[i].x509 != NULL)
X509_free(sc->peer_pkeys[i].x509); X509_free(sc->peer_pkeys[i].x509);
#if 0 /* We don't have the peer's private key. #if 0
* These lines are just * here as a reminder /*
* that we're still using a * We don't have the peer's private key. These lines are just
* not-quite-appropriate * data structure. */ * here as a reminder that we're still using a not-quite-appropriate
* data structure.
*/
if (sc->peer_pkeys[i].privatekey != NULL) if (sc->peer_pkeys[i].privatekey != NULL)
EVP_PKEY_free(sc->peer_pkeys[i].privatekey); EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
#endif #endif
@ -717,10 +719,6 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
} }
/* Set suite B flags if needed */ /* Set suite B flags if needed */
X509_STORE_CTX_set_flags(&ctx, tls1_suiteb(s)); X509_STORE_CTX_set_flags(&ctx, tls1_suiteb(s));
#if 0
if (SSL_get_verify_depth(s) >= 0)
X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
#endif
X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s); X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
/* /*

50
ssl/ssl_lib.c
View File

@ -204,23 +204,10 @@ int SSL_clear(SSL *s)
s->hit = 0; s->hit = 0;
s->shutdown = 0; s->shutdown = 0;
#if 0
/*
* Disabled since version 1.10 of this file (early return not
* needed because SSL_clear is not called when doing renegotiation)
*/
/*
* This is set if we are doing dynamic renegotiation so keep
* the old cipher. It is sort of a SSL_clear_lite :-)
*/
if (s->renegotiate)
return (1);
#else
if (s->renegotiate) { if (s->renegotiate) {
SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR); SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR);
return 0; return 0;
} }
#endif
s->type = 0; s->type = 0;
@ -230,9 +217,6 @@ int SSL_clear(SSL *s)
s->client_version = s->version; s->client_version = s->version;
s->rwstate = SSL_NOTHING; s->rwstate = SSL_NOTHING;
s->rstate = SSL_ST_READ_HEADER; s->rstate = SSL_ST_READ_HEADER;
#if 0
s->read_ahead = s->ctx->read_ahead;
#endif
if (s->init_buf != NULL) { if (s->init_buf != NULL) {
BUF_MEM_free(s->init_buf); BUF_MEM_free(s->init_buf);
@ -326,9 +310,6 @@ SSL *SSL_new(SSL_CTX *ctx)
s->msg_callback_arg = ctx->msg_callback_arg; s->msg_callback_arg = ctx->msg_callback_arg;
s->verify_mode = ctx->verify_mode; s->verify_mode = ctx->verify_mode;
s->not_resumable_session_cb = ctx->not_resumable_session_cb; s->not_resumable_session_cb = ctx->not_resumable_session_cb;
#if 0
s->verify_depth = ctx->verify_depth;
#endif
s->sid_ctx_length = ctx->sid_ctx_length; s->sid_ctx_length = ctx->sid_ctx_length;
OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
@ -339,10 +320,6 @@ SSL *SSL_new(SSL_CTX *ctx)
if (!s->param) if (!s->param)
goto err; goto err;
X509_VERIFY_PARAM_inherit(s->param, ctx->param); X509_VERIFY_PARAM_inherit(s->param, ctx->param);
#if 0
s->purpose = ctx->purpose;
s->trust = ctx->trust;
#endif
s->quiet_shutdown = ctx->quiet_shutdown; s->quiet_shutdown = ctx->quiet_shutdown;
s->max_send_fragment = ctx->max_send_fragment; s->max_send_fragment = ctx->max_send_fragment;
@ -1915,26 +1892,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->references = 1; ret->references = 1;
ret->quiet_shutdown = 0; ret->quiet_shutdown = 0;
/* ret->cipher=NULL;*/
/*-
ret->s2->challenge=NULL;
ret->master_key=NULL;
ret->s2->conn_id=NULL; */
ret->info_callback = NULL; ret->info_callback = NULL;
ret->app_verify_callback = 0; ret->app_verify_callback = 0;
ret->app_verify_arg = NULL; ret->app_verify_arg = NULL;
ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
ret->read_ahead = 0; ret->read_ahead = 0;
ret->msg_callback = 0; ret->msg_callback = 0;
ret->msg_callback_arg = NULL; ret->msg_callback_arg = NULL;
ret->verify_mode = SSL_VERIFY_NONE; ret->verify_mode = SSL_VERIFY_NONE;
#if 0
ret->verify_depth = -1; /* Don't impose a limit (but x509_lu.c does) */
#endif
ret->sid_ctx_length = 0; ret->sid_ctx_length = 0;
ret->default_verify_callback = NULL; ret->default_verify_callback = NULL;
if ((ret->cert = ssl_cert_new()) == NULL) if ((ret->cert = ssl_cert_new()) == NULL)
@ -2097,13 +2062,7 @@ void SSL_CTX_free(SSL_CTX *a)
sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free); sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free);
if (a->extra_certs != NULL) if (a->extra_certs != NULL)
sk_X509_pop_free(a->extra_certs, X509_free); sk_X509_pop_free(a->extra_certs, X509_free);
#if 0 /* This should never be done, since it
* removes a global database */
if (a->comp_methods != NULL)
sk_SSL_COMP_pop_free(a->comp_methods, SSL_COMP_free);
#else
a->comp_methods = NULL; a->comp_methods = NULL;
#endif
#ifndef OPENSSL_NO_SRTP #ifndef OPENSSL_NO_SRTP
if (a->srtp_profiles) if (a->srtp_profiles)
@ -2265,15 +2224,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc))) if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
emask_k |= SSL_kRSA; emask_k |= SSL_kRSA;
#if 0
/* The match needs to be both kDHE and aRSA or aDSA, so don't worry */
if ((dh_tmp || dh_rsa || dh_dsa) && (rsa_enc || rsa_sign || dsa_sign))
mask_k |= SSL_kDHE;
if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
(rsa_enc || rsa_sign || dsa_sign))
emask_k |= SSL_kDHE;
#endif
if (dh_tmp_export) if (dh_tmp_export)
emask_k |= SSL_kDHE; emask_k |= SSL_kDHE;

5
ssl/t1_enc.c
View File

@ -1302,11 +1302,6 @@ int tls1_alert_code(int code)
return (TLS1_AD_UNKNOWN_PSK_IDENTITY); return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
case SSL_AD_INAPPROPRIATE_FALLBACK: case SSL_AD_INAPPROPRIATE_FALLBACK:
return (TLS1_AD_INAPPROPRIATE_FALLBACK); return (TLS1_AD_INAPPROPRIATE_FALLBACK);
#if 0
/* not appropriate for TLS, not used for DTLS */
case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE:
return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
#endif
default: default:
return (-1); return (-1);
} }

29
ssl/t1_lib.c
View File

@ -1923,9 +1923,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
if (data + size > (d + n)) if (data + size > (d + n))
goto ri_check; goto ri_check;
# if 0
fprintf(stderr, "Received extension type %d size %d\n", type, size);
# endif
if (s->tlsext_debug_cb) if (s->tlsext_debug_cb)
s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg); s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
if (type == TLSEXT_TYPE_renegotiate) { if (type == TLSEXT_TYPE_renegotiate) {
@ -2080,15 +2077,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
memcpy(s->session->tlsext_ecpointformatlist, sdata, memcpy(s->session->tlsext_ecpointformatlist, sdata,
ecpointformatlist_length); ecpointformatlist_length);
} }
# if 0
fprintf(stderr,
"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ",
s->session->tlsext_ecpointformatlist_length);
sdata = s->session->tlsext_ecpointformatlist;
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
fprintf(stderr, "%i ", *(sdata++));
fprintf(stderr, "\n");
# endif
} else if (type == TLSEXT_TYPE_elliptic_curves) { } else if (type == TLSEXT_TYPE_elliptic_curves) {
unsigned char *sdata = data; unsigned char *sdata = data;
int ellipticcurvelist_length = (*(sdata++) << 8); int ellipticcurvelist_length = (*(sdata++) << 8);
@ -2117,15 +2105,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
memcpy(s->session->tlsext_ellipticcurvelist, sdata, memcpy(s->session->tlsext_ellipticcurvelist, sdata,
ellipticcurvelist_length); ellipticcurvelist_length);
} }
# if 0
fprintf(stderr,
"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ",
s->session->tlsext_ellipticcurvelist_length);
sdata = s->session->tlsext_ellipticcurvelist;
for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
fprintf(stderr, "%i ", *(sdata++));
fprintf(stderr, "\n");
# endif
} }
# endif /* OPENSSL_NO_EC */ # endif /* OPENSSL_NO_EC */
else if (type == TLSEXT_TYPE_session_ticket) { else if (type == TLSEXT_TYPE_session_ticket) {
@ -2462,14 +2441,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
memcpy(s->session->tlsext_ecpointformatlist, sdata, memcpy(s->session->tlsext_ecpointformatlist, sdata,
ecpointformatlist_length); ecpointformatlist_length);
} }
# if 0
fprintf(stderr,
"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
sdata = s->session->tlsext_ecpointformatlist;
for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
fprintf(stderr, "%i ", *(sdata++));
fprintf(stderr, "\n");
# endif
} }
# endif /* OPENSSL_NO_EC */ # endif /* OPENSSL_NO_EC */

8
ssl/t1_trce.c
View File

@ -1214,14 +1214,6 @@ void SSL_trace(int write_p, int version, int content_type,
(msg[3] << 8 | msg[4]), (msg[3] << 8 | msg[4]),
(msg[5] << 8 | msg[6]), (msg[5] << 8 | msg[6]),
(msg[7] << 8 | msg[8]), (msg[9] << 8 | msg[10])); (msg[7] << 8 | msg[8]), (msg[9] << 8 | msg[10]));
# if 0
/*
* Just print handshake type so we can see what is going on
* during fragmentation.
*/
BIO_printf(bio, "(%s)\n",
ssl_trace_str(msg[msglen], ssl_handshake_tbl));
# endif
} }
BIO_printf(bio, " Content Type = %s (%d)\n Length = %d", BIO_printf(bio, " Content Type = %s (%d)\n Length = %d",