summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--ssl/bio_ssl.c12
-rw-r--r--ssl/d1_both.c27
-rw-r--r--ssl/d1_clnt.c17
-rw-r--r--ssl/d1_pkt.c173
-rw-r--r--ssl/d1_srtp.c10
-rw-r--r--ssl/d1_srvr.c5
-rw-r--r--ssl/kssl.c11
-rw-r--r--ssl/s23_clnt.c7
-rw-r--r--ssl/s23_srvr.c3
-rw-r--r--ssl/s3_clnt.c28
-rw-r--r--ssl/s3_lib.c35
-rw-r--r--ssl/s3_pkt.c69
-rw-r--r--ssl/ssl_cert.c14
-rw-r--r--ssl/ssl_lib.c50
-rw-r--r--ssl/t1_enc.c5
-rw-r--r--ssl/t1_lib.c29
-rw-r--r--ssl/t1_trce.c8
17 files changed, 10 insertions, 493 deletions
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index 458e071872..e2831af7f3 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -150,18 +150,6 @@ static int ssl_read(BIO *b, char *out, int outl)
BIO_clear_retry_flags(b);
-#if 0
- if (!SSL_is_init_finished(ssl)) {
-/* ret=SSL_do_handshake(ssl); */
- if (ret > 0) {
-
- outflags = (BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
- ret = -1;
- goto end;
- }
- }
-#endif
-/* if (ret > 0) */
ret = SSL_read(ssl, out, outl);
switch (SSL_get_error(ssl, ret)) {
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 487bc6c80d..7d48cc4df3 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -144,14 +144,6 @@
if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
-#if 0
-# define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \
- long ii; \
- printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \
- printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \
- printf("\n"); }
-#endif
-
static unsigned char bitmask_start_values[] =
{ 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
static unsigned char bitmask_end_values[] =
@@ -1031,20 +1023,6 @@ int dtls1_read_failed(SSL *s, int code)
BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
return code;
}
-#if 0 /* for now, each alert contains only one
- * record number */
- item = pqueue_peek(state->rcvd_records);
- if (item) {
- /* send an alert immediately for all the missing records */
- } else
-#endif
-
-#if 0 /* no more alert sending, just retransmit the
- * last set of messages */
- if (state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT)
- ssl3_send_alert(s, SSL3_AL_WARNING,
- DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-#endif
return dtls1_handle_timeout(s);
}
@@ -1144,11 +1122,6 @@ int dtls1_buffer_message(SSL *s, int is_ccs)
dtls1_hm_fragment_free(frag);
return 0;
}
-#if 0
- fprintf(stderr, "buffered messge: \ttype = %xx\n", msg_buf->type);
- fprintf(stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len);
- fprintf(stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num);
-#endif
pqueue_insert(s->d1->sent_messages, item);
return 1;
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 1858263e19..151dd47285 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -714,13 +714,6 @@ int dtls1_connect(SSL *s)
/* clean a few things up */
ssl3_cleanup_key_block(s);
-#if 0
- if (s->init_buf != NULL) {
- BUF_MEM_free(s->init_buf);
- s->init_buf = NULL;
- }
-#endif
-
/*
* If we are not 'joining' the last two packets, remove the
* buffering now
@@ -816,16 +809,6 @@ static int dtls1_get_hello_verify(SSL *s)
}
data = (unsigned char *)s->init_msg;
-#if 0
- if (s->method->version != DTLS_ANY_VERSION &&
- ((data[0] != (s->version >> 8)) || (data[1] != (s->version & 0xff))))
- {
- SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION);
- s->version = (s->version & 0xff00) | data[1];
- al = SSL_AD_PROTOCOL_VERSION;
- goto f_err;
- }
-#endif
data += 2;
cookie_len = *(data++);
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 331a50f515..d66ecf5c77 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -187,11 +187,6 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
unsigned int *is_next_epoch);
-#if 0
-static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
- unsigned short *priority,
- unsigned long *offset);
-#endif
static int dtls1_buffer_record(SSL *s, record_pqueue *q,
unsigned char *priority);
static int dtls1_process_record(SSL *s);
@@ -347,50 +342,6 @@ static int dtls1_process_buffered_records(SSL *s)
return (1);
}
-#if 0
-
-static int dtls1_get_buffered_record(SSL *s)
-{
- pitem *item;
- PQ_64BIT priority =
- (((PQ_64BIT) s->d1->handshake_read_seq) << 32) |
- ((PQ_64BIT) s->d1->r_msg_hdr.frag_off);
-
- /* if we're not (re)negotiating, nothing buffered */
- if (!SSL_in_init(s))
- return 0;
-
- item = pqueue_peek(s->d1->rcvd_records);
- if (item && item->priority == priority) {
- /*
- * Check if we've received the record of interest. It must be a
- * handshake record, since data records as passed up without
- * buffering
- */
- DTLS1_RECORD_DATA *rdata;
- item = pqueue_pop(s->d1->rcvd_records);
- rdata = (DTLS1_RECORD_DATA *)item->data;
-
- if (s->s3->rbuf.buf != NULL)
- OPENSSL_free(s->s3->rbuf.buf);
-
- s->packet = rdata->packet;
- s->packet_length = rdata->packet_length;
- memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
- memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
-
- OPENSSL_free(item->data);
- pitem_free(item);
-
- /* s->d1->next_expected_seq_num++; */
- return (1);
- }
-
- return 0;
-}
-
-#endif
-
static int dtls1_process_record(SSL *s)
{
int i, al;
@@ -1302,15 +1253,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
if (((s->state & SSL_ST_MASK) == SSL_ST_OK) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
-#if 0 /* worked only because C operator preferences
- * are not as expected (and because this is
- * not really needed for clients except for
- * detecting protocol violations): */
- s->state = SSL_ST_BEFORE | (s->server)
- ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#else
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#endif
s->renegotiate = 1;
s->new_session = 1;
}
@@ -1526,41 +1469,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
goto err;
}
- /* DTLS implements explicit IV, so no need for empty fragments */
-#if 0
- /*
- * 'create_empty_fragment' is true only when this function calls itself
- */
- if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
- && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
- {
- /*
- * countermeasure against known-IV weakness in CBC ciphersuites (see
- * http://www.openssl.org/~bodo/tls-cbc.txt)
- */
-
- if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) {
- /*
- * recursive function call with 'create_empty_fragment' set; this
- * prepares and buffers the data for an empty fragment (these
- * 'prefix_len' bytes are sent out later together with the actual
- * payload)
- */
- prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1);
- if (prefix_len <= 0)
- goto err;
-
- if (s->s3->wbuf.len <
- (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) {
- /* insufficient space */
- SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- }
-
- s->s3->empty_fragment_done = 1;
- }
-#endif
p = wb->buf + prefix_len;
/* write the header */
@@ -1672,13 +1580,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
wr->type = type; /* not needed but helps for debugging */
wr->length += DTLS1_RT_HEADER_LENGTH;
-#if 0 /* this is now done at the message layer */
- /* buffer the record, making it easy to handle retransmits */
- if (type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
- dtls1_buffer_record(s, wr->data, wr->length,
- *((PQ_64BIT *) & (s->s3->write_sequence[0])));
-#endif
-
ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
if (create_empty_fragment) {
@@ -1766,20 +1667,6 @@ int dtls1_dispatch_alert(SSL *s)
#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
s2n(s->d1->handshake_read_seq, ptr);
-# if 0
- if (s->d1->r_msg_hdr.frag_off == 0)
- /*
- * waiting for a new msg
- */
- else
- s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
-# endif
-
-# if 0
- fprintf(stderr,
- "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",
- s->d1->handshake_read_seq, s->d1->r_msg_hdr.seq);
-# endif
l2n3(s->d1->r_msg_hdr.frag_off, ptr);
}
#endif
@@ -1833,66 +1720,6 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
return NULL;
}
-#if 0
-static int
-dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
- unsigned short *priority, unsigned long *offset)
-{
-
- /* alerts are passed up immediately */
- if (rr->type == SSL3_RT_APPLICATION_DATA || rr->type == SSL3_RT_ALERT)
- return 0;
-
- /*
- * Only need to buffer if a handshake is underway. (this implies that
- * Hello Request and Client Hello are passed up immediately)
- */
- if (SSL_in_init(s)) {
- unsigned char *data = rr->data;
- /* need to extract the HM/CCS sequence number here */
- if (rr->type == SSL3_RT_HANDSHAKE ||
- rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
- unsigned short seq_num;
- struct hm_header_st msg_hdr;
- struct ccs_header_st ccs_hdr;
-
- if (rr->type == SSL3_RT_HANDSHAKE) {
- dtls1_get_message_header(data, &msg_hdr);
- seq_num = msg_hdr.seq;
- *offset = msg_hdr.frag_off;
- } else {
- dtls1_get_ccs_header(data, &ccs_hdr);
- seq_num = ccs_hdr.seq;
- *offset = 0;
- }
-
- /*
- * this is either a record we're waiting for, or a retransmit of
- * something we happened to previously receive (higher layers
- * will drop the repeat silently
- */
- if (seq_num < s->d1->handshake_read_seq)
- return 0;
- if (rr->type == SSL3_RT_HANDSHAKE &&
- seq_num == s->d1->handshake_read_seq &&
- msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
- return 0;
- else if (seq_num == s->d1->handshake_read_seq &&
- (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
- msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
- return 0;
- else {
- *priority = seq_num;
- return 1;
- }
- } else /* unknown record type */
- return 0;
- }
-
- return 0;
-}
-#endif
-
void dtls1_reset_seq_numbers(SSL *s, int rw)
{
unsigned char *seq;
diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
index c7861b8c8f..0d62de6aea 100644
--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
@@ -129,16 +129,6 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = {
"SRTP_AES128_CM_SHA1_32",
SRTP_AES128_CM_SHA1_32,
},
-# if 0
- {
- "SRTP_NULL_SHA1_80",
- SRTP_NULL_SHA1_80,
- },
- {
- "SRTP_NULL_SHA1_32",
- SRTP_NULL_SHA1_32,
- },
-# endif
{0}
};
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 55d37e78b0..c5a59249dd 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -842,11 +842,6 @@ int dtls1_accept(SSL *s)
/* clean a few things up */
ssl3_cleanup_key_block(s);
-#if 0
- BUF_MEM_free(s->init_buf);
- s->init_buf = NULL;
-#endif
-
/* remove buffering on output */
ssl_free_wbio_buffer(s);
diff --git a/ssl/kssl.c b/ssl/kssl.c
index df8df59367..6ec3742430 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -962,17 +962,6 @@ void print_krb5_authdata(char *label, krb5_authdata **adata)
return;
}
fprintf(stderr, "%s [%p]\n", label, (void *)adata);
-# if 0
- {
- int i;
- fprintf(stderr, "%s[at%d:%d] ", label, adata->ad_type, adata->length);
- for (i = 0; i < adata->length; i++) {
- fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x",
- adata->contents[i]);
- }
- fprintf(stderr, "\n");
- }
-# endif
}
/*
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 05fef3cbeb..e04d3af9f6 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -324,13 +324,6 @@ static int ssl23_client_hello(SSL *s)
buf = (unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
-#if 0
- /* don't reuse session-id's */
- if (!ssl_get_new_session(s, 0)) {
- return (-1);
- }
-#endif
-
p = s->s3->client_random;
if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
return -1;
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 1c6cf49690..6ac6e4edad 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -569,9 +569,6 @@ int ssl23_get_client_hello(SSL *s)
s->s3->rbuf.left = 0;
s->s3->rbuf.offset = 0;
}
-#if 0 /* ssl3_get_client_hello does this */
- s->client_version = (v[0] << 8) | v[1];
-#endif
s->handshake_func = s->method->ssl_accept;
} else {
/* bad, very bad */
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 4d7d05b608..1e437b2e1e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -755,14 +755,8 @@ int ssl3_client_hello(SSL *s)
* client_version in client hello and not resetting it to
* the negotiated version.
*/
-#if 0
- *(p++) = s->version >> 8;
- *(p++) = s->version & 0xff;
- s->client_version = s->version;
-#else
*(p++) = s->client_version >> 8;
*(p++) = s->client_version & 0xff;
-#endif
/* Random stuff */
memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
@@ -1036,16 +1030,10 @@ int ssl3_get_server_hello(SSL *s)
if (s->session->cipher)
s->session->cipher_id = s->session->cipher->id;
if (s->hit && (s->session->cipher_id != c->id)) {
-/* Workaround is now obsolete */
-#if 0
- if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
-#endif
- {
- al = SSL_AD_ILLEGAL_PARAMETER;
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
- SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
- goto f_err;
- }
+ al = SSL_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+ SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
+ goto f_err;
}
s->s3->tmp.new_cipher = c;
/*
@@ -2091,14 +2079,6 @@ int ssl3_get_certificate_request(SSL *s)
/* get the CA RDNs */
n2s(p, llen);
-#if 0
- {
- FILE *out;
- out = fopen("/tmp/vsign.der", "w");
- fwrite(p, 1, llen, out);
- fclose(out);
- }
-#endif
if ((unsigned long)(p - d + llen) != n) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 320d4a514c..ab19eebaea 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1213,41 +1213,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
#endif /* OPENSSL_NO_CAMELLIA */
#if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
- /* New TLS Export CipherSuites from expired ID */
-# if 0
- /* Cipher 60 */
- {
- 1,
- TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
- TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC4,
- SSL_MD5,
- SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 56,
- 128,
- },
-
- /* Cipher 61 */
- {
- 1,
- TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
- TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
- SSL_kRSA,
- SSL_aRSA,
- SSL_RC2,
- SSL_MD5,
- SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
- SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
- 56,
- 128,
- },
-# endif
-
/* Cipher 62 */
{
1,
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 5b8fe5c56d..11b1c5532e 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -352,9 +352,6 @@ static int ssl3_get_record(SSL *s)
ssl_minor = *(p++);
version = (ssl_major << 8) | ssl_minor;
n2s(p, rr->length);
-#if 0
- fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
-#endif
/* Lets check version */
if (!s->first_packet) {
@@ -585,10 +582,6 @@ static int ssl3_get_record(SSL *s)
}
goto again;
}
-#if 0
- fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type,
- rr->length);
-#endif
return (1);
@@ -914,60 +907,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
goto err;
}
-#if 0 && !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
- if (type == SSL3_RT_APPLICATION_DATA && s->compress == NULL &&
- !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
- EVP_CIPHER_flags(s->enc_write_ctx->cipher) &
- EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
- do {
- unsigned char aad[13];
- EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param =
- { NULL, aad, sizeof(aad), 0 };
- int packlen;
-
- memcpy(aad, s->s3->write_sequence, 8);
- aad[8] = type;
- aad[9] = (unsigned char)(s->version >> 8);
- aad[10] = (unsigned char)(s->version);
- aad[11] = (unsigned char)(len >> 8);
- aad[12] = (unsigned char)len;
- packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
- EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
- sizeof(mb_param), &mb_param);
-
- if (packlen == 0 || packlen > wb->len)
- break;
-
- mb_param.out = wb->buf;
- mb_param.inp = buf;
- mb_param.len = len;
- EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
- EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
- sizeof(mb_param), &mb_param);
-
- s->s3->write_sequence[7] += mb_param.interleave;
- if (s->s3->write_sequence[7] < mb_param.interleave) {
- int j = 6;
- while (j >= 0 && (++s->s3->write_sequence[j--]) == 0) ;
- }
-
- wb->offset = 0;
- wb->left = packlen;
-
- /*
- * memorize arguments so that ssl3_write_pending can detect bad
- * write retries later
- */
- s->s3->wpend_tot = len;
- s->s3->wpend_buf = buf;
- s->s3->wpend_type = type;
- s->s3->wpend_ret = len;
-
- /* we now just need to write the buffer */
- return ssl3_write_pending(s, type, buf, len);
- } while (0);
-#endif
-
/*
* 'create_empty_fragment' is true only when this function calls itself
*/
@@ -1604,15 +1543,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) {
if (((s->state & SSL_ST_MASK) == SSL_ST_OK) &&
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
-#if 0 /* worked only because C operator preferences
- * are not as expected (and because this is
- * not really needed for clients except for
- * detecting protocol violations): */
- s->state = SSL_ST_BEFORE | (s->server)
- ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#else
s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#endif
s->renegotiate = 1;
s->new_session = 1;
}
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index d81e06b582..974259969f 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -664,10 +664,12 @@ void ssl_sess_cert_free(SESS_CERT *sc)
for (i = 0; i < SSL_PKEY_NUM; i++) {
if (sc->peer_pkeys[i].x509 != NULL)
X509_free(sc->peer_pkeys[i].x509);
-#if 0 /* We don't have the peer's private key.
- * These lines are just * here as a reminder
- * that we're still using a
- * not-quite-appropriate * data structure. */
+#if 0
+ /*
+ * We don't have the peer's private key. These lines are just
+ * here as a reminder that we're still using a not-quite-appropriate
+ * data structure.
+ */
if (sc->peer_pkeys[i].privatekey != NULL)
EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
#endif
@@ -717,10 +719,6 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
}
/* Set suite B flags if needed */
X509_STORE_CTX_set_flags(&ctx, tls1_suiteb(s));
-#if 0
- if (SSL_get_verify_depth(s) >= 0)
- X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
-#endif
X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
/*
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2bb1866b8c..ed987c0ff5 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -204,23 +204,10 @@ int SSL_clear(SSL *s)
s->hit = 0;
s->shutdown = 0;
-#if 0
- /*
- * Disabled since version 1.10 of this file (early return not
- * needed because SSL_clear is not called when doing renegotiation)
- */
- /*
- * This is set if we are doing dynamic renegotiation so keep
- * the old cipher. It is sort of a SSL_clear_lite :-)
- */
- if (s->renegotiate)
- return (1);
-#else
if (s->renegotiate) {
SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR);
return 0;
}
-#endif
s->type = 0;
@@ -230,9 +217,6 @@ int SSL_clear(SSL *s)
s->client_version = s->version;
s->rwstate = SSL_NOTHING;
s->rstate = SSL_ST_READ_HEADER;
-#if 0
- s->read_ahead = s->ctx->read_ahead;
-#endif
if (s->init_buf != NULL) {
BUF_MEM_free(s->init_buf);
@@ -326,9 +310,6 @@ SSL *SSL_new(SSL_CTX *ctx)
s->msg_callback_arg = ctx->msg_callback_arg;
s->verify_mode = ctx->verify_mode;
s->not_resumable_session_cb = ctx->not_resumable_session_cb;
-#if 0
- s->verify_depth = ctx->verify_depth;
-#endif
s->sid_ctx_length = ctx->sid_ctx_length;
OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
@@ -339,10 +320,6 @@ SSL *SSL_new(SSL_CTX *ctx)
if (!s->param)
goto err;
X509_VERIFY_PARAM_inherit(s->param, ctx->param);
-#if 0
- s->purpose = ctx->purpose;
- s->trust = ctx->trust;
-#endif
s->quiet_shutdown = ctx->quiet_shutdown;
s->max_send_fragment = ctx->max_send_fragment;
@@ -1915,26 +1892,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
ret->references = 1;
ret->quiet_shutdown = 0;
-
-/* ret->cipher=NULL;*/
-/*-
- ret->s2->challenge=NULL;
- ret->master_key=NULL;
- ret->s2->conn_id=NULL; */
-
ret->info_callback = NULL;
-
ret->app_verify_callback = 0;
ret->app_verify_arg = NULL;
-
ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
ret->read_ahead = 0;
ret->msg_callback = 0;
ret->msg_callback_arg = NULL;
ret->verify_mode = SSL_VERIFY_NONE;
-#if 0
- ret->verify_depth = -1; /* Don't impose a limit (but x509_lu.c does) */
-#endif
ret->sid_ctx_length = 0;
ret->default_verify_callback = NULL;
if ((ret->cert = ssl_cert_new()) == NULL)
@@ -2097,13 +2062,7 @@ void SSL_CTX_free(SSL_CTX *a)
sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free);
if (a->extra_certs != NULL)
sk_X509_pop_free(a->extra_certs, X509_free);
-#if 0 /* This should never be done, since it
- * removes a global database */
- if (a->comp_methods != NULL)
- sk_SSL_COMP_pop_free(a->comp_methods, SSL_COMP_free);
-#else
a->comp_methods = NULL;
-#endif
#ifndef OPENSSL_NO_SRTP
if (a->srtp_profiles)
@@ -2265,15 +2224,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
emask_k |= SSL_kRSA;
-#if 0
- /* The match needs to be both kDHE and aRSA or aDSA, so don't worry */
- if ((dh_tmp || dh_rsa || dh_dsa) && (rsa_enc || rsa_sign || dsa_sign))
- mask_k |= SSL_kDHE;
- if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
- (rsa_enc || rsa_sign || dsa_sign))
- emask_k |= SSL_kDHE;
-#endif
-
if (dh_tmp_export)
emask_k |= SSL_kDHE;
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index a432dca8c3..0c49619b5d 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -1302,11 +1302,6 @@ int tls1_alert_code(int code)
return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
case SSL_AD_INAPPROPRIATE_FALLBACK:
return (TLS1_AD_INAPPROPRIATE_FALLBACK);
-#if 0
- /* not appropriate for TLS, not used for DTLS */
- case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE:
- return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-#endif
default:
return (-1);
}
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 22f7047916..c91b761647 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1923,9 +1923,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
if (data + size > (d + n))
goto ri_check;
-# if 0
- fprintf(stderr, "Received extension type %d size %d\n", type, size);
-# endif
if (s->tlsext_debug_cb)
s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
if (type == TLSEXT_TYPE_renegotiate) {
@@ -2080,15 +2077,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
memcpy(s->session->tlsext_ecpointformatlist, sdata,
ecpointformatlist_length);
}
-# if 0
- fprintf(stderr,
- "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ",
- s->session->tlsext_ecpointformatlist_length);
- sdata = s->session->tlsext_ecpointformatlist;
- for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
- fprintf(stderr, "%i ", *(sdata++));
- fprintf(stderr, "\n");
-# endif
} else if (type == TLSEXT_TYPE_elliptic_curves) {
unsigned char *sdata = data;
int ellipticcurvelist_length = (*(sdata++) << 8);
@@ -2117,15 +2105,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
memcpy(s->session->tlsext_ellipticcurvelist, sdata,
ellipticcurvelist_length);
}
-# if 0
- fprintf(stderr,
- "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ",
- s->session->tlsext_ellipticcurvelist_length);
- sdata = s->session->tlsext_ellipticcurvelist;
- for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
- fprintf(stderr, "%i ", *(sdata++));
- fprintf(stderr, "\n");
-# endif
}
# endif /* OPENSSL_NO_EC */
else if (type == TLSEXT_TYPE_session_ticket) {
@@ -2462,14 +2441,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
memcpy(s->session->tlsext_ecpointformatlist, sdata,
ecpointformatlist_length);
}
-# if 0
- fprintf(stderr,
- "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
- sdata = s->session->tlsext_ecpointformatlist;
- for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
- fprintf(stderr, "%i ", *(sdata++));
- fprintf(stderr, "\n");
-# endif
}
# endif /* OPENSSL_NO_EC */
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 4161750b49..77f2a9f176 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -1214,14 +1214,6 @@ void SSL_trace(int write_p, int version, int content_type,
(msg[3] << 8 | msg[4]),
(msg[5] << 8 | msg[6]),
(msg[7] << 8 | msg[8]), (msg[9] << 8 | msg[10]));
-# if 0
<