[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Fri Feb 6 15:53:05 UTC 2015


The branch master has been updated
       via  9e9858d1cf28e39cfd214b5c508188d5016728fd (commit)
      from  5b18d3025c1c1d36be8f81f137265b46da58f881 (commit)


- Log -----------------------------------------------------------------
commit 9e9858d1cf28e39cfd214b5c508188d5016728fd
Author: Rich Salz <rsalz at openssl.org>
Date:   Fri Feb 6 10:52:12 2015 -0500

    dead code cleanup: #if 0 in ssl
    
    I left many "#if 0" lines, usually because I thought we would
    probably want to revisit them later, or because they provided
    some useful internal documentation tips.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/bio_ssl.c  |   12 ----
 ssl/d1_both.c  |   27 ---------
 ssl/d1_clnt.c  |   17 ------
 ssl/d1_pkt.c   |  173 --------------------------------------------------------
 ssl/d1_srtp.c  |   10 ----
 ssl/d1_srvr.c  |    5 --
 ssl/kssl.c     |   11 ----
 ssl/s23_clnt.c |    7 ---
 ssl/s23_srvr.c |    3 -
 ssl/s3_clnt.c  |   28 ++-------
 ssl/s3_lib.c   |   35 ------------
 ssl/s3_pkt.c   |   69 ----------------------
 ssl/ssl_cert.c |   14 ++---
 ssl/ssl_lib.c  |   50 ----------------
 ssl/t1_enc.c   |    5 --
 ssl/t1_lib.c   |   29 ----------
 ssl/t1_trce.c  |    8 ---
 17 files changed, 10 insertions(+), 493 deletions(-)

diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index 458e071..e2831af 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
@@ -150,18 +150,6 @@ static int ssl_read(BIO *b, char *out, int outl)
 
     BIO_clear_retry_flags(b);
 
-#if 0
-    if (!SSL_is_init_finished(ssl)) {
-/*              ret=SSL_do_handshake(ssl); */
-        if (ret > 0) {
-
-            outflags = (BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY);
-            ret = -1;
-            goto end;
-        }
-    }
-#endif
-/*      if (ret > 0) */
     ret = SSL_read(ssl, out, outl);
 
     switch (SSL_get_error(ssl, ret)) {
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 487bc6c..7d48cc4 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -144,14 +144,6 @@
                         if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
                                 if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
 
-#if 0
-# define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \
-                        long ii; \
-                        printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \
-                        printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \
-                        printf("\n"); }
-#endif
-
 static unsigned char bitmask_start_values[] =
     { 0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80 };
 static unsigned char bitmask_end_values[] =
@@ -1031,20 +1023,6 @@ int dtls1_read_failed(SSL *s, int code)
         BIO_set_flags(SSL_get_rbio(s), BIO_FLAGS_READ);
         return code;
     }
-#if 0                           /* for now, each alert contains only one
-                                 * record number */
-    item = pqueue_peek(state->rcvd_records);
-    if (item) {
-        /* send an alert immediately for all the missing records */
-    } else
-#endif
-
-#if 0                           /* no more alert sending, just retransmit the
-                                 * last set of messages */
-    if (state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT)
-        ssl3_send_alert(s, SSL3_AL_WARNING,
-                        DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-#endif
 
     return dtls1_handle_timeout(s);
 }
@@ -1144,11 +1122,6 @@ int dtls1_buffer_message(SSL *s, int is_ccs)
         dtls1_hm_fragment_free(frag);
         return 0;
     }
-#if 0
-    fprintf(stderr, "buffered messge: \ttype = %xx\n", msg_buf->type);
-    fprintf(stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len);
-    fprintf(stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num);
-#endif
 
     pqueue_insert(s->d1->sent_messages, item);
     return 1;
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
index 1858263..151dd47 100644
--- a/ssl/d1_clnt.c
+++ b/ssl/d1_clnt.c
@@ -714,13 +714,6 @@ int dtls1_connect(SSL *s)
             /* clean a few things up */
             ssl3_cleanup_key_block(s);
 
-#if 0
-            if (s->init_buf != NULL) {
-                BUF_MEM_free(s->init_buf);
-                s->init_buf = NULL;
-            }
-#endif
-
             /*
              * If we are not 'joining' the last two packets, remove the
              * buffering now
@@ -816,16 +809,6 @@ static int dtls1_get_hello_verify(SSL *s)
     }
 
     data = (unsigned char *)s->init_msg;
-#if 0
-    if (s->method->version != DTLS_ANY_VERSION &&
-        ((data[0] != (s->version >> 8)) || (data[1] != (s->version & 0xff))))
-    {
-        SSLerr(SSL_F_DTLS1_GET_HELLO_VERIFY, SSL_R_WRONG_SSL_VERSION);
-        s->version = (s->version & 0xff00) | data[1];
-        al = SSL_AD_PROTOCOL_VERSION;
-        goto f_err;
-    }
-#endif
     data += 2;
 
     cookie_len = *(data++);
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 331a50f..d66ecf5 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -187,11 +187,6 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
                                       unsigned int *is_next_epoch);
-#if 0
-static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
-                                        unsigned short *priority,
-                                        unsigned long *offset);
-#endif
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
                                unsigned char *priority);
 static int dtls1_process_record(SSL *s);
@@ -347,50 +342,6 @@ static int dtls1_process_buffered_records(SSL *s)
     return (1);
 }
 
-#if 0
-
-static int dtls1_get_buffered_record(SSL *s)
-{
-    pitem *item;
-    PQ_64BIT priority =
-        (((PQ_64BIT) s->d1->handshake_read_seq) << 32) |
-        ((PQ_64BIT) s->d1->r_msg_hdr.frag_off);
-
-    /* if we're not (re)negotiating, nothing buffered */
-    if (!SSL_in_init(s))
-        return 0;
-
-    item = pqueue_peek(s->d1->rcvd_records);
-    if (item && item->priority == priority) {
-        /*
-         * Check if we've received the record of interest.  It must be a
-         * handshake record, since data records as passed up without
-         * buffering
-         */
-        DTLS1_RECORD_DATA *rdata;
-        item = pqueue_pop(s->d1->rcvd_records);
-        rdata = (DTLS1_RECORD_DATA *)item->data;
-
-        if (s->s3->rbuf.buf != NULL)
-            OPENSSL_free(s->s3->rbuf.buf);
-
-        s->packet = rdata->packet;
-        s->packet_length = rdata->packet_length;
-        memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
-        memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
-
-        OPENSSL_free(item->data);
-        pitem_free(item);
-
-        /* s->d1->next_expected_seq_num++; */
-        return (1);
-    }
-
-    return 0;
-}
-
-#endif
-
 static int dtls1_process_record(SSL *s)
 {
     int i, al;
@@ -1302,15 +1253,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 
         if (((s->state & SSL_ST_MASK) == SSL_ST_OK) &&
             !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
-#if 0                           /* worked only because C operator preferences
-                                 * are not as expected (and because this is
-                                 * not really needed for clients except for
-                                 * detecting protocol violations): */
-            s->state = SSL_ST_BEFORE | (s->server)
-                ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#else
             s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#endif
             s->renegotiate = 1;
             s->new_session = 1;
         }
@@ -1526,41 +1469,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
             goto err;
     }
 
-    /* DTLS implements explicit IV, so no need for empty fragments */
-#if 0
-    /*
-     * 'create_empty_fragment' is true only when this function calls itself
-     */
-    if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
-        && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
-    {
-        /*
-         * countermeasure against known-IV weakness in CBC ciphersuites (see
-         * http://www.openssl.org/~bodo/tls-cbc.txt)
-         */
-
-        if (s->s3->need_empty_fragments && type == SSL3_RT_APPLICATION_DATA) {
-            /*
-             * recursive function call with 'create_empty_fragment' set; this
-             * prepares and buffers the data for an empty fragment (these
-             * 'prefix_len' bytes are sent out later together with the actual
-             * payload)
-             */
-            prefix_len = s->method->do_ssl_write(s, type, buf, 0, 1);
-            if (prefix_len <= 0)
-                goto err;
-
-            if (s->s3->wbuf.len <
-                (size_t)prefix_len + SSL3_RT_MAX_PACKET_SIZE) {
-                /* insufficient space */
-                SSLerr(SSL_F_DO_DTLS1_WRITE, ERR_R_INTERNAL_ERROR);
-                goto err;
-            }
-        }
-
-        s->s3->empty_fragment_done = 1;
-    }
-#endif
     p = wb->buf + prefix_len;
 
     /* write the header */
@@ -1672,13 +1580,6 @@ int do_dtls1_write(SSL *s, int type, const unsigned char *buf,
     wr->type = type;            /* not needed but helps for debugging */
     wr->length += DTLS1_RT_HEADER_LENGTH;
 
-#if 0                           /* this is now done at the message layer */
-    /* buffer the record, making it easy to handle retransmits */
-    if (type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
-        dtls1_buffer_record(s, wr->data, wr->length,
-                            *((PQ_64BIT *) & (s->s3->write_sequence[0])));
-#endif
-
     ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
 
     if (create_empty_fragment) {
@@ -1766,20 +1667,6 @@ int dtls1_dispatch_alert(SSL *s)
 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
     if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
         s2n(s->d1->handshake_read_seq, ptr);
-# if 0
-        if (s->d1->r_msg_hdr.frag_off == 0)
-            /*
-             * waiting for a new msg
-             */
-            else
-            s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
-# endif
-
-# if 0
-        fprintf(stderr,
-                "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n",
-                s->d1->handshake_read_seq, s->d1->r_msg_hdr.seq);
-# endif
         l2n3(s->d1->r_msg_hdr.frag_off, ptr);
     }
 #endif
@@ -1833,66 +1720,6 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
     return NULL;
 }
 
-#if 0
-static int
-dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
-                             unsigned short *priority, unsigned long *offset)
-{
-
-    /* alerts are passed up immediately */
-    if (rr->type == SSL3_RT_APPLICATION_DATA || rr->type == SSL3_RT_ALERT)
-        return 0;
-
-    /*
-     * Only need to buffer if a handshake is underway. (this implies that
-     * Hello Request and Client Hello are passed up immediately)
-     */
-    if (SSL_in_init(s)) {
-        unsigned char *data = rr->data;
-        /* need to extract the HM/CCS sequence number here */
-        if (rr->type == SSL3_RT_HANDSHAKE ||
-            rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
-            unsigned short seq_num;
-            struct hm_header_st msg_hdr;
-            struct ccs_header_st ccs_hdr;
-
-            if (rr->type == SSL3_RT_HANDSHAKE) {
-                dtls1_get_message_header(data, &msg_hdr);
-                seq_num = msg_hdr.seq;
-                *offset = msg_hdr.frag_off;
-            } else {
-                dtls1_get_ccs_header(data, &ccs_hdr);
-                seq_num = ccs_hdr.seq;
-                *offset = 0;
-            }
-
-            /*
-             * this is either a record we're waiting for, or a retransmit of
-             * something we happened to previously receive (higher layers
-             * will drop the repeat silently
-             */
-            if (seq_num < s->d1->handshake_read_seq)
-                return 0;
-            if (rr->type == SSL3_RT_HANDSHAKE &&
-                seq_num == s->d1->handshake_read_seq &&
-                msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
-                return 0;
-            else if (seq_num == s->d1->handshake_read_seq &&
-                     (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
-                      msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
-                return 0;
-            else {
-                *priority = seq_num;
-                return 1;
-            }
-        } else                  /* unknown record type */
-            return 0;
-    }
-
-    return 0;
-}
-#endif
-
 void dtls1_reset_seq_numbers(SSL *s, int rw)
 {
     unsigned char *seq;
diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
index c7861b8..0d62de6 100644
--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
@@ -129,16 +129,6 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = {
      "SRTP_AES128_CM_SHA1_32",
      SRTP_AES128_CM_SHA1_32,
      },
-# if 0
-    {
-     "SRTP_NULL_SHA1_80",
-     SRTP_NULL_SHA1_80,
-     },
-    {
-     "SRTP_NULL_SHA1_32",
-     SRTP_NULL_SHA1_32,
-     },
-# endif
     {0}
 };
 
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 55d37e7..c5a5924 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -842,11 +842,6 @@ int dtls1_accept(SSL *s)
             /* clean a few things up */
             ssl3_cleanup_key_block(s);
 
-#if 0
-            BUF_MEM_free(s->init_buf);
-            s->init_buf = NULL;
-#endif
-
             /* remove buffering on output */
             ssl_free_wbio_buffer(s);
 
diff --git a/ssl/kssl.c b/ssl/kssl.c
index df8df59..6ec3742 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -962,17 +962,6 @@ void print_krb5_authdata(char *label, krb5_authdata **adata)
         return;
     }
     fprintf(stderr, "%s [%p]\n", label, (void *)adata);
-# if 0
-    {
-        int i;
-        fprintf(stderr, "%s[at%d:%d] ", label, adata->ad_type, adata->length);
-        for (i = 0; i < adata->length; i++) {
-            fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x",
-                    adata->contents[i]);
-        }
-        fprintf(stderr, "\n");
-    }
-# endif
 }
 
 /*
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 05fef3c..e04d3af 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -324,13 +324,6 @@ static int ssl23_client_hello(SSL *s)
 
     buf = (unsigned char *)s->init_buf->data;
     if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
-#if 0
-        /* don't reuse session-id's */
-        if (!ssl_get_new_session(s, 0)) {
-            return (-1);
-        }
-#endif
-
         p = s->s3->client_random;
         if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
             return -1;
diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
index 1c6cf49..6ac6e4e 100644
--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -569,9 +569,6 @@ int ssl23_get_client_hello(SSL *s)
             s->s3->rbuf.left = 0;
             s->s3->rbuf.offset = 0;
         }
-#if 0                           /* ssl3_get_client_hello does this */
-        s->client_version = (v[0] << 8) | v[1];
-#endif
         s->handshake_func = s->method->ssl_accept;
     } else {
         /* bad, very bad */
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 4d7d05b..1e437b2 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -755,14 +755,8 @@ int ssl3_client_hello(SSL *s)
          * client_version in client hello and not resetting it to
          * the negotiated version.
          */
-#if 0
-        *(p++) = s->version >> 8;
-        *(p++) = s->version & 0xff;
-        s->client_version = s->version;
-#else
         *(p++) = s->client_version >> 8;
         *(p++) = s->client_version & 0xff;
-#endif
 
         /* Random stuff */
         memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
@@ -1036,16 +1030,10 @@ int ssl3_get_server_hello(SSL *s)
     if (s->session->cipher)
         s->session->cipher_id = s->session->cipher->id;
     if (s->hit && (s->session->cipher_id != c->id)) {
-/* Workaround is now obsolete */
-#if 0
-        if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG))
-#endif
-        {
-            al = SSL_AD_ILLEGAL_PARAMETER;
-            SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
-                   SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
-            goto f_err;
-        }
+        al = SSL_AD_ILLEGAL_PARAMETER;
+        SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+               SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED);
+        goto f_err;
     }
     s->s3->tmp.new_cipher = c;
     /*
@@ -2091,14 +2079,6 @@ int ssl3_get_certificate_request(SSL *s)
 
     /* get the CA RDNs */
     n2s(p, llen);
-#if 0
-    {
-        FILE *out;
-        out = fopen("/tmp/vsign.der", "w");
-        fwrite(p, 1, llen, out);
-        fclose(out);
-    }
-#endif
 
     if ((unsigned long)(p - d + llen) != n) {
         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 320d4a5..ab19eeb 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1213,41 +1213,6 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl3_ciphers[] = {
 #endif                          /* OPENSSL_NO_CAMELLIA */
 
 #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
-    /* New TLS Export CipherSuites from expired ID */
-# if 0
-    /* Cipher 60 */
-    {
-     1,
-     TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
-     TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_RC4,
-     SSL_MD5,
-     SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     128,
-     },
-
-    /* Cipher 61 */
-    {
-     1,
-     TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-     TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-     SSL_kRSA,
-     SSL_aRSA,
-     SSL_RC2,
-     SSL_MD5,
-     SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
-     SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
-     56,
-     128,
-     },
-# endif
-
     /* Cipher 62 */
     {
      1,
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 5b8fe5c..11b1c55 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -352,9 +352,6 @@ static int ssl3_get_record(SSL *s)
         ssl_minor = *(p++);
         version = (ssl_major << 8) | ssl_minor;
         n2s(p, rr->length);
-#if 0
-        fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
-#endif
 
         /* Lets check version */
         if (!s->first_packet) {
@@ -585,10 +582,6 @@ static int ssl3_get_record(SSL *s)
         }
         goto again;
     }
-#if 0
-    fprintf(stderr, "Ultimate Record type=%d, Length=%d\n", rr->type,
-            rr->length);
-#endif
 
     return (1);
 
@@ -914,60 +907,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
             goto err;
     }
 
-#if 0 && !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
-    if (type == SSL3_RT_APPLICATION_DATA && s->compress == NULL &&
-        !SSL_USE_ETM(s) && SSL_USE_EXPLICIT_IV(s) &&
-        EVP_CIPHER_flags(s->enc_write_ctx->cipher) &
-        EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)
-        do {
-            unsigned char aad[13];
-            EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param =
-                { NULL, aad, sizeof(aad), 0 };
-            int packlen;
-
-            memcpy(aad, s->s3->write_sequence, 8);
-            aad[8] = type;
-            aad[9] = (unsigned char)(s->version >> 8);
-            aad[10] = (unsigned char)(s->version);
-            aad[11] = (unsigned char)(len >> 8);
-            aad[12] = (unsigned char)len;
-            packlen = EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
-                                          EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
-                                          sizeof(mb_param), &mb_param);
-
-            if (packlen == 0 || packlen > wb->len)
-                break;
-
-            mb_param.out = wb->buf;
-            mb_param.inp = buf;
-            mb_param.len = len;
-            EVP_CIPHER_CTX_ctrl(s->enc_write_ctx,
-                                EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
-                                sizeof(mb_param), &mb_param);
-
-            s->s3->write_sequence[7] += mb_param.interleave;
-            if (s->s3->write_sequence[7] < mb_param.interleave) {
-                int j = 6;
-                while (j >= 0 && (++s->s3->write_sequence[j--]) == 0) ;
-            }
-
-            wb->offset = 0;
-            wb->left = packlen;
-
-            /*
-             * memorize arguments so that ssl3_write_pending can detect bad
-             * write retries later
-             */
-            s->s3->wpend_tot = len;
-            s->s3->wpend_buf = buf;
-            s->s3->wpend_type = type;
-            s->s3->wpend_ret = len;
-
-            /* we now just need to write the buffer */
-            return ssl3_write_pending(s, type, buf, len);
-        } while (0);
-#endif
-
     /*
      * 'create_empty_fragment' is true only when this function calls itself
      */
@@ -1604,15 +1543,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
     if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) {
         if (((s->state & SSL_ST_MASK) == SSL_ST_OK) &&
             !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) {
-#if 0                           /* worked only because C operator preferences
-                                 * are not as expected (and because this is
-                                 * not really needed for clients except for
-                                 * detecting protocol violations): */
-            s->state = SSL_ST_BEFORE | (s->server)
-                ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#else
             s->state = s->server ? SSL_ST_ACCEPT : SSL_ST_CONNECT;
-#endif
             s->renegotiate = 1;
             s->new_session = 1;
         }
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index d81e06b..9742599 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -664,10 +664,12 @@ void ssl_sess_cert_free(SESS_CERT *sc)
     for (i = 0; i < SSL_PKEY_NUM; i++) {
         if (sc->peer_pkeys[i].x509 != NULL)
             X509_free(sc->peer_pkeys[i].x509);
-#if 0                           /* We don't have the peer's private key.
-                                 * These lines are just * here as a reminder
-                                 * that we're still using a
-                                 * not-quite-appropriate * data structure. */
+#if 0
+        /*
+         * We don't have the peer's private key. These lines are just
+         * here as a reminder that we're still using a not-quite-appropriate
+         *  data structure.
+         */
         if (sc->peer_pkeys[i].privatekey != NULL)
             EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
 #endif
@@ -717,10 +719,6 @@ int ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
     }
     /* Set suite B flags if needed */
     X509_STORE_CTX_set_flags(&ctx, tls1_suiteb(s));
-#if 0
-    if (SSL_get_verify_depth(s) >= 0)
-        X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
-#endif
     X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
 
     /*
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 2bb1866..ed987c0 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -204,23 +204,10 @@ int SSL_clear(SSL *s)
     s->hit = 0;
     s->shutdown = 0;
 
-#if 0
-    /*
-     * Disabled since version 1.10 of this file (early return not
-     * needed because SSL_clear is not called when doing renegotiation)
-     */
-    /*
-     * This is set if we are doing dynamic renegotiation so keep
-     * the old cipher.  It is sort of a SSL_clear_lite :-)
-     */
-    if (s->renegotiate)
-        return (1);
-#else
     if (s->renegotiate) {
         SSLerr(SSL_F_SSL_CLEAR, ERR_R_INTERNAL_ERROR);
         return 0;
     }
-#endif
 
     s->type = 0;
 
@@ -230,9 +217,6 @@ int SSL_clear(SSL *s)
     s->client_version = s->version;
     s->rwstate = SSL_NOTHING;
     s->rstate = SSL_ST_READ_HEADER;
-#if 0
-    s->read_ahead = s->ctx->read_ahead;
-#endif
 
     if (s->init_buf != NULL) {
         BUF_MEM_free(s->init_buf);
@@ -326,9 +310,6 @@ SSL *SSL_new(SSL_CTX *ctx)
     s->msg_callback_arg = ctx->msg_callback_arg;
     s->verify_mode = ctx->verify_mode;
     s->not_resumable_session_cb = ctx->not_resumable_session_cb;
-#if 0
-    s->verify_depth = ctx->verify_depth;
-#endif
     s->sid_ctx_length = ctx->sid_ctx_length;
     OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
     memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
@@ -339,10 +320,6 @@ SSL *SSL_new(SSL_CTX *ctx)
     if (!s->param)
         goto err;
     X509_VERIFY_PARAM_inherit(s->param, ctx->param);
-#if 0
-    s->purpose = ctx->purpose;
-    s->trust = ctx->trust;
-#endif
     s->quiet_shutdown = ctx->quiet_shutdown;
     s->max_send_fragment = ctx->max_send_fragment;
 
@@ -1915,26 +1892,14 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
 
     ret->references = 1;
     ret->quiet_shutdown = 0;
-
-/*  ret->cipher=NULL;*/
-/*-
-    ret->s2->challenge=NULL;
-    ret->master_key=NULL;
-    ret->s2->conn_id=NULL; */
-
     ret->info_callback = NULL;
-
     ret->app_verify_callback = 0;
     ret->app_verify_arg = NULL;
-
     ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT;
     ret->read_ahead = 0;
     ret->msg_callback = 0;
     ret->msg_callback_arg = NULL;
     ret->verify_mode = SSL_VERIFY_NONE;
-#if 0
-    ret->verify_depth = -1;     /* Don't impose a limit (but x509_lu.c does) */
-#endif
     ret->sid_ctx_length = 0;
     ret->default_verify_callback = NULL;
     if ((ret->cert = ssl_cert_new()) == NULL)
@@ -2097,13 +2062,7 @@ void SSL_CTX_free(SSL_CTX *a)
         sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free);
     if (a->extra_certs != NULL)
         sk_X509_pop_free(a->extra_certs, X509_free);
-#if 0                           /* This should never be done, since it
-                                 * removes a global database */
-    if (a->comp_methods != NULL)
-        sk_SSL_COMP_pop_free(a->comp_methods, SSL_COMP_free);
-#else
     a->comp_methods = NULL;
-#endif
 
 #ifndef OPENSSL_NO_SRTP
     if (a->srtp_profiles)
@@ -2265,15 +2224,6 @@ void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
     if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
         emask_k |= SSL_kRSA;
 
-#if 0
-    /* The match needs to be both kDHE and aRSA or aDSA, so don't worry */
-    if ((dh_tmp || dh_rsa || dh_dsa) && (rsa_enc || rsa_sign || dsa_sign))
-        mask_k |= SSL_kDHE;
-    if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
-        (rsa_enc || rsa_sign || dsa_sign))
-        emask_k |= SSL_kDHE;
-#endif
-
     if (dh_tmp_export)
         emask_k |= SSL_kDHE;
 
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index a432dca..0c49619 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -1302,11 +1302,6 @@ int tls1_alert_code(int code)
         return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
     case SSL_AD_INAPPROPRIATE_FALLBACK:
         return (TLS1_AD_INAPPROPRIATE_FALLBACK);
-#if 0
-        /* not appropriate for TLS, not used for DTLS */
-    case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE:
-        return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-#endif
     default:
         return (-1);
     }
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 22f7047..c91b761 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1923,9 +1923,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
 
         if (data + size > (d + n))
             goto ri_check;
-# if 0
-        fprintf(stderr, "Received extension type %d size %d\n", type, size);
-# endif
         if (s->tlsext_debug_cb)
             s->tlsext_debug_cb(s, 0, type, data, size, s->tlsext_debug_arg);
         if (type == TLSEXT_TYPE_renegotiate) {
@@ -2080,15 +2077,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                 memcpy(s->session->tlsext_ecpointformatlist, sdata,
                        ecpointformatlist_length);
             }
-#  if 0
-            fprintf(stderr,
-                    "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ",
-                    s->session->tlsext_ecpointformatlist_length);
-            sdata = s->session->tlsext_ecpointformatlist;
-            for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
-                fprintf(stderr, "%i ", *(sdata++));
-            fprintf(stderr, "\n");
-#  endif
         } else if (type == TLSEXT_TYPE_elliptic_curves) {
             unsigned char *sdata = data;
             int ellipticcurvelist_length = (*(sdata++) << 8);
@@ -2117,15 +2105,6 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
                 memcpy(s->session->tlsext_ellipticcurvelist, sdata,
                        ellipticcurvelist_length);
             }
-#  if 0
-            fprintf(stderr,
-                    "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ",
-                    s->session->tlsext_ellipticcurvelist_length);
-            sdata = s->session->tlsext_ellipticcurvelist;
-            for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
-                fprintf(stderr, "%i ", *(sdata++));
-            fprintf(stderr, "\n");
-#  endif
         }
 # endif                         /* OPENSSL_NO_EC */
         else if (type == TLSEXT_TYPE_session_ticket) {
@@ -2462,14 +2441,6 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
                 memcpy(s->session->tlsext_ecpointformatlist, sdata,
                        ecpointformatlist_length);
             }
-#  if 0
-            fprintf(stderr,
-                    "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
-            sdata = s->session->tlsext_ecpointformatlist;
-            for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
-                fprintf(stderr, "%i ", *(sdata++));
-            fprintf(stderr, "\n");
-#  endif
         }
 # endif                         /* OPENSSL_NO_EC */
 
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 4161750..77f2a9f 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -1214,14 +1214,6 @@ void SSL_trace(int write_p, int version, int content_type,
                            (msg[3] << 8 | msg[4]),
                            (msg[5] << 8 | msg[6]),
                            (msg[7] << 8 | msg[8]), (msg[9] << 8 | msg[10]));
-# if 0
-                /*
-                 * Just print handshake type so we can see what is going on
-                 * during fragmentation.
-                 */
-                BIO_printf(bio, "(%s)\n",
-                           ssl_trace_str(msg[msglen], ssl_handshake_tbl));
-# endif
             }
 
             BIO_printf(bio, "  Content Type = %s (%d)\n  Length = %d",


More information about the openssl-commits mailing list