diff options
| author | Rich Salz <rsalz@akamai.com> | 2016-02-18 11:33:21 -0500 |
|---|---|---|
| committer | Rich Salz <rsalz@openssl.org> | 2016-02-18 17:14:50 -0500 |
| commit | d63a5e5e7d96f173e2bbf711e3f1f813bf0df05e (patch) | |
| tree | 6e7edc889b0c944a4f43c467b9733cc838b046e4 | |
| parent | 1bd8bc558d7c0b41286d276e62088d7186bd5c34 (diff) | |
| download | openssl-d63a5e5e7d96f173e2bbf711e3f1f813bf0df05e.tar.gz | |
Remove outdated DEBUG flags.
Add -DBIO_DEBUG to --strict-warnings.
Remove comments about outdated debugging ifdef guards.
Remove md_rand ifdef guarding an assert; it doesn't seem used.
Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
For pkcs12 stuff put OPENSSL_ in front of the macro name.
Merge TLS_DEBUG into SSL_DEBUG.
Various things just turned on/off asserts, mainly for checking non-NULL
arguments, which is now removed: camellia, bn_ctx, crypto/modes.
Remove some old debug code, that basically just printed things to stderr:
DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
42 files changed, 30 insertions, 469 deletions
@@ -76,7 +76,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx # Minimum warning options... any contributions to OpenSSL should at least get # past these. -my $gcc_devteam_warn = "-DPEDANTIC -DREF_DEBUG -DDEBUG_UNUSED" +my $gcc_devteam_warn = "-DPEDANTIC -DREF_DEBUG -DDEBUG_UNUSED -DBIO_DEBUG" . " -pedantic" . " -Wall" . " -Wno-long-long" diff --git a/apps/apps.c b/apps/apps.c index 1ba86050e6..d4a4d23269 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1462,9 +1462,6 @@ int save_serial(char *serialfile, char *suffix, BIGNUM *serial, j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix); #endif } -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); -#endif out = BIO_new_file(buf[0], "w"); if (out == NULL) { ERR_print_errors(bio_err); @@ -1503,18 +1500,11 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) } #ifndef OPENSSL_SYS_VMS j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix); -#else - j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix); -#endif -#ifndef OPENSSL_SYS_VMS j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix); #else + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix); j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix); #endif -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", - serialfile, buf[1]); -#endif if (rename(serialfile, buf[1]) < 0 && errno != ENOENT #ifdef ENOTDIR && errno != ENOTDIR @@ -1525,10 +1515,6 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix) perror("reason"); goto err; } -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", - buf[0], serialfile); -#endif if (rename(buf[0], serialfile) < 0) { BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], serialfile); @@ -1604,10 +1590,6 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr) if (dbattr_conf) { char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject"); if (p) { -#ifdef RL_DEBUG - BIO_printf(bio_err, - "DEBUG[load_index]: unique_subject = \"%s\"\n", p); -#endif retdb->attributes.unique_subject = parse_yesno(p, 1); } } @@ -1654,22 +1636,13 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db) } #ifndef OPENSSL_SYS_VMS j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile); -#else - j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile); -#endif -#ifndef OPENSSL_SYS_VMS j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix); -#else - j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix); -#endif -#ifndef OPENSSL_SYS_VMS j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix); #else + j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile); + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix); j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix); #endif -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]); -#endif out = BIO_new_file(buf[0], "w"); if (out == NULL) { perror(dbfile); @@ -1682,9 +1655,6 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db) goto err; out = BIO_new_file(buf[1], "w"); -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]); -#endif if (out == NULL) { perror(buf[2]); BIO_printf(bio_err, "unable to open '%s'\n", buf[2]); @@ -1715,31 +1685,16 @@ int rotate_index(const char *dbfile, const char *new_suffix, } #ifndef OPENSSL_SYS_VMS j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile); -#else - j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile); -#endif -#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix); j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix); -#else - j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix); -#endif -#ifndef OPENSSL_SYS_VMS - j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix); -#else - j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix); -#endif -#ifndef OPENSSL_SYS_VMS j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix); + j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix); #else - j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix); -#endif -#ifndef OPENSSL_SYS_VMS - j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix); -#else + j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile); j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix); -#endif -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", dbfile, buf[1]); + j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix); + j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix); + j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix); #endif if (rename(dbfile, buf[1]) < 0 && errno != ENOENT #ifdef ENOTDIR @@ -1750,18 +1705,12 @@ int rotate_index(const char *dbfile, const char *new_suffix, perror("reason"); goto err; } -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0], dbfile); -#endif if (rename(buf[0], dbfile) < 0) { BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile); perror("reason"); rename(buf[1], dbfile); goto err; } -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[4], buf[3]); -#endif if (rename(buf[4], buf[3]) < 0 && errno != ENOENT #ifdef ENOTDIR && errno != ENOTDIR @@ -1773,9 +1722,6 @@ int rotate_index(const char *dbfile, const char *new_suffix, rename(buf[1], dbfile); goto err; } -#ifdef RL_DEBUG - BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[2], buf[4]); -#endif if (rename(buf[2], buf[4]) < 0) { BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]); perror("reason"); diff --git a/apps/x509.c b/apps/x509.c index 831d59db44..2b9cb25a8e 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -89,10 +89,6 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, char *section, ASN1_INTEGER *sno, int reqfile); static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL -static int force_version = 2; -#endif - typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM, @@ -108,7 +104,6 @@ typedef enum OPTION_choice { OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID, OPT_SUBJECT_HASH_OLD, OPT_ISSUER_HASH_OLD, - OPT_FORCE_VERSION, OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT } OPTION_CHOICE; @@ -189,9 +184,6 @@ OPTIONS x509_options[] = { {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', "Print old-style (MD5) subject hash value"}, #endif -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - {"force_version", OPT_FORCE_VERSION, 'p'}, -#endif #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif @@ -288,11 +280,6 @@ int x509_main(int argc, char **argv) if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) goto opthelp; break; - case OPT_FORCE_VERSION: -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - force_version = atoi(opt_arg()) - 1; -#endif - break; case OPT_DAYS: days = atoi(opt_arg()); break; @@ -1046,11 +1033,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest, if (conf) { X509V3_CTX ctx2; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - X509_set_version(x, force_version); -#else X509_set_version(x, 2); /* version 3 certificate */ -#endif X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); X509V3_set_nconf(&ctx2, conf); if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) @@ -1123,11 +1106,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, } if (conf) { X509V3_CTX ctx; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - X509_set_version(x, force_version); -#else X509_set_version(x, 2); /* version 3 certificate */ -#endif X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); X509V3_set_nconf(&ctx, conf); if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 88f5ac814f..700234be6f 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -53,14 +53,6 @@ * */ -#if !defined(BN_CTX_DEBUG) && !defined(BN_DEBUG) -# ifndef NDEBUG -# define NDEBUG -# endif -#endif - -#include <assert.h> - #include "internal/cryptlib.h" #include "bn_lcl.h" diff --git a/crypto/camellia/cmll_ecb.c b/crypto/camellia/cmll_ecb.c index d8dfb2bfc5..4edaa6d7a9 100644 --- a/crypto/camellia/cmll_ecb.c +++ b/crypto/camellia/cmll_ecb.c @@ -48,23 +48,12 @@ * */ -#ifndef CAMELLIA_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif -#include <assert.h> - #include <openssl/camellia.h> #include "cmll_locl.h" void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out, const CAMELLIA_KEY *key, const int enc) { - - assert(in && out && key); - assert((CAMELLIA_ENCRYPT == enc) || (CAMELLIA_DECRYPT == enc)); - if (CAMELLIA_ENCRYPT == enc) Camellia_encrypt(in, out, key); else diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c index baad9c66ee..c78bbcfde8 100644 --- a/crypto/comp/c_zlib.c +++ b/crypto/comp/c_zlib.c @@ -224,11 +224,6 @@ static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out, err = deflate(&state->ostream, Z_SYNC_FLUSH); if (err != Z_OK) return -1; -# ifdef DEBUG_ZLIB - fprintf(stderr, "compress(%4d)->%4d %s\n", - ilen, olen - state->ostream.avail_out, - (ilen != olen - state->ostream.avail_out) ? "zlib" : "clear"); -# endif return olen - state->ostream.avail_out; } @@ -250,11 +245,6 @@ static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out, err = inflate(&state->istream, Z_SYNC_FLUSH); if (err != Z_OK) return -1; -# ifdef DEBUG_ZLIB - fprintf(stderr, "expand(%4d)->%4d %s\n", - ilen, olen - state->istream.avail_out, - (ilen != olen - state->istream.avail_out) ? "zlib" : "clear"); -# endif return olen - state->istream.avail_out; } diff --git a/crypto/conf/conf_api.c b/crypto/conf/conf_api.c index 78e932e3d7..5365c97e78 100644 --- a/crypto/conf/conf_api.c +++ b/crypto/conf/conf_api.c @@ -57,12 +57,6 @@ /* Part of the code in here was originally in conf.c, which is now removed */ -#ifndef CONF_DEBUG -# undef NDEBUG /* avoid conflicting definitions */ -# define NDEBUG -#endif - -#include <assert.h> #include <stdlib.h> #include <string.h> #include <openssl/conf.h> diff --git a/crypto/engine/tb_cipher.c b/crypto/engine/tb_cipher.c index fcfb2efd8f..7df01caf12 100644 --- a/crypto/engine/tb_cipher.c +++ b/crypto/engine/tb_cipher.c @@ -54,13 +54,6 @@ #include "eng_int.h" -/* - * If this symbol is defined then ENGINE_get_cipher_engine(), the function - * that is used by EVP to hook in cipher code and cache defaults (etc), will - * display brief debugging summaries to stderr with the 'nid'. - */ -/* #define ENGINE_CIPHER_DEBUG */ - static ENGINE_TABLE *cipher_table = NULL; void ENGINE_unregister_ciphers(ENGINE *e) diff --git a/crypto/engine/tb_dh.c b/crypto/engine/tb_dh.c index 8114afa63a..4f68975ba5 100644 --- a/crypto/engine/tb_dh.c +++ b/crypto/engine/tb_dh.c @@ -54,13 +54,6 @@ #include "eng_int.h" -/* - * If this symbol is defined then ENGINE_get_default_DH(), the function that - * is used by DH to hook in implementation code and cache defaults (etc), - * will display brief debugging summaries to stderr with the 'nid'. - */ -/* #define ENGINE_DH_DEBUG */ - static ENGINE_TABLE *dh_table = NULL; static const int dummy_nid = 1; diff --git a/crypto/engine/tb_digest.c b/crypto/engine/tb_digest.c index de1ad9c01b..03096b30fa 100644 --- a/crypto/engine/tb_digest.c +++ b/crypto/engine/tb_digest.c @@ -54,13 +54,6 @@ #include "eng_int.h" -/* - * If this symbol is defined then ENGINE_get_digest_engine(), the function - * that is used by EVP to hook in digest code and cache defaults (etc), will - * display brief debugging summaries to stderr with the 'nid'. - */ -/* #define ENGINE_DIGEST_DEBUG */ - static ENGINE_TABLE *digest_table = NULL; void ENGINE_unregister_digests(ENGINE *e) diff --git a/crypto/engine/tb_dsa.c b/crypto/engine/tb_dsa.c index c1f57f146c..adfb11fe37 100644 --- a/crypto/engine/tb_dsa.c +++ b/crypto/engine/tb_dsa.c @@ -54,13 +54,6 @@ #include "eng_int.h" -/* - * If this symbol is defined then ENGINE_get_default_DSA(), the function that - * is used by DSA to hook in implementation code and cache defaults (etc), - * will display brief debugging summaries to stderr with the 'nid'. - */ -/* #define ENGINE_DSA_DEBUG */ - static ENGINE_TABLE *dsa_table = NULL; static const int dummy_nid = 1; diff --git a/crypto/engine/tb_eckey.c b/crypto/engine/tb_eckey.c index dbb41396c9..7c05c01d10 100644 --- a/crypto/engine/tb_eckey.c +++ b/crypto/engine/tb_eckey.c @@ -54,13 +54,6 @@ #include "eng_int.h" -/* - * If this symbol is defined then ENGINE_get_default_EC_KEY(), the function that - * is used by EC_KEY to hook in implementation code and cache defaults (etc), - * will display brief debugging summaries to stderr with the 'nid'. - */ -/* #define ENGINE_EC_KEY_DEBUG */ - static ENGINE_TABLE *dh_table = NULL; static const int dummy_nid = 1; diff --git a/crypto/engine/tb_pkmeth.c b/crypto/engine/tb_pkmeth.c index 29e65be1ad..947e139e2f 100644 --- a/crypto/engine/tb_pkmeth.c +++ b/crypto/engine/tb_pkmeth.c @@ -55,13 +55,6 @@ #include "eng_int.h" #include <openssl/evp.h> -/* - * If this symbol is defined then ENGINE_get_pkey_meth_engine(), the function - * that is used by EVP to hook in pkey_meth code and cache defaults (etc), - * will display brief debugging summaries to stderr with the 'nid'. - */ -/* #define ENGINE_PKEY_METH_DEBUG */ - static ENGINE_TABLE *pkey_meth_table = NULL; void ENGINE_unregister_pkey_meths(ENGINE *e) diff --git a/crypto/engine/tb_rand.c b/crypto/engine/tb_rand.c index a522264d04..b67cff54f5 100644 --- a/crypto/engine/tb_rand.c +++ b/crypto/engine/tb_rand.c @@ -54,13 +54,6 @@ #include "eng_int.h" -/* - * If this symbol is defined then ENGINE_get_default_RAND(), the function - * that is used by RAND to hook in implementation code and cache defaults - * (etc), will display brief debugging summaries to stderr with the 'nid'. - */ -/* #define ENGINE_RAND_DEBUG */ - static ENGINE_TABLE *rand_table = NULL; static const int dummy_nid = 1; diff --git a/crypto/engine/tb_rsa.c b/crypto/engine/tb_rsa.c index 2790a82192..4405d678f3 100644 --- a/crypto/engine/tb_rsa.c +++ b/crypto/engine/tb_rsa.c @@ -54,13 +54,6 @@ #include "eng_int.h" -/* - * If this symbol is defined then ENGINE_get_default_RSA(), the function that - * is used by RSA to hook in implementation code and cache defaults (etc), - * will display brief debugging summaries to stderr with the 'nid'. - */ -/* #define ENGINE_RSA_DEBUG */ - static ENGINE_TABLE *rsa_table = NULL; static const int dummy_nid = 1; diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index b9ff5de07a..76dcf02ad1 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c @@ -64,9 +64,9 @@ # include "evp_locl.h" /* set this to print out info about the keygen algorithm */ -/* #define DEBUG_PKCS5V2 */ +/* #define OPENSSL_DEBUG_PKCS5V2 */ -# ifdef DEBUG_PKCS5V2 +# ifdef OPENSSL_DEBUG_PKCS5V2 static void h__dump(const unsigned char *p, int len); # endif @@ -157,7 +157,7 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, } HMAC_CTX_free(hctx); HMAC_CTX_free(hctx_tpl); -# ifdef DEBUG_PKCS5V2 +# ifdef OPENSSL_DEBUG_PKCS5V2 fprintf(stderr, "Password:\n"); h__dump(pass, passlen); fprintf(stderr, "Salt:\n"); @@ -315,7 +315,7 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, return rv; } -# ifdef DEBUG_PKCS5V2 +# ifdef OPENSSL_DEBUG_PKCS5V2 static void h__dump(const unsigned char *p, int len) { for (; len--; p++) diff --git a/crypto/evp/scrypt.c b/crypto/evp/scrypt.c index 20e5dd4854..f9b368b365 100644 --- a/crypto/evp/scrypt.c +++ b/crypto/evp/scrypt.c @@ -290,16 +290,6 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen, keylen, key) == 0) goto err; rv = 1; -#ifdef SCRYPT_DEBUG - fprintf(stderr, "scrypt parameters:\n"); - fprintf(stderr, "N=%lu, p=%lu, r=%lu\n", N, p, r); - fprintf(stderr, "Salt:\n"); - BIO_dump_fp(stderr, (char *)salt, saltlen); - fprintf(stderr, "Password:\n"); - BIO_dump_fp(stderr, (char *)pass, passlen); - fprintf(stderr, "Key:\n"); - BIO_dump_fp(stderr, (char *)key, keylen); -#endif err: OPENSSL_clear_free(B, allocsize); return rv; diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c index c13caea535..bf2210c39e 100644 --- a/crypto/modes/cbc128.c +++ b/crypto/modes/cbc128.c @@ -52,13 +52,6 @@ #include "modes_lcl.h" #include <string.h> -#ifndef MODES_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif -#include <assert.h> - #if !defined(STRICT_ALIGNMENT) && !defined(PEDANTIC) # define STRICT_ALIGNMENT 0 #endif @@ -70,8 +63,6 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out, size_t n; const unsigned char *iv = ivec; - assert(in && out && key && ivec); - #if !defined(OPENSSL_SMALL_FOOTPRINT) if (STRICT_ALIGNMENT && ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) { @@ -123,8 +114,6 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out, unsigned char c[16]; } tmp; - assert(in && out && key && ivec); - #if !defined(OPENSSL_SMALL_FOOTPRINT) if (in != out) { const unsigned char *iv = ivec; diff --git a/crypto/modes/ccm128.c b/crypto/modes/ccm128.c index c1ded0f914..ef99eb15d5 100644 --- a/crypto/modes/ccm128.c +++ b/crypto/modes/ccm128.c @@ -51,13 +51,6 @@ #include "modes_lcl.h" #include <string.h> -#ifndef MODES_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif -#include <assert.h> - /* * First you setup M and L parameters and pass the key schedule. This is * called once per session setup... diff --git a/crypto/modes/cfb128.c b/crypto/modes/cfb128.c index c4395bcab5..8d3af57b77 100644 --- a/crypto/modes/cfb128.c +++ b/crypto/modes/cfb128.c @@ -52,13 +52,6 @@ #include "modes_lcl.h" #include <string.h> -#ifndef MODES_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif -#include <assert.h> - /* * The input and output encrypted as though 128bit cfb mode is being used. * The extra state information to record how much of the 128bit block we have @@ -72,8 +65,6 @@ void CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out, unsigned int n; size_t l = 0; - assert(in && out && key && ivec && num); - n = *num; if (enc) { @@ -228,9 +219,6 @@ void CRYPTO_cfb128_1_encrypt(const unsigned char *in, unsigned char *out, size_t n; unsigned char c[1], d[1]; - assert(in && out && key && ivec && num); - assert(*num == 0); - for (n = 0; n < bits; ++n) { c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0; cfbr_encrypt_block(c, d, 1, key, ivec, enc, block); @@ -246,9 +234,6 @@ void CRYPTO_cfb128_8_encrypt(const unsigned char *in, unsigned char *out, { size_t n; - assert(in && out && key && ivec && num); - assert(*num == 0); - for (n = 0; n < length; ++n) cfbr_encrypt_block(&in[n], &out[n], 8, key, ivec, enc, block); } diff --git a/crypto/modes/ctr128.c b/crypto/modes/ctr128.c index 4397494efb..5bdbbcf764 100644 --- a/crypto/modes/ctr128.c +++ b/crypto/modes/ctr128.c @@ -52,13 +52,6 @@ #include "modes_lcl.h" #include <string.h> -#ifndef MODES_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif -#include <assert.h> - /* * NOTE: the IV/counter CTR mode is big-endian. The code itself is * endian-neutral. @@ -125,9 +118,6 @@ void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out, unsigned int n; size_t l = 0; - assert(in && out && key && ecount_buf && num); - assert(*num < 16); - n = *num; #if !defined(OPENSSL_SMALL_FOOTPRINT) @@ -203,9 +193,6 @@ void CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out, { unsigned int n, ctr32; - assert(in && out && key && ecount_buf && num); - assert(*num < 16); - n = *num; while (n && len) { diff --git a/crypto/modes/cts128.c b/crypto/modes/cts128.c index 137be595a1..ed233d5d79 100644 --- a/crypto/modes/cts128.c +++ b/crypto/modes/cts128.c @@ -9,13 +9,6 @@ #include "modes_lcl.h" #include <string.h> -#ifndef MODES_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif -#include <assert.h> - /* * Trouble with Ciphertext Stealing, CTS, mode is that there is no * common official specification, but couple of cipher/application @@ -36,8 +29,6 @@ size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, { size_t residue, n; - assert(in && out && key && ivec); - if (len <= 16) return 0; @@ -68,8 +59,6 @@ size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in, { size_t residue, n; - assert(in && out && key && ivec); - if (len < 16) return 0; @@ -103,8 +92,6 @@ size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out, unsigned char c[16]; } tmp; - assert(in && out && key && ivec); - if (len <= 16) return 0; @@ -141,8 +128,6 @@ size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out, unsigned char c[16]; } tmp; - assert(in && out && key && ivec); - if (len < 16) return 0; @@ -179,8 +164,6 @@ size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char c[32]; } tmp; - assert(in && out && key && ivec); - if (len <= 16) return 0; @@ -224,8 +207,6 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char c[32]; } tmp; - assert(in && out && key && ivec); - if (len < 16) return 0; @@ -272,8 +253,6 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out, unsigned char c[32]; } tmp; - assert(in && out && key && ivec); - if (len <= 16) return 0; @@ -314,8 +293,6 @@ size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out, unsigned char c[32]; } tmp; - assert(in && out && key && ivec); - if (len < 16) return 0; diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c index 0615224dd0..8a8b110268 100644 --- a/crypto/modes/gcm128.c +++ b/crypto/modes/gcm128.c @@ -51,13 +51,6 @@ #include "modes_lcl.h" #include <string.h> -#ifndef MODES_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif -#include <assert.h> - #if defined(BSWAP4) && defined(STRICT_ALIGNMENT) /* redefine, because alignment is ensured */ # undef GETU32 diff --git a/crypto/modes/ofb128.c b/crypto/modes/ofb128.c index 4dbaccd7a6..0870f08aed 100644 --- a/crypto/modes/ofb128.c +++ b/crypto/modes/ofb128.c @@ -52,13 +52,6 @@ #include "modes_lcl.h" #include <string.h> -#ifndef MODES_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif -#include <assert.h> - /* * The input and output encrypted as though 128bit ofb mode is being used. * The extra state information to record how much of the 128bit block we have @@ -71,8 +64,6 @@ void CRYPTO_ofb128_encrypt(const unsigned char *in, unsigned char *out, unsigned int n; size_t l = 0; - assert(in && out && key && ivec && num); - n = *num; #if !defined(OPENSSL_SMALL_FOOTPRINT) diff --git a/crypto/modes/xts128.c b/crypto/modes/xts128.c index 8f2af588b2..55fa654478 100644 --- a/crypto/modes/xts128.c +++ b/crypto/modes/xts128.c @@ -51,13 +51,6 @@ #include "modes_lcl.h" #include <string.h> -#ifndef MODES_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif -#include <assert.h> - int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16], const unsigned char *inp, unsigned char *out, diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index 953d938742..2a89a4894e 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -62,7 +62,7 @@ /* Define this to dump decrypted output to files called DERnnn */ /* - * #define DEBUG_DECRYPT + * #define OPENSSL_DEBUG_DECRYPT */ /* @@ -144,7 +144,7 @@ void *PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, return NULL; } p = out; -#ifdef DEBUG_DECRYPT +#ifdef OPENSSL_DEBUG_DECRYPT { FILE *op; diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c index 4256452cd2..6a9a3254b1 100644 --- a/crypto/pkcs12/p12_key.c +++ b/crypto/pkcs12/p12_key.c @@ -63,9 +63,9 @@ /* Uncomment out this line to get debugging info about key generation */ /* - * #define DEBUG_KEYGEN + * #define OPENSSL_DEBUG_KEYGEN */ -#ifdef DEBUG_KEYGEN +#ifdef OPENSSL_DEBUG_KEYGEN # include <openssl/bio.h> extern BIO *bio_err; void h__dump(unsigned char *p, int len); @@ -109,7 +109,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int ret = 0; BIGNUM *Ij = NULL, *Bpl1 = NULL; /* These hold Ij and B + 1 */ EVP_MD_CTX *ctx = NULL; -#ifdef DEBUG_KEYGEN +#ifdef OPENSSL_DEBUG_KEYGEN unsigned char *tmpout = out; int tmpn = n; #endif @@ -118,7 +118,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, if (ctx == NULL) goto err; -#ifdef DEBUG_KEYGEN +#ifdef OPENSSL_DEBUG_KEYGEN fprintf(stderr, "KEYGEN DEBUG\n"); fprintf(stderr, "ID %d, ITER %d\n", id, iter); fprintf(stderr, "Password (length %d):\n", passlen); @@ -166,7 +166,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, } memcpy(out, Ai, min(n, u)); if (u >= n) { -#ifdef DEBUG_KEYGEN +#ifdef OPENSSL_DEBUG_KEYGEN fprintf(stderr, "Output KEY (length %d)\n", tmpn); h__dump(tmpout, tmpn); #endif @@ -221,7 +221,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, return ret; } -#ifdef DEBUG_KEYGEN +#ifdef OPENSSL_DEBUG_KEYGEN void h__dump(unsigned char *p, int len) { for (; len--; p++) diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index c7be2783da..fa36918760 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -108,13 +108,6 @@ * */ -#ifdef MD_RAND_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif - -#include <assert.h> #include <stdio.h> #include <string.h> @@ -350,9 +343,6 @@ static int rand_add(const void *buf, int num, double add) if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); -#if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32) - assert(md_c[1] == md_count[1]); -#endif rv = 1; err: EVP_MD_CTX_free(m); diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 7c9c528ff4..61f91b9856 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -235,11 +235,6 @@ int int_rsa_verify(int dtype, const unsigned char *m, sigtype = OBJ_obj2nid(sig->algor->algorithm); -#ifdef RSA_DEBUG - /* put a backward compatibility flag in EAY */ - fprintf(stderr, "in(%s) expect(%s)\n", OBJ_nid2ln(sigtype), - OBJ_nid2ln(dtype)); -#endif if (sigtype != dtype) { RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH); goto err; diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod index b3c9df9cde..4f83f59967 100644 --- a/doc/ssl/SSL_CONF_cmd.pod +++ b/doc/ssl/SSL_CONF_cmd.pod @@ -174,13 +174,6 @@ Set by default. enables strict mode protocol handling. Equivalent to setting B<SSL_CERT_FLAG_TLS_STRICT>. -=item B<-debug_broken_protocol> - -disables various checks and permits several kinds of broken protocol behaviour -for testing purposes: it should B<NEVER> be used in anything other than a test -environment. Only supported if OpenSSL is configured with -B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>. - =back =head1 SUPPORTED CONFIGURATION FILE COMMANDS diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index d7e821d49e..5eb152eeb5 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -394,7 +394,7 @@ int ssl3_get_record(SSL *s) SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); goto f_err; } -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("dec %d\n", rr->length); { unsigned int z; @@ -973,7 +973,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) EVP_MD_CTX_free(hmac); -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG fprintf(stderr, "seq="); { int z; @@ -997,7 +997,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) break; } } -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG { unsigned int z; for (z = 0; z < md_size; z++) @@ -1267,7 +1267,7 @@ int dtls1_process_record(SSL *s) RECORD_LAYER_reset_packet_length(&s->rlayer); goto err; } -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("dec %d\n", rr->length); { unsigned int z; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 8f6eda2c71..967840f19e 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1627,23 +1627,6 @@ static const SSL_CIPHER ssl3_ciphers[] = { }, #endif -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* Cipher FF */ - { - 1, - "SCSV", - SSL3_CK_SCSV, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0}, -#endif - #ifndef OPENSSL_NO_EC /* Cipher C006 */ @@ -3743,10 +3726,6 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) id = 0x03000000 | ((uint32_t)p[0] << 8L) | (uint32_t)p[1]; c.id = id; cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); -#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES - if (cp == NULL) - fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]); -#endif return cp; } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 984918538d..f78984cff9 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -941,10 +941,6 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); #endif -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - if (cipher_id && cipher_id != cp->id) - continue; -#endif if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) continue; if (alg_auth && !(alg_auth & cp->algorithm_auth)) diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 809ce7a872..157bf8ba0d 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c @@ -588,9 +588,6 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("strict", 0), -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - SSL_CONF_CMD_SWITCH("debug_broken_protocol", 0), -#endif SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), SSL_CONF_CMD_STRING(Curves, "curves", 0), @@ -652,9 +649,6 @@ static const ssl_switch_tbl ssl_cmd_switches[] = { /* no_legacy_server_connect */ {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - {SSL_CERT_FLAG_BROKEN_PROTOCOL, SSL_TFLAG_CERT} /* debug_broken_protocol */ -#endif }; static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index c10ab8656d..fecd39200e 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2648,15 +2648,6 @@ CERT_PKEY *ssl_get_server_send_pkey(SSL *s) return NULL; ssl_set_masks(s, s->s3->tmp.new_cipher); -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* - * Broken protocol test: return last used certificate: which may mismatch - * the one expected. - */ - if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) - return c->key; -#endif - i = ssl_get_server_cert_index(s); /* This may or may not be an error. */ @@ -2677,16 +2668,6 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, alg_a = cipher->algorithm_auth; c = s->cert; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* - * Broken protocol test: use last key: which may mismatch the one - * expected. - */ - if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) - idx = c->key - c->pkeys; - else -#endif - if ((alg_a & SSL_aDSS) && (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) idx = SSL_PKEY_DSA_SIGN; diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 4946cfa64a..30c868f655 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1593,35 +1593,6 @@ struct tls_sigalgs_st { unsigned char rhash; }; -/* - * #define MAC_DEBUG - */ - -/* - * #define ERR_DEBUG - */ -/* - * #define ABORT_DEBUG - */ -/* - * #define PKT_DEBUG 1 - */ -/* - * #define DES_DEBUG - */ -/* - * #define DES_OFB_DEBUG - */ -/* - * #define SSL_DEBUG - */ -/* - * #define RSA_DEBUG - */ -/* - * #define IDEA_DEBUG - */ - # define FP_ICC (int (*)(const void *,const void *)) /* diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 302618784c..31b18caa7b 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2870,14 +2870,6 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, /* Skip disabled ciphers */ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED)) continue; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - if (c->id == SSL3_CK_SCSV) { - if (!empty_reneg_info_scsv) - continue; - else - empty_reneg_info_scsv = 0; - } -#endif j = s->method->put_cipher_by_char(c, p); p += j; } @@ -2892,10 +2884,6 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, }; j = s->method->put_cipher_by_char(&scsv, p); p += j; -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); -#endif } if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { static SSL_CIPHER scsv = { diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index e4c018a9db..6b372232e1 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3222,9 +3222,6 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, goto err; } s->s3->send_connection_binding = 1; -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "SCSV received by server\n"); -#endif continue; } diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 804803aadc..995ae404f5 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -364,7 +364,7 @@ int tls1_change_cipher_state(SSL *s, int which) } EVP_PKEY_free(mac_key); } -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("which = %04X\nmac key=", which); { int z; @@ -426,7 +426,7 @@ int tls1_change_cipher_state(SSL *s, int which) } #endif -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("which = %04X\nkey=", which); { int z; @@ -495,7 +495,7 @@ int tls1_setup_key_block(SSL *s) s->s3->tmp.key_block_length = num; s->s3->tmp.key_block = p; -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("client random\n"); { int z; @@ -520,7 +520,7 @@ int tls1_setup_key_block(SSL *s) #endif if (!tls1_generate_key_block(s, p, num)) goto err; -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("\nkey block\n"); { int z; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 586048acd4..7a2047dcca 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -788,11 +788,6 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) */ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) { -# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* Allow any curve: not just those peer supports */ - if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) - return 1; -# endif /* * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other * curves permitted. @@ -3451,30 +3446,6 @@ int tls1_process_sigalgs(SSL *s) if (!tls1_set_shared_sigalgs(s)) return 0; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) { - /* - * Use first set signature preference to force message digest, - * ignoring any peer preferences. - */ - const unsigned char *sigs = NULL; - if (s->server) - sigs = c->conf_sigalgs; - else - sigs = c->client_sigalgs; - if (sigs) { - idx = tls12_get_pkey_idx(sigs[1]); - md = tls12_get_hash(sigs[0]); - pmd[idx] = md; - pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN; - if (idx == SSL_PKEY_RSA_SIGN) { - pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN; - pmd[SSL_PKEY_RSA_ENC] = md; - } - } - } -#endif - for (i = 0, sigptr = c->shared_sigalgs; i < c->shared_sigalgslen; i++, sigptr++) { idx = tls12_get_pkey_idx(sigptr->rsign); @@ -3748,15 +3719,6 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, /* If no cert or key, forget it */ if (!x || !pk) goto end; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* Allow any certificate to pass test */ - if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) { - rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN | - CERT_PKEY_VALID | CERT_PKEY_SIGN; - *pvalid = rv; - return rv; - } -#endif } else { if (!x || !pk) return 0; diff --git a/ssl/t1_reneg.c b/ssl/t1_reneg.c index 0c090a282d..5c0d82537e 100644 --- a/ssl/t1_reneg.c +++ b/ssl/t1_reneg.c @@ -128,10 +128,6 @@ int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, memcpy(p, s->s3->previous_client_finished, s->s3->previous_client_finished_len); -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension sent by client\n", - s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); -#endif } *len = s->s3->previous_client_finished_len + 1; @@ -171,10 +167,6 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al) *al = SSL_AD_HANDSHAKE_FAILURE; return 0; } -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension received by server\n", - ilen ? "Non-empty" : "Empty"); -#endif s->s3->send_connection_binding = 1; @@ -204,10 +196,6 @@ int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, memcpy(p, s->s3->previous_server_finished, s->s3->previous_server_finished_len); -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension sent by server\n", - s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); -#endif } *len = s->s3->previous_client_finished_len @@ -271,10 +259,6 @@ int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al) *al = SSL_AD_ILLEGAL_PARAMETER; return 0; } -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension received by client\n", - ilen ? "Non-empty" : "Empty"); -#endif s->s3->send_connection_binding = 1; return 1; diff --git a/util/mkdef.pl b/util/mkdef.pl index 4ada9ad528..a2fedc541a 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -174,7 +174,6 @@ foreach (@ARGV, split(/ /, $config{options})) $do_ctest=1 if $_ eq "ctest"; $do_ctestall=1 if $_ eq "ctestall"; $do_checkexist=1 if $_ eq "exist"; - #$safe_stack_def=1 if $_ eq "-DDEBUG_SAFESTACK"; if (/^--api=(\d+)\.(\d+)\.(\d+)$/) { my $apiv = sprintf "%x%02x%02x", $1, $2, $3; foreach (keys %disabled_algorithms) { |