From d63a5e5e7d96f173e2bbf711e3f1f813bf0df05e Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Thu, 18 Feb 2016 11:33:21 -0500 Subject: Remove outdated DEBUG flags. Add -DBIO_DEBUG to --strict-warnings. Remove comments about outdated debugging ifdef guards. Remove md_rand ifdef guarding an assert; it doesn't seem used. Remove the conf guards in conf_api since we use OPENSSL_assert, not assert. For pkcs12 stuff put OPENSSL_ in front of the macro name. Merge TLS_DEBUG into SSL_DEBUG. Various things just turned on/off asserts, mainly for checking non-NULL arguments, which is now removed: camellia, bn_ctx, crypto/modes. Remove some old debug code, that basically just printed things to stderr: DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG, RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG. Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL. Reviewed-by: Richard Levitte --- ssl/record/ssl3_record.c | 8 ++++---- ssl/s3_lib.c | 21 --------------------- ssl/ssl_ciph.c | 4 ---- ssl/ssl_conf.c | 6 ------ ssl/ssl_lib.c | 19 ------------------- ssl/ssl_locl.h | 29 ----------------------------- ssl/statem/statem_clnt.c | 12 ------------ ssl/statem/statem_srvr.c | 3 --- ssl/t1_enc.c | 8 ++++---- ssl/t1_lib.c | 38 -------------------------------------- ssl/t1_reneg.c | 16 ---------------- 11 files changed, 8 insertions(+), 156 deletions(-) (limited to 'ssl') diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c index d7e821d49e..5eb152eeb5 100644 --- a/ssl/record/ssl3_record.c +++ b/ssl/record/ssl3_record.c @@ -394,7 +394,7 @@ int ssl3_get_record(SSL *s) SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); goto f_err; } -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("dec %d\n", rr->length); { unsigned int z; @@ -973,7 +973,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) EVP_MD_CTX_free(hmac); -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG fprintf(stderr, "seq="); { int z; 
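Review bot: With TLS_DEBUG folded into SSL_DEBUG, the blocks guarded here (`printf("dec %d\n", rr->length)` in ssl3_get_record and dtls1_process_record, the `seq=` dump in tls1_mac) and the four matching hunks in ssl/t1_enc.c (labelled `mac key=`, `key=`, `client random`, `key block`) are all enabled by one macro, so SSL_DEBUG now appears to emit decrypted record contents and session key material; the dump loops themselves lie outside the hunks, so this is inferred from the labels. Once the commented-out `#define SSL_DEBUG` is dropped from ssl_locl.h nothing documents that widened scope, so a one-line comment at the first guard, e.g. `/* SSL_DEBUG: dumps decrypted record bytes (and, in t1_enc.c, key material) to stdout; debug builds only */`, would make it visible to whoever next turns the flag on. As a point of style, the merged blocks mix `printf` to stdout with `fprintf(stderr, "seq=")`; since this commit consolidates the flags, sending all of them to stderr would keep the diagnostics on one stream. The enclosing functions start and end outside these hunks.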
@@ -997,7 +997,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) break; } } -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG { unsigned int z; for (z = 0; z < md_size; z++) @@ -1267,7 +1267,7 @@ int dtls1_process_record(SSL *s) RECORD_LAYER_reset_packet_length(&s->rlayer); goto err; } -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("dec %d\n", rr->length); { unsigned int z; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 8f6eda2c71..967840f19e 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1627,23 +1627,6 @@ static const SSL_CIPHER ssl3_ciphers[] = { }, #endif -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* Cipher FF */ - { - 1, - "SCSV", - SSL3_CK_SCSV, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0}, -#endif - #ifndef OPENSSL_NO_EC /* Cipher C006 */ @@ -3743,10 +3726,6 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) id = 0x03000000 | ((uint32_t)p[0] << 8L) | (uint32_t)p[1]; c.id = id; cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS); -#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES - if (cp == NULL) - fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]); -#endif return cp; } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 984918538d..f78984cff9 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -940,10 +940,6 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey, cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength); -#endif -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - if (cipher_id && cipher_id != cp->id) - continue; #endif if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) continue; diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c index 809ce7a872..157bf8ba0d 100644 --- a/ssl/ssl_conf.c +++ b/ssl/ssl_conf.c 
@@ -588,9 +588,6 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = { SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER), SSL_CONF_CMD_SWITCH("strict", 0), -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - SSL_CONF_CMD_SWITCH("debug_broken_protocol", 0), -#endif SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0), SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0), SSL_CONF_CMD_STRING(Curves, "curves", 0), @@ -652,9 +649,6 @@ static const ssl_switch_tbl ssl_cmd_switches[] = { /* no_legacy_server_connect */ {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV}, {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */ -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - {SSL_CERT_FLAG_BROKEN_PROTOCOL, SSL_TFLAG_CERT} /* debug_broken_protocol */ -#endif }; static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index c10ab8656d..fecd39200e 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2648,15 +2648,6 @@ CERT_PKEY *ssl_get_server_send_pkey(SSL *s) return NULL; ssl_set_masks(s, s->s3->tmp.new_cipher); -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* - * Broken protocol test: return last used certificate: which may mismatch - * the one expected. - */ - if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) - return c->key; -#endif - i = ssl_get_server_cert_index(s); /* This may or may not be an error. */ @@ -2677,16 +2668,6 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, alg_a = cipher->algorithm_auth; c = s->cert; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* - * Broken protocol test: use last key: which may mismatch the one - * expected. - */ - if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) - idx = c->key - c->pkeys; - else -#endif - if ((alg_a & SSL_aDSS) && (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL)) idx = SSL_PKEY_DSA_SIGN; 
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 4946cfa64a..30c868f655 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1593,35 +1593,6 @@ struct tls_sigalgs_st { unsigned char rhash; }; -/* - * #define MAC_DEBUG - */ - -/* - * #define ERR_DEBUG - */ -/* - * #define ABORT_DEBUG - */ -/* - * #define PKT_DEBUG 1 - */ -/* - * #define DES_DEBUG - */ -/* - * #define DES_OFB_DEBUG - */ -/* - * #define SSL_DEBUG - */ -/* - * #define RSA_DEBUG - */ -/* - * #define IDEA_DEBUG - */ - # define FP_ICC (int (*)(const void *,const void *)) /* diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index 302618784c..31b18caa7b 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -2870,14 +2870,6 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, /* Skip disabled ciphers */ if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED)) continue; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - if (c->id == SSL3_CK_SCSV) { - if (!empty_reneg_info_scsv) - continue; - else - empty_reneg_info_scsv = 0; - } -#endif j = s->method->put_cipher_by_char(c, p); p += j; } @@ -2892,10 +2884,6 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, }; j = s->method->put_cipher_by_char(&scsv, p); p += j; -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); -#endif } if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) { static SSL_CIPHER scsv = { diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index e4c018a9db..6b372232e1 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3222,9 +3222,6 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, goto err; } s->s3->send_connection_binding = 1; -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "SCSV received by server\n"); -#endif continue; } diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 804803aadc..995ae404f5 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c 
@@ -364,7 +364,7 @@ int tls1_change_cipher_state(SSL *s, int which) } EVP_PKEY_free(mac_key); } -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("which = %04X\nmac key=", which); { int z; @@ -426,7 +426,7 @@ int tls1_change_cipher_state(SSL *s, int which) } #endif -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("which = %04X\nkey=", which); { int z; @@ -495,7 +495,7 @@ int tls1_setup_key_block(SSL *s) s->s3->tmp.key_block_length = num; s->s3->tmp.key_block = p; -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("client random\n"); { int z; @@ -520,7 +520,7 @@ int tls1_setup_key_block(SSL *s) #endif if (!tls1_generate_key_block(s, p, num)) goto err; -#ifdef TLS_DEBUG +#ifdef SSL_DEBUG printf("\nkey block\n"); { int z; diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 586048acd4..7a2047dcca 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -788,11 +788,6 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md) */ int tls1_check_ec_tmp_key(SSL *s, unsigned long cid) { -# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* Allow any curve: not just those peer supports */ - if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) - return 1; -# endif /* * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other * curves permitted. 
@@ -3451,30 +3446,6 @@ int tls1_process_sigalgs(SSL *s) if (!tls1_set_shared_sigalgs(s)) return 0; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) { - /* - * Use first set signature preference to force message digest, - * ignoring any peer preferences. - */ - const unsigned char *sigs = NULL; - if (s->server) - sigs = c->conf_sigalgs; - else - sigs = c->client_sigalgs; - if (sigs) { - idx = tls12_get_pkey_idx(sigs[1]); - md = tls12_get_hash(sigs[0]); - pmd[idx] = md; - pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN; - if (idx == SSL_PKEY_RSA_SIGN) { - pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN; - pmd[SSL_PKEY_RSA_ENC] = md; - } - } - } -#endif - for (i = 0, sigptr = c->shared_sigalgs; i < c->shared_sigalgslen; i++, sigptr++) { idx = tls12_get_pkey_idx(sigptr->rsign); @@ -3748,15 +3719,6 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain, /* If no cert or key, forget it */ if (!x || !pk) goto end; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - /* Allow any certificate to pass test */ - if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) { - rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN | - CERT_PKEY_VALID | CERT_PKEY_SIGN; - *pvalid = rv; - return rv; - } -#endif } else { if (!x || !pk) return 0; diff --git a/ssl/t1_reneg.c b/ssl/t1_reneg.c index 0c090a282d..5c0d82537e 100644 --- a/ssl/t1_reneg.c +++ b/ssl/t1_reneg.c @@ -128,10 +128,6 @@ int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len, memcpy(p, s->s3->previous_client_finished, s->s3->previous_client_finished_len); -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension sent by client\n", - s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); -#endif } *len = s->s3->previous_client_finished_len + 1; 
@@ -171,10 +167,6 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al) *al = SSL_AD_HANDSHAKE_FAILURE; return 0; } -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension received by server\n", - ilen ? "Non-empty" : "Empty"); -#endif s->s3->send_connection_binding = 1; @@ -204,10 +196,6 @@ int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len, memcpy(p, s->s3->previous_server_finished, s->s3->previous_server_finished_len); -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension sent by server\n", - s->s3->previous_client_finished_len ? "Non-empty" : "Empty"); -#endif } *len = s->s3->previous_client_finished_len @@ -271,10 +259,6 @@ int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al) *al = SSL_AD_ILLEGAL_PARAMETER; return 0; } -#ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "%s RI extension received by client\n", - ilen ? "Non-empty" : "Empty"); -#endif s->s3->send_connection_binding = 1; return 1; -- cgit v1.2.3