remove some #if 0 code. we don't need any more reminders that we're using

a not quite appropriate data structure. ok jsing
author: tedu <> 2014-05-30 14:30:50 +0000
committer: tedu <> 2014-05-30 14:30:50 +0000
commit: d970fd597dc43c71716f5ce1db8f102515a73ad8 (patch)
tree: cbf937e75b5dc1f5e8f2452d45ad4d6942a9b1d4
parent: d7bb67cc99974281f55641afa52a0f9e8f1ff938 (diff)
download: openbsd-d970fd597dc43c71716f5ce1db8f102515a73ad8.tar.gz
openbsd-d970fd597dc43c71716f5ce1db8f102515a73ad8.tar.bz2
openbsd-d970fd597dc43c71716f5ce1db8f102515a73ad8.zip
38 files changed, 2 insertions, 802 deletions
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index 8ffbe0a67a..3cd462e06f 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -152,18 +152,6 @@ ssl_read(BIO *b, char *out, int outl)
        BIO_clear_retry_flags(b);
-#if 0
-        if (!SSL_is_init_finished(ssl)) {
-/*              ret=SSL_do_handshake(ssl); */
-                if (ret > 0) {
-                        outflags = (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY);
-                        ret = -1;
-                        goto end;
-                }
-        }
-#endif
-/*      if (ret > 0) */
        ret = SSL_read(ssl, out, outl);
        switch (SSL_get_error(ssl, ret)) {
@@ -448,12 +436,7 @@ ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
                break;
        case BIO_CTRL_SET_CALLBACK:
                {
-#if 0 /* FIXME: Should this be used?  -- Richard Levitte */
-                        SSLerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                        ret = -1;
-#else
                        ret = 0;
-#endif
                }
                break;
        case BIO_CTRL_GET_CALLBACK:
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index 59987bc1d8..d62362e69a 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -146,14 +146,6 @@
                        if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
                                if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
-#if 0
-#define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \
-                        long ii; \
-                        printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \
-                        printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \
-                        printf("\n"); }
-#endif
 static unsigned char bitmask_start_values[] = {
        0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80
 };
@@ -250,28 +242,6 @@ dtls1_do_write(SSL *s, int type)
                            s->d1->mtu, NULL);
                }
        }
-#if 0
-        mtu = s->d1->mtu;
-        fprintf(stderr, "using MTU = %d\n", mtu);
-        mtu -= (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
-        curr_mtu = mtu - BIO_wpending(SSL_get_wbio(s));
-        if (curr_mtu > 0)
-                mtu = curr_mtu;
-        else if (( ret = BIO_flush(SSL_get_wbio(s))) <= 0)
-                return ret;
-        if (BIO_wpending(SSL_get_wbio(s)) + s->init_num >= mtu) {
-                ret = BIO_flush(SSL_get_wbio(s));
-                if (ret <= 0)
-                        return ret;
-                mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH +
-                    DTLS1_RT_HEADER_LENGTH);
-        }
-#endif
        OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu());
        /* should have something reasonable now */
@@ -1064,19 +1034,6 @@ dtls1_read_failed(SSL *s, int code)
                return code;
        }
-#if 0 /* for now, each alert contains only one record number */
-        item = pqueue_peek(state->rcvd_records);
-        if (item ) {
-                /* send an alert immediately for all the missing records */
-        } else
-#endif
-#if 0  /* no more alert sending, just retransmit the last set of messages */
-        if (state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT)
-                ssl3_send_alert(s, SSL3_AL_WARNING,
-                    DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-#endif
        return dtls1_handle_timeout(s);
 }
@@ -1172,12 +1129,6 @@ dtls1_buffer_message(SSL *s, int is_ccs)
                return 0;
        }
-#if 0
-        fprintf(stderr, "buffered messge: \ttype = %xx\n", msg_buf->type);
-        fprintf(stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len);
-        fprintf(stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num);
-#endif
        pqueue_insert(s->d1->sent_messages, item);
        return 1;
 }
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 4b8a11426f..e8b43f3268 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -703,13 +703,6 @@ dtls1_connect(SSL *s)
                        /* clean a few things up */
                        ssl3_cleanup_key_block(s);
-#if 0
-                        if (s->init_buf != NULL) {
-                                BUF_MEM_free(s->init_buf);
-                                s->init_buf = NULL;
-                        }
-#endif
                        /* If we are not 'joining' the last two packets,
                         * remove the buffering now */
                        if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index d2f63b890b..87916eb763 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -181,10 +181,6 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
    unsigned int *is_next_epoch);
-#if 0
-static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
-    unsigned short *priority, unsigned long *offset);
-#endif
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
    unsigned char *priority);
 static int dtls1_process_record(SSL *s);
@@ -323,50 +319,6 @@ dtls1_process_buffered_records(SSL *s)
        return (1);
 }
-#if 0
-static int
-dtls1_get_buffered_record(SSL *s)
-{
-        pitem *item;
-        PQ_64BIT priority =
-            (((PQ_64BIT)s->d1->handshake_read_seq) << 32) |
-            ((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
-        if (!SSL_in_init(s))  /* if we're not (re)negotiating,
-                                   nothing buffered */
-                return 0;
-        item = pqueue_peek(s->d1->rcvd_records);
-        if (item && item->priority == priority) {
-                /* Check if we've received the record of interest.  It must be
-                 * a handshake record, since data records as passed up without
-                 * buffering */
-                DTLS1_RECORD_DATA *rdata;
-                item = pqueue_pop(s->d1->rcvd_records);
-                rdata = (DTLS1_RECORD_DATA *)item->data;
-                free(s->s3->rbuf.buf);
-                s->packet = rdata->packet;
-                s->packet_length = rdata->packet_length;
-                memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
-                memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
-                free(item->data);
-                pitem_free(item);
-                /* s->d1->next_expected_seq_num++; */
-                return (1);
-        }
-        return 0;
-}
-#endif
 static int
 dtls1_process_record(SSL *s)
 {
@@ -1069,29 +1021,6 @@ start:
                                s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                                return (0);
                        }
-#if 0
-                        /* XXX: this is a possible improvement in the future */
-                        /* now check if it's a missing record */
-                        if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
-                                unsigned short seq;
-                                unsigned int frag_off;
-                                unsigned char *p = &(s->d1->alert_fragment[2]);
-                                n2s(p, seq);
-                                n2l3(p, frag_off);
-                                dtls1_retransmit_message(s,
-                                dtls1_get_queue_priority(frag->msg_header.seq, 0),
-                                frag_off, &found);
-                                if (!found  && SSL_in_init(s)) {
-                                        /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
-                                        /* requested a message not yet sent, 
-                                           send an alert ourselves */
-                                        ssl3_send_alert(s, SSL3_AL_WARNING,
-                                        DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-                                }
-                        }
-#endif
                } else if (alert_level == 2) /* fatal */
                {
                        s->rwstate = SSL_NOTHING;
@@ -1506,13 +1435,6 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
        wr->type=type; /* not needed but helps for debugging */
        wr->length += DTLS1_RT_HEADER_LENGTH;
-#if 0  /* this is now done at the message layer */
-        /* buffer the record, making it easy to handle retransmits */
-        if (type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
-                dtls1_buffer_record(s, wr->data, wr->length,
-        *((PQ_64BIT *)&(s->s3->write_sequence[0])));
-#endif
        ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
        /* now let's set up wb */
@@ -1596,16 +1518,6 @@ dtls1_dispatch_alert(SSL *s)
 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
        if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
                s2n(s->d1->handshake_read_seq, ptr);
-#if 0
-                if ( s->d1->r_msg_hdr.frag_off == 0)  /* waiting for a new msg */
-                else
-                        s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
-#endif
-#if 0
-                fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n", s->d1->handshake_read_seq, s->d1->r_msg_hdr.seq);
-#endif
                l2n3(s->d1->r_msg_hdr.frag_off, ptr);
        }
 #endif
@@ -1660,64 +1572,6 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
        return NULL;
 }
-#if 0
-static int
-dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority,
-    unsigned long *offset)
-{
-        /* alerts are passed up immediately */
-        if (rr->type == SSL3_RT_APPLICATION_DATA || rr->type == SSL3_RT_ALERT)
-                return 0;
-        /* Only need to buffer if a handshake is underway.
-         * (this implies that Hello Request and Client Hello are passed up
-         * immediately) */
-        if (SSL_in_init(s)) {
-                unsigned char *data = rr->data;
-                /* need to extract the HM/CCS sequence number here */
-                if (rr->type == SSL3_RT_HANDSHAKE ||
-                    rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
-                        unsigned short seq_num;
-                        struct hm_header_st msg_hdr;
-                        struct ccs_header_st ccs_hdr;
-                        if (rr->type == SSL3_RT_HANDSHAKE) {
-                                dtls1_get_message_header(data, &msg_hdr);
-                                seq_num = msg_hdr.seq;
-                                *offset = msg_hdr.frag_off;
-                        } else {
-                                dtls1_get_ccs_header(data, &ccs_hdr);
-                                seq_num = ccs_hdr.seq;
-                                *offset = 0;
-                        }
-                        /* this is either a record we're waiting for, or a
-                         * retransmit of something we happened to previously 
-                         * receive (higher layers will drop the repeat silently */
-                        if (seq_num < s->d1->handshake_read_seq)
-                                return 0;
-                        if (rr->type == SSL3_RT_HANDSHAKE &&
-                            seq_num == s->d1->handshake_read_seq &&
-                            msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
-                                return 0;
-                        else if (seq_num == s->d1->handshake_read_seq &&
-                            (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
-                            msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
-                                return 0;
-                        else {
-                                *priority = seq_num;
-                                return 1;
-                        }
-                }
-                else /* unknown record type */
-                        return 0;
-        }
-        return 0;
-}
-#endif
 void
 dtls1_reset_seq_numbers(SSL *s, int rw)
 {
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index 146ce321c8..f069848b7e 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -133,16 +133,6 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[]= {
                "SRTP_AES128_CM_SHA1_32",
                SRTP_AES128_CM_SHA1_32,
        },
-#if 0
-        {
-                "SRTP_NULL_SHA1_80",
-                SRTP_NULL_SHA1_80,
-        },
-        {
-                "SRTP_NULL_SHA1_32",
-                SRTP_NULL_SHA1_32,
-        },
-#endif
        {0}
 };
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 3f872de48b..368afda77a 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -782,11 +782,6 @@ dtls1_accept(SSL *s)
                        /* clean a few things up */
                        ssl3_cleanup_key_block(s);
-#if 0
-                        BUF_MEM_free(s->init_buf);
-                        s->init_buf = NULL;
-#endif
                        /* remove buffering on output */
                        ssl_free_wbio_buffer(s);
diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h
index 2fbb815b6d..b0cf839b78 100644
--- a/src/lib/libssl/dtls1.h
+++ b/src/lib/libssl/dtls1.h
@@ -73,11 +73,6 @@ extern "C" {
 #define DTLS1_VERSION                   0xFEFF
 #define DTLS1_BAD_VER                   0x0100
-#if 0
-/* this alert description is not specified anywhere... */
-#define DTLS1_AD_MISSING_HANDSHAKE_MESSAGE    110
-#endif
 /* lengths of messages */
 #define DTLS1_COOKIE_LENGTH                     256
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 897ac7efe3..5361d5bea8 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -351,13 +351,6 @@ ssl23_client_hello(SSL *s)
        buf = (unsigned char *)s->init_buf->data;
        if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
-#if 0
-                /* don't reuse session-id's */
-                if (!ssl_get_new_session(s, 0)) {
-                        return (-1);
-                }
-#endif
                p = s->s3->client_random;
                if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
                        return -1;
diff --git a/src/lib/libssl/s23_srvr.c b/src/lib/libssl/s23_srvr.c
index 53e06706e3..a6c5d1b8a9 100644
--- a/src/lib/libssl/s23_srvr.c
+++ b/src/lib/libssl/s23_srvr.c
@@ -490,14 +490,6 @@ ssl23_get_client_hello(SSL *s)
                *(d++) = 1;
                *(d++) = 0;
-#if 0
-                /* copy any remaining data with may be extensions */
-                p = p + csl + sil + cl;
-                while (p <  s->packet + s->packet_length) {
-                        *(d++)=*(p++);
-                }
-#endif
                i = (d - (unsigned char *)s->init_buf->data) - 4;
                l2n3((long)i, d_len);
@@ -550,9 +542,6 @@ ssl23_get_client_hello(SSL *s)
                        s->method = TLSv1_server_method();
                else
                        s->method = SSLv3_server_method();
-#if 0 /* ssl3_get_client_hello does this */
-                s->client_version = (v[0]<<8)|v[1];
-#endif
                s->handshake_func = s->method->ssl_accept;
        }
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index abe5c5a86b..bda14069c1 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -730,14 +730,8 @@ ssl3_client_hello(SSL *s)
                 * client_version in client hello and not resetting it to
                 * the negotiated version.
                 */
-#if 0
-                *(p++) = s->version >> 8;
-                *(p++) = s->version&0xff;
-                s->client_version = s->version;
-#else
                *(p++) = s->client_version >> 8;
                *(p++) = s->client_version & 0xff;
-#endif
                /* Random stuff */
                memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index da69caa6dd..477c53b15b 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -2999,17 +2999,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
        /* Let's see which ciphers we can support */
        cert = s->cert;
-#if 0
        /*
         * Do not set the compare functions, because this may lead to a
         * reordering by "id". We want to keep the original ordering.
         * We may pay a price in performance during sk_SSL_CIPHER_find(),
         * but would have to pay with the price of sk_SSL_CIPHER_dup().
         */
-        sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
-        sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
-#endif
        if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
                prio = srvr;
@@ -3267,9 +3262,7 @@ ssl3_shutdown(SSL *s)
        if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {
                s->shutdown|=SSL_SENT_SHUTDOWN;
-#if 1
                ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
-#endif
                /*
                 * Our shutdown alert has been sent now, and if it still needs
                 * to be written, s->s3->alert_dispatch will be true
@@ -3278,7 +3271,6 @@ ssl3_shutdown(SSL *s)
                        return(-1);     /* return WANT_WRITE */
        } else if (s->s3->alert_dispatch) {
                /* resend it if not sent */
-#if 1
                ret = s->method->ssl_dispatch_alert(s);
                if (ret == -1) {
                        /*
@@ -3289,7 +3281,6 @@ ssl3_shutdown(SSL *s)
                         */
                        return (ret);
                }
-#endif
        } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
                /* If we are waiting for a close from our peer, we are closed */
                s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index b8be8b5255..f8f31f2a4a 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -645,11 +645,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
        if ((sess == NULL) || (s->enc_write_ctx == NULL) ||
            (EVP_MD_CTX_md(s->write_hash) == NULL)) {
-#if 1
                clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */
-#else
-                clear = 1;
-#endif
                mac_size = 0;
        } else {
                mac_size = EVP_MD_CTX_size(s->write_hash);
diff --git a/src/lib/libssl/src/ssl/bio_ssl.c b/src/lib/libssl/src/ssl/bio_ssl.c
index 8ffbe0a67a..3cd462e06f 100644
--- a/src/lib/libssl/src/ssl/bio_ssl.c
+++ b/src/lib/libssl/src/ssl/bio_ssl.c
@@ -152,18 +152,6 @@ ssl_read(BIO *b, char *out, int outl)
        BIO_clear_retry_flags(b);
-#if 0
-        if (!SSL_is_init_finished(ssl)) {
-/*              ret=SSL_do_handshake(ssl); */
-                if (ret > 0) {
-                        outflags = (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY);
-                        ret = -1;
-                        goto end;
-                }
-        }
-#endif
-/*      if (ret > 0) */
        ret = SSL_read(ssl, out, outl);
        switch (SSL_get_error(ssl, ret)) {
@@ -448,12 +436,7 @@ ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
                break;
        case BIO_CTRL_SET_CALLBACK:
                {
-#if 0 /* FIXME: Should this be used?  -- Richard Levitte */
-                        SSLerr(SSL_F_SSL_CTRL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                        ret = -1;
-#else
                        ret = 0;
-#endif
                }
                break;
        case BIO_CTRL_GET_CALLBACK:
diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c
index 59987bc1d8..d62362e69a 100644
--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -146,14 +146,6 @@
                        if (is_complete) for (ii = (((msg_len) - 1) >> 3) - 1; ii >= 0 ; ii--) \
                                if (bitmask[ii] != 0xff) { is_complete = 0; break; } }
-#if 0
-#define RSMBLY_BITMASK_PRINT(bitmask, msg_len) { \
-                        long ii; \
-                        printf("bitmask: "); for (ii = 0; ii < (msg_len); ii++) \
-                        printf("%d ", (bitmask[ii >> 3] & (1 << (ii & 7))) >> (ii & 7)); \
-                        printf("\n"); }
-#endif
 static unsigned char bitmask_start_values[] = {
        0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80
 };
@@ -250,28 +242,6 @@ dtls1_do_write(SSL *s, int type)
                            s->d1->mtu, NULL);
                }
        }
-#if 0
-        mtu = s->d1->mtu;
-        fprintf(stderr, "using MTU = %d\n", mtu);
-        mtu -= (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
-        curr_mtu = mtu - BIO_wpending(SSL_get_wbio(s));
-        if (curr_mtu > 0)
-                mtu = curr_mtu;
-        else if (( ret = BIO_flush(SSL_get_wbio(s))) <= 0)
-                return ret;
-        if (BIO_wpending(SSL_get_wbio(s)) + s->init_num >= mtu) {
-                ret = BIO_flush(SSL_get_wbio(s));
-                if (ret <= 0)
-                        return ret;
-                mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH +
-                    DTLS1_RT_HEADER_LENGTH);
-        }
-#endif
        OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu());
        /* should have something reasonable now */
@@ -1064,19 +1034,6 @@ dtls1_read_failed(SSL *s, int code)
                return code;
        }
-#if 0 /* for now, each alert contains only one record number */
-        item = pqueue_peek(state->rcvd_records);
-        if (item ) {
-                /* send an alert immediately for all the missing records */
-        } else
-#endif
-#if 0  /* no more alert sending, just retransmit the last set of messages */
-        if (state->timeout.read_timeouts >= DTLS1_TMO_READ_COUNT)
-                ssl3_send_alert(s, SSL3_AL_WARNING,
-                    DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-#endif
        return dtls1_handle_timeout(s);
 }
@@ -1172,12 +1129,6 @@ dtls1_buffer_message(SSL *s, int is_ccs)
                return 0;
        }
-#if 0
-        fprintf(stderr, "buffered messge: \ttype = %xx\n", msg_buf->type);
-        fprintf(stderr, "\t\t\t\t\tlen = %d\n", msg_buf->len);
-        fprintf(stderr, "\t\t\t\t\tseq_num = %d\n", msg_buf->seq_num);
-#endif
        pqueue_insert(s->d1->sent_messages, item);
        return 1;
 }
diff --git a/src/lib/libssl/src/ssl/d1_clnt.c b/src/lib/libssl/src/ssl/d1_clnt.c
index 4b8a11426f..e8b43f3268 100644
--- a/src/lib/libssl/src/ssl/d1_clnt.c
+++ b/src/lib/libssl/src/ssl/d1_clnt.c
@@ -703,13 +703,6 @@ dtls1_connect(SSL *s)
                        /* clean a few things up */
                        ssl3_cleanup_key_block(s);
-#if 0
-                        if (s->init_buf != NULL) {
-                                BUF_MEM_free(s->init_buf);
-                                s->init_buf = NULL;
-                        }
-#endif
                        /* If we are not 'joining' the last two packets,
                         * remove the buffering now */
                        if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER))
diff --git a/src/lib/libssl/src/ssl/d1_pkt.c b/src/lib/libssl/src/ssl/d1_pkt.c
index d2f63b890b..87916eb763 100644
--- a/src/lib/libssl/src/ssl/d1_pkt.c
+++ b/src/lib/libssl/src/ssl/d1_pkt.c
@@ -181,10 +181,6 @@ static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap);
 static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap);
 static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
    unsigned int *is_next_epoch);
-#if 0
-static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
-    unsigned short *priority, unsigned long *offset);
-#endif
 static int dtls1_buffer_record(SSL *s, record_pqueue *q,
    unsigned char *priority);
 static int dtls1_process_record(SSL *s);
@@ -323,50 +319,6 @@ dtls1_process_buffered_records(SSL *s)
        return (1);
 }
-#if 0
-static int
-dtls1_get_buffered_record(SSL *s)
-{
-        pitem *item;
-        PQ_64BIT priority =
-            (((PQ_64BIT)s->d1->handshake_read_seq) << 32) |
-            ((PQ_64BIT)s->d1->r_msg_hdr.frag_off);
-        if (!SSL_in_init(s))  /* if we're not (re)negotiating,
-                                   nothing buffered */
-                return 0;
-        item = pqueue_peek(s->d1->rcvd_records);
-        if (item && item->priority == priority) {
-                /* Check if we've received the record of interest.  It must be
-                 * a handshake record, since data records as passed up without
-                 * buffering */
-                DTLS1_RECORD_DATA *rdata;
-                item = pqueue_pop(s->d1->rcvd_records);
-                rdata = (DTLS1_RECORD_DATA *)item->data;
-                free(s->s3->rbuf.buf);
-                s->packet = rdata->packet;
-                s->packet_length = rdata->packet_length;
-                memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER));
-                memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD));
-                free(item->data);
-                pitem_free(item);
-                /* s->d1->next_expected_seq_num++; */
-                return (1);
-        }
-        return 0;
-}
-#endif
 static int
 dtls1_process_record(SSL *s)
 {
@@ -1069,29 +1021,6 @@ start:
                                s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                                return (0);
                        }
-#if 0
-                        /* XXX: this is a possible improvement in the future */
-                        /* now check if it's a missing record */
-                        if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
-                                unsigned short seq;
-                                unsigned int frag_off;
-                                unsigned char *p = &(s->d1->alert_fragment[2]);
-                                n2s(p, seq);
-                                n2l3(p, frag_off);
-                                dtls1_retransmit_message(s,
-                                dtls1_get_queue_priority(frag->msg_header.seq, 0),
-                                frag_off, &found);
-                                if (!found  && SSL_in_init(s)) {
-                                        /* fprintf( stderr,"in init = %d\n", SSL_in_init(s)); */
-                                        /* requested a message not yet sent, 
-                                           send an alert ourselves */
-                                        ssl3_send_alert(s, SSL3_AL_WARNING,
-                                        DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-                                }
-                        }
-#endif
                } else if (alert_level == 2) /* fatal */
                {
                        s->rwstate = SSL_NOTHING;
@@ -1506,13 +1435,6 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len)
        wr->type=type; /* not needed but helps for debugging */
        wr->length += DTLS1_RT_HEADER_LENGTH;
-#if 0  /* this is now done at the message layer */
-        /* buffer the record, making it easy to handle retransmits */
-        if (type == SSL3_RT_HANDSHAKE || type == SSL3_RT_CHANGE_CIPHER_SPEC)
-                dtls1_buffer_record(s, wr->data, wr->length,
-        *((PQ_64BIT *)&(s->s3->write_sequence[0])));
-#endif
        ssl3_record_sequence_update(&(s->s3->write_sequence[0]));
        /* now let's set up wb */
@@ -1596,16 +1518,6 @@ dtls1_dispatch_alert(SSL *s)
 #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
        if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
                s2n(s->d1->handshake_read_seq, ptr);
-#if 0
-                if ( s->d1->r_msg_hdr.frag_off == 0)  /* waiting for a new msg */
-                else
-                        s2n(s->d1->r_msg_hdr.seq, ptr); /* partial msg read */
-#endif
-#if 0
-                fprintf(stderr, "s->d1->handshake_read_seq = %d, s->d1->r_msg_hdr.seq = %d\n", s->d1->handshake_read_seq, s->d1->r_msg_hdr.seq);
-#endif
                l2n3(s->d1->r_msg_hdr.frag_off, ptr);
        }
 #endif
@@ -1660,64 +1572,6 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch)
        return NULL;
 }
-#if 0
-static int
-dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr, unsigned short *priority,
-    unsigned long *offset)
-{
-        /* alerts are passed up immediately */
-        if (rr->type == SSL3_RT_APPLICATION_DATA || rr->type == SSL3_RT_ALERT)
-                return 0;
-        /* Only need to buffer if a handshake is underway.
-         * (this implies that Hello Request and Client Hello are passed up
-         * immediately) */
-        if (SSL_in_init(s)) {
-                unsigned char *data = rr->data;
-                /* need to extract the HM/CCS sequence number here */
-                if (rr->type == SSL3_RT_HANDSHAKE ||
-                    rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) {
-                        unsigned short seq_num;
-                        struct hm_header_st msg_hdr;
-                        struct ccs_header_st ccs_hdr;
-                        if (rr->type == SSL3_RT_HANDSHAKE) {
-                                dtls1_get_message_header(data, &msg_hdr);
-                                seq_num = msg_hdr.seq;
-                                *offset = msg_hdr.frag_off;
-                        } else {
-                                dtls1_get_ccs_header(data, &ccs_hdr);
-                                seq_num = ccs_hdr.seq;
-                                *offset = 0;
-                        }
-                        /* this is either a record we're waiting for, or a
-                         * retransmit of something we happened to previously 
-                         * receive (higher layers will drop the repeat silently */
-                        if (seq_num < s->d1->handshake_read_seq)
-                                return 0;
-                        if (rr->type == SSL3_RT_HANDSHAKE &&
-                            seq_num == s->d1->handshake_read_seq &&
-                            msg_hdr.frag_off < s->d1->r_msg_hdr.frag_off)
-                                return 0;
-                        else if (seq_num == s->d1->handshake_read_seq &&
-                            (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC ||
-                            msg_hdr.frag_off == s->d1->r_msg_hdr.frag_off))
-                                return 0;
-                        else {
-                                *priority = seq_num;
-                                return 1;
-                        }
-                }
-                else /* unknown record type */
-                        return 0;
-        }
-        return 0;
-}
-#endif
 void
 dtls1_reset_seq_numbers(SSL *s, int rw)
 {
diff --git a/src/lib/libssl/src/ssl/d1_srtp.c b/src/lib/libssl/src/ssl/d1_srtp.c
index 146ce321c8..f069848b7e 100644
--- a/src/lib/libssl/src/ssl/d1_srtp.c
+++ b/src/lib/libssl/src/ssl/d1_srtp.c
@@ -133,16 +133,6 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[]= {
                "SRTP_AES128_CM_SHA1_32",
                SRTP_AES128_CM_SHA1_32,
        },
-#if 0
-        {
-                "SRTP_NULL_SHA1_80",
-                SRTP_NULL_SHA1_80,
-        },
-        {
-                "SRTP_NULL_SHA1_32",
-                SRTP_NULL_SHA1_32,
-        },
-#endif
        {0}
 };
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index 3f872de48b..368afda77a 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -782,11 +782,6 @@ dtls1_accept(SSL *s)
                        /* clean a few things up */
                        ssl3_cleanup_key_block(s);
-#if 0
-                        BUF_MEM_free(s->init_buf);
-                        s->init_buf = NULL;
-#endif
                        /* remove buffering on output */
                        ssl_free_wbio_buffer(s);
diff --git a/src/lib/libssl/src/ssl/dtls1.h b/src/lib/libssl/src/ssl/dtls1.h
index 2fbb815b6d..b0cf839b78 100644
--- a/src/lib/libssl/src/ssl/dtls1.h
+++ b/src/lib/libssl/src/ssl/dtls1.h
@@ -73,11 +73,6 @@ extern "C" {
 #define DTLS1_VERSION                   0xFEFF
 #define DTLS1_BAD_VER                   0x0100
-#if 0
-/* this alert description is not specified anywhere... */
-#define DTLS1_AD_MISSING_HANDSHAKE_MESSAGE    110
-#endif
 /* lengths of messages */
 #define DTLS1_COOKIE_LENGTH                     256
diff --git a/src/lib/libssl/src/ssl/s23_clnt.c b/src/lib/libssl/src/ssl/s23_clnt.c
index 897ac7efe3..5361d5bea8 100644
--- a/src/lib/libssl/src/ssl/s23_clnt.c
+++ b/src/lib/libssl/src/ssl/s23_clnt.c
@@ -351,13 +351,6 @@ ssl23_client_hello(SSL *s)
        buf = (unsigned char *)s->init_buf->data;
        if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
-#if 0
-                /* don't reuse session-id's */
-                if (!ssl_get_new_session(s, 0)) {
-                        return (-1);
-                }
-#endif
                p = s->s3->client_random;
                if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
                        return -1;
diff --git a/src/lib/libssl/src/ssl/s23_srvr.c b/src/lib/libssl/src/ssl/s23_srvr.c
index 53e06706e3..a6c5d1b8a9 100644
--- a/src/lib/libssl/src/ssl/s23_srvr.c
+++ b/src/lib/libssl/src/ssl/s23_srvr.c
@@ -490,14 +490,6 @@ ssl23_get_client_hello(SSL *s)
                *(d++) = 1;
                *(d++) = 0;
-#if 0
-                /* copy any remaining data with may be extensions */
-                p = p + csl + sil + cl;
-                while (p <  s->packet + s->packet_length) {
-                        *(d++)=*(p++);
-                }
-#endif
                i = (d - (unsigned char *)s->init_buf->data) - 4;
                l2n3((long)i, d_len);
@@ -550,9 +542,6 @@ ssl23_get_client_hello(SSL *s)
                        s->method = TLSv1_server_method();
                else
                        s->method = SSLv3_server_method();
-#if 0 /* ssl3_get_client_hello does this */
-                s->client_version = (v[0]<<8)|v[1];
-#endif
                s->handshake_func = s->method->ssl_accept;
        }
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index abe5c5a86b..bda14069c1 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -730,14 +730,8 @@ ssl3_client_hello(SSL *s)
                 * client_version in client hello and not resetting it to
                 * the negotiated version.
                 */
-#if 0
-                *(p++) = s->version >> 8;
-                *(p++) = s->version&0xff;
-                s->client_version = s->version;
-#else
                *(p++) = s->client_version >> 8;
                *(p++) = s->client_version & 0xff;
-#endif
                /* Random stuff */
                memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index da69caa6dd..477c53b15b 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -2999,17 +2999,12 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
        /* Let's see which ciphers we can support */
        cert = s->cert;
-#if 0
        /*
         * Do not set the compare functions, because this may lead to a
         * reordering by "id". We want to keep the original ordering.
         * We may pay a price in performance during sk_SSL_CIPHER_find(),
         * but would have to pay with the price of sk_SSL_CIPHER_dup().
         */
-        sk_SSL_CIPHER_set_cmp_func(srvr, ssl_cipher_ptr_id_cmp);
-        sk_SSL_CIPHER_set_cmp_func(clnt, ssl_cipher_ptr_id_cmp);
-#endif
        if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
                prio = srvr;
@@ -3267,9 +3262,7 @@ ssl3_shutdown(SSL *s)
        if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {
                s->shutdown|=SSL_SENT_SHUTDOWN;
-#if 1
                ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
-#endif
                /*
                 * Our shutdown alert has been sent now, and if it still needs
                 * to be written, s->s3->alert_dispatch will be true
@@ -3278,7 +3271,6 @@ ssl3_shutdown(SSL *s)
                        return(-1);     /* return WANT_WRITE */
        } else if (s->s3->alert_dispatch) {
                /* resend it if not sent */
-#if 1
                ret = s->method->ssl_dispatch_alert(s);
                if (ret == -1) {
                        /*
@@ -3289,7 +3281,6 @@ ssl3_shutdown(SSL *s)
                         */
                        return (ret);
                }
-#endif
        } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
                /* If we are waiting for a close from our peer, we are closed */
                s->method->ssl_read_bytes(s, 0, NULL, 0, 0);
diff --git a/src/lib/libssl/src/ssl/s3_pkt.c b/src/lib/libssl/src/ssl/s3_pkt.c
index b8be8b5255..f8f31f2a4a 100644
--- a/src/lib/libssl/src/ssl/s3_pkt.c
+++ b/src/lib/libssl/src/ssl/s3_pkt.c
@@ -645,11 +645,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf,
        if ((sess == NULL) || (s->enc_write_ctx == NULL) ||
            (EVP_MD_CTX_md(s->write_hash) == NULL)) {
-#if 1
                clear = s->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */
-#else
-                clear = 1;
-#endif
                mac_size = 0;
        } else {
                mac_size = EVP_MD_CTX_size(s->write_hash);
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index ac2030a0a5..45968ce16a 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -827,11 +827,6 @@ struct ssl_ctx_st {
        X509_VERIFY_PARAM *param;
-#if 0
-        int purpose;            /* Purpose setting */
-        int trust;              /* Trust setting */
-#endif
        int quiet_shutdown;
        /* Maximum amount of data to send in one fragment.
@@ -1109,11 +1104,6 @@ struct ssl_st {
        X509_VERIFY_PARAM *param;
-#if 0
-        int purpose;            /* Purpose setting */
-        int trust;              /* Trust setting */
-#endif
        /* crypto */
        STACK_OF(SSL_CIPHER) *cipher_list;
        STACK_OF(SSL_CIPHER) *cipher_list_by_id;
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h
index 2840b1320f..8633dae521 100644
--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -162,16 +162,6 @@ extern "C" {
 #define SSL3_CK_ADH_DES_64_CBC_SHA              0x0300001A
 #define SSL3_CK_ADH_DES_192_CBC_SHA             0x0300001B
-#if 0
-#define SSL3_CK_FZA_DMS_NULL_SHA                0x0300001C
-#define SSL3_CK_FZA_DMS_FZA_SHA                 0x0300001D
-#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
-         to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
-         of the ietf-tls list */
-#define SSL3_CK_FZA_DMS_RC4_SHA                 0x0300001E
-#endif
-#endif
 /*    VRS Additional Kerberos5 entries
 */
 #define SSL3_CK_KRB5_DES_64_CBC_SHA             0x0300001E
@@ -221,12 +211,6 @@ extern "C" {
 #define SSL3_TXT_ADH_DES_64_CBC_SHA             "ADH-DES-CBC-SHA"
 #define SSL3_TXT_ADH_DES_192_CBC_SHA            "ADH-DES-CBC3-SHA"
-#if 0
-#define SSL3_TXT_FZA_DMS_NULL_SHA               "FZA-NULL-SHA"
-#define SSL3_TXT_FZA_DMS_FZA_SHA                "FZA-FZA-CBC-SHA"
-#define SSL3_TXT_FZA_DMS_RC4_SHA                "FZA-RC4-SHA"
-#endif
 #define SSL3_TXT_KRB5_DES_64_CBC_SHA            "KRB5-DES-CBC-SHA"
 #define SSL3_TXT_KRB5_DES_192_CBC3_SHA          "KRB5-DES-CBC3-SHA"
 #define SSL3_TXT_KRB5_RC4_128_SHA               "KRB5-RC4-SHA"
diff --git a/src/lib/libssl/src/ssl/ssl_cert.c b/src/lib/libssl/src/ssl/ssl_cert.c
index c4099ca24f..3a16644cf4 100644
--- a/src/lib/libssl/src/ssl/ssl_cert.c
+++ b/src/lib/libssl/src/ssl/ssl_cert.c
@@ -340,10 +340,6 @@ ssl_cert_free(CERT *c)
                        X509_free(c->pkeys[i].x509);
                if (c->pkeys[i].privatekey != NULL)
                        EVP_PKEY_free(c->pkeys[i].privatekey);
-#if 0
-                if (c->pkeys[i].publickey != NULL)
-                        EVP_PKEY_free(c->pkeys[i].publickey);
-#endif
        }
        free(c);
 }
@@ -409,12 +405,6 @@ ssl_sess_cert_free(SESS_CERT *sc)
        for (i = 0; i < SSL_PKEY_NUM; i++) {
                if (sc->peer_pkeys[i].x509 != NULL)
                        X509_free(sc->peer_pkeys[i].x509);
-#if 0 /* We don't have the peer's private key.  These lines are just
-       * here as a reminder that we're still using a not-quite-appropriate
-       * data structure. */
-                if (sc->peer_pkeys[i].privatekey != NULL)
-                        EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
-#endif
        }
        if (sc->peer_rsa_tmp != NULL)
@@ -449,10 +439,6 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
                SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB);
                return (0);
        }
-#if 0
-        if (SSL_get_verify_depth(s) >= 0)
-                X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
-#endif
        X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
        /* We need to inherit the verify parameters. These can be determined by
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index e3b67817cc..94792c6d51 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -215,9 +215,6 @@ SSL_clear(SSL *s)
        s->client_version = s->version;
        s->rwstate = SSL_NOTHING;
        s->rstate = SSL_ST_READ_HEADER;
-#if 0
-        s->read_ahead = s->ctx->read_ahead;
-#endif
        if (s->init_buf != NULL) {
                BUF_MEM_free(s->init_buf);
@@ -230,7 +227,6 @@ SSL_clear(SSL *s)
        s->first_packet = 0;
-#if 1
        /*
         * Check to see if we were changed into a different method, if
         * so, revert back if we are not doing session-id reuse.
@@ -242,7 +238,6 @@ SSL_clear(SSL *s)
                if (!s->method->ssl_new(s))
                        return (0);
        } else
-#endif
                s->method->ssl_clear(s);
        return (1);
 }
@@ -312,9 +307,6 @@ SSL_new(SSL_CTX *ctx)
        s->msg_callback = ctx->msg_callback;
        s->msg_callback_arg = ctx->msg_callback_arg;
        s->verify_mode = ctx->verify_mode;
-#if 0
-        s->verify_depth = ctx->verify_depth;
-#endif
        s->sid_ctx_length = ctx->sid_ctx_length;
        OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
        memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
@@ -325,10 +317,6 @@ SSL_new(SSL_CTX *ctx)
        if (!s->param)
                goto err;
        X509_VERIFY_PARAM_inherit(s->param, ctx->param);
-#if 0
-        s->purpose = ctx->purpose;
-        s->trust = ctx->trust;
-#endif
        s->quiet_shutdown = ctx->quiet_shutdown;
        s->max_send_fragment = ctx->max_send_fragment;
@@ -1766,9 +1754,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
        ret->msg_callback = 0;
        ret->msg_callback_arg = NULL;
        ret->verify_mode = SSL_VERIFY_NONE;
-#if 0
-        ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
-#endif
        ret->sid_ctx_length = 0;
        ret->default_verify_callback = NULL;
        if ((ret->cert = ssl_cert_new()) == NULL)
@@ -1881,14 +1866,6 @@ err2:
        return (NULL);
 }
-#if 0
-static void
-SSL_COMP_free(SSL_COMP *comp)
-{
-        free(comp);
-}
-#endif
 void
 SSL_CTX_free(SSL_CTX *a)
 {
@@ -1933,12 +1910,8 @@ SSL_CTX_free(SSL_CTX *a)
                sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free);
        if (a->extra_certs != NULL)
                sk_X509_pop_free(a->extra_certs, X509_free);
-#if 0 /* This should never be done, since it removes a global database */
+        /* Don't free, since it removes a global database */
-        if (a->comp_methods != NULL)
-                sk_SSL_COMP_pop_free(a->comp_methods, SSL_COMP_free);
-#else
        a->comp_methods = NULL;
-#endif
 #ifndef OPENSSL_NO_SRTP
        if (a->srtp_profiles)
@@ -2056,16 +2029,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
                emask_k|=SSL_kRSA;
-#if 0
-        /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
-        if ((dh_tmp || dh_rsa || dh_dsa) &&
-                (rsa_enc || rsa_sign || dsa_sign))
-        mask_k|=SSL_kEDH;
-        if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
-                (rsa_enc || rsa_sign || dsa_sign))
-        emask_k|=SSL_kEDH;
-#endif
        if (dh_tmp_export)
                emask_k|=SSL_kEDH;
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index 9d47bde6c6..96c28e14cf 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -1108,10 +1108,6 @@ tls1_alert_code(int code)
                return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
        case SSL_AD_UNKNOWN_PSK_IDENTITY:
                return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
-#if 0 /* not appropriate for TLS, not used for DTLS */
-        case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE : return
-                (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-#endif
        default:
                return (-1);
        }
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index fa70f21f95..5ad69f5ce9 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -998,9 +998,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                if (data + size > (d + n))
                        goto ri_check;
-#if 0
-                fprintf(stderr, "Received extension type %d size %d\n", type, size);
-#endif
                if (s->tlsext_debug_cb)
                        s->tlsext_debug_cb(s, 0, type, data, size,
                            s->tlsext_debug_arg);
@@ -1124,13 +1121,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
                                memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
                        }
-#if 0
-                        fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
-                        sdata = s->session->tlsext_ecpointformatlist;
-                        for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
-                                fprintf(stderr, "%i ", *(sdata++));
-                        fprintf(stderr, "\n");
-#endif
                } else if (type == TLSEXT_TYPE_elliptic_curves &&
                    s->version != DTLS1_VERSION) {
                        unsigned char *sdata = data;
@@ -1156,13 +1146,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
                                memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
                        }
-#if 0
-                        fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
-                        sdata = s->session->tlsext_ellipticcurvelist;
-                        for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
-                                fprintf(stderr, "%i ", *(sdata++));
-                        fprintf(stderr, "\n");
-#endif
                }
 #endif /* OPENSSL_NO_EC */
 #ifdef TLSEXT_TYPE_opaque_prf_input
@@ -1451,13 +1434,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                        }
                        s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
                        memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
-#if 0
-                        fprintf(stderr, "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
-                        sdata = s->session->tlsext_ecpointformatlist;
-                        for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
-                                fprintf(stderr, "%i ", *(sdata++));
-                        fprintf(stderr, "\n");
-#endif
                }
 #endif /* OPENSSL_NO_EC */
                else if (type == TLSEXT_TYPE_session_ticket) {
@@ -2230,18 +2206,6 @@ tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
        }
        return -1;
 }
-#if 0
-static int
-tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
-{
-        size_t i;
-        for (i = 0; i < tlen; i++) {
-                if (table[i].id == id)
-                        return table[i].nid;
-        }
-        return -1;
-}
-#endif
 int
 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
diff --git a/src/lib/libssl/src/ssl/tls1.h b/src/lib/libssl/src/ssl/tls1.h
index e05168cffe..400deca6d4 100644
--- a/src/lib/libssl/src/ssl/tls1.h
+++ b/src/lib/libssl/src/ssl/tls1.h
@@ -239,13 +239,6 @@ extern "C" {
 /* ExtensionType value from RFC4507 */
 #define TLSEXT_TYPE_session_ticket              35
-/* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */
-#if 0   /* will have to be provided externally for now ,
-         * i.e. build with - DTLSEXT_TYPE_opaque_prf_input = 38183
-         * using whatever extension number you'd like to try */
-# define TLSEXT_TYPE_opaque_prf_input           ?? */
-#endif
 /* Temporary extension type */
 #define TLSEXT_TYPE_renegotiate                 0xff01
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index ac2030a0a5..45968ce16a 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -827,11 +827,6 @@ struct ssl_ctx_st {
        X509_VERIFY_PARAM *param;
-#if 0
-        int purpose;            /* Purpose setting */
-        int trust;              /* Trust setting */
-#endif
        int quiet_shutdown;
        /* Maximum amount of data to send in one fragment.
@@ -1109,11 +1104,6 @@ struct ssl_st {
        X509_VERIFY_PARAM *param;
-#if 0
-        int purpose;            /* Purpose setting */
-        int trust;              /* Trust setting */
-#endif
        /* crypto */
        STACK_OF(SSL_CIPHER) *cipher_list;
        STACK_OF(SSL_CIPHER) *cipher_list_by_id;
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 2840b1320f..8633dae521 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -162,16 +162,6 @@ extern "C" {
 #define SSL3_CK_ADH_DES_64_CBC_SHA              0x0300001A
 #define SSL3_CK_ADH_DES_192_CBC_SHA             0x0300001B
-#if 0
-#define SSL3_CK_FZA_DMS_NULL_SHA                0x0300001C
-#define SSL3_CK_FZA_DMS_FZA_SHA                 0x0300001D
-#if 0 /* Because it clashes with KRB5, is never used any more, and is safe
-         to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
-         of the ietf-tls list */
-#define SSL3_CK_FZA_DMS_RC4_SHA                 0x0300001E
-#endif
-#endif
 /*    VRS Additional Kerberos5 entries
 */
 #define SSL3_CK_KRB5_DES_64_CBC_SHA             0x0300001E
@@ -221,12 +211,6 @@ extern "C" {
 #define SSL3_TXT_ADH_DES_64_CBC_SHA             "ADH-DES-CBC-SHA"
 #define SSL3_TXT_ADH_DES_192_CBC_SHA            "ADH-DES-CBC3-SHA"
-#if 0
-#define SSL3_TXT_FZA_DMS_NULL_SHA               "FZA-NULL-SHA"
-#define SSL3_TXT_FZA_DMS_FZA_SHA                "FZA-FZA-CBC-SHA"
-#define SSL3_TXT_FZA_DMS_RC4_SHA                "FZA-RC4-SHA"
-#endif
 #define SSL3_TXT_KRB5_DES_64_CBC_SHA            "KRB5-DES-CBC-SHA"
 #define SSL3_TXT_KRB5_DES_192_CBC3_SHA          "KRB5-DES-CBC3-SHA"
 #define SSL3_TXT_KRB5_RC4_128_SHA               "KRB5-RC4-SHA"
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index c4099ca24f..3a16644cf4 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -340,10 +340,6 @@ ssl_cert_free(CERT *c)
                        X509_free(c->pkeys[i].x509);
                if (c->pkeys[i].privatekey != NULL)
                        EVP_PKEY_free(c->pkeys[i].privatekey);
-#if 0
-                if (c->pkeys[i].publickey != NULL)
-                        EVP_PKEY_free(c->pkeys[i].publickey);
-#endif
        }
        free(c);
 }
@@ -409,12 +405,6 @@ ssl_sess_cert_free(SESS_CERT *sc)
        for (i = 0; i < SSL_PKEY_NUM; i++) {
                if (sc->peer_pkeys[i].x509 != NULL)
                        X509_free(sc->peer_pkeys[i].x509);
-#if 0 /* We don't have the peer's private key.  These lines are just
-       * here as a reminder that we're still using a not-quite-appropriate
-       * data structure. */
-                if (sc->peer_pkeys[i].privatekey != NULL)
-                        EVP_PKEY_free(sc->peer_pkeys[i].privatekey);
-#endif
        }
        if (sc->peer_rsa_tmp != NULL)
@@ -449,10 +439,6 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk)
                SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_X509_LIB);
                return (0);
        }
-#if 0
-        if (SSL_get_verify_depth(s) >= 0)
-                X509_STORE_CTX_set_depth(&ctx, SSL_get_verify_depth(s));
-#endif
        X509_STORE_CTX_set_ex_data(&ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s);
        /* We need to inherit the verify parameters. These can be determined by
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index e3b67817cc..94792c6d51 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -215,9 +215,6 @@ SSL_clear(SSL *s)
        s->client_version = s->version;
        s->rwstate = SSL_NOTHING;
        s->rstate = SSL_ST_READ_HEADER;
-#if 0
-        s->read_ahead = s->ctx->read_ahead;
-#endif
        if (s->init_buf != NULL) {
                BUF_MEM_free(s->init_buf);
@@ -230,7 +227,6 @@ SSL_clear(SSL *s)
        s->first_packet = 0;
-#if 1
        /*
         * Check to see if we were changed into a different method, if
         * so, revert back if we are not doing session-id reuse.
@@ -242,7 +238,6 @@ SSL_clear(SSL *s)
                if (!s->method->ssl_new(s))
                        return (0);
        } else
-#endif
                s->method->ssl_clear(s);
        return (1);
 }
@@ -312,9 +307,6 @@ SSL_new(SSL_CTX *ctx)
        s->msg_callback = ctx->msg_callback;
        s->msg_callback_arg = ctx->msg_callback_arg;
        s->verify_mode = ctx->verify_mode;
-#if 0
-        s->verify_depth = ctx->verify_depth;
-#endif
        s->sid_ctx_length = ctx->sid_ctx_length;
        OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx);
        memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx));
@@ -325,10 +317,6 @@ SSL_new(SSL_CTX *ctx)
        if (!s->param)
                goto err;
        X509_VERIFY_PARAM_inherit(s->param, ctx->param);
-#if 0
-        s->purpose = ctx->purpose;
-        s->trust = ctx->trust;
-#endif
        s->quiet_shutdown = ctx->quiet_shutdown;
        s->max_send_fragment = ctx->max_send_fragment;
@@ -1766,9 +1754,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
        ret->msg_callback = 0;
        ret->msg_callback_arg = NULL;
        ret->verify_mode = SSL_VERIFY_NONE;
-#if 0
-        ret->verify_depth=-1; /* Don't impose a limit (but x509_lu.c does) */
-#endif
        ret->sid_ctx_length = 0;
        ret->default_verify_callback = NULL;
        if ((ret->cert = ssl_cert_new()) == NULL)
@@ -1881,14 +1866,6 @@ err2:
        return (NULL);
 }
-#if 0
-static void
-SSL_COMP_free(SSL_COMP *comp)
-{
-        free(comp);
-}
-#endif
 void
 SSL_CTX_free(SSL_CTX *a)
 {
@@ -1933,12 +1910,8 @@ SSL_CTX_free(SSL_CTX *a)
                sk_X509_NAME_pop_free(a->client_CA, X509_NAME_free);
        if (a->extra_certs != NULL)
                sk_X509_pop_free(a->extra_certs, X509_free);
-#if 0 /* This should never be done, since it removes a global database */
+        /* Don't free, since it removes a global database */
-        if (a->comp_methods != NULL)
-                sk_SSL_COMP_pop_free(a->comp_methods, SSL_COMP_free);
-#else
        a->comp_methods = NULL;
-#endif
 #ifndef OPENSSL_NO_SRTP
        if (a->srtp_profiles)
@@ -2056,16 +2029,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        if (rsa_enc_export || (rsa_tmp_export && (rsa_sign || rsa_enc)))
                emask_k|=SSL_kRSA;
-#if 0
-        /* The match needs to be both kEDH and aRSA or aDSA, so don't worry */
-        if ((dh_tmp || dh_rsa || dh_dsa) &&
-                (rsa_enc || rsa_sign || dsa_sign))
-        mask_k|=SSL_kEDH;
-        if ((dh_tmp_export || dh_rsa_export || dh_dsa_export) &&
-                (rsa_enc || rsa_sign || dsa_sign))
-        emask_k|=SSL_kEDH;
-#endif
        if (dh_tmp_export)
                emask_k|=SSL_kEDH;
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index 9d47bde6c6..96c28e14cf 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1108,10 +1108,6 @@ tls1_alert_code(int code)
                return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
        case SSL_AD_UNKNOWN_PSK_IDENTITY:
                return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
-#if 0 /* not appropriate for TLS, not used for DTLS */
-        case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE : return
-                (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-#endif
        default:
                return (-1);
        }
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index fa70f21f95..5ad69f5ce9 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -998,9 +998,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                if (data + size > (d + n))
                        goto ri_check;
-#if 0
-                fprintf(stderr, "Received extension type %d size %d\n", type, size);
-#endif
                if (s->tlsext_debug_cb)
                        s->tlsext_debug_cb(s, 0, type, data, size,
                            s->tlsext_debug_arg);
@@ -1124,13 +1121,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
                                memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
                        }
-#if 0
-                        fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
-                        sdata = s->session->tlsext_ecpointformatlist;
-                        for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
-                                fprintf(stderr, "%i ", *(sdata++));
-                        fprintf(stderr, "\n");
-#endif
                } else if (type == TLSEXT_TYPE_elliptic_curves &&
                    s->version != DTLS1_VERSION) {
                        unsigned char *sdata = data;
@@ -1156,13 +1146,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                                s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
                                memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
                        }
-#if 0
-                        fprintf(stderr, "ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
-                        sdata = s->session->tlsext_ellipticcurvelist;
-                        for (i = 0; i < s->session->tlsext_ellipticcurvelist_length; i++)
-                                fprintf(stderr, "%i ", *(sdata++));
-                        fprintf(stderr, "\n");
-#endif
                }
 #endif /* OPENSSL_NO_EC */
 #ifdef TLSEXT_TYPE_opaque_prf_input
@@ -1451,13 +1434,6 @@ ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                        }
                        s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
                        memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
-#if 0
-                        fprintf(stderr, "ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
-                        sdata = s->session->tlsext_ecpointformatlist;
-                        for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++)
-                                fprintf(stderr, "%i ", *(sdata++));
-                        fprintf(stderr, "\n");
-#endif
                }
 #endif /* OPENSSL_NO_EC */
                else if (type == TLSEXT_TYPE_session_ticket) {
@@ -2230,18 +2206,6 @@ tls12_find_id(int nid, tls12_lookup *table, size_t tlen)
        }
        return -1;
 }
-#if 0
-static int
-tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
-{
-        size_t i;
-        for (i = 0; i < tlen; i++) {
-                if (table[i].id == id)
-                        return table[i].nid;
-        }
-        return -1;
-}
-#endif
 int
 tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md)
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index e05168cffe..400deca6d4 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -239,13 +239,6 @@ extern "C" {
 /* ExtensionType value from RFC4507 */
 #define TLSEXT_TYPE_session_ticket              35
-/* ExtensionType value from draft-rescorla-tls-opaque-prf-input-00.txt */
-#if 0   /* will have to be provided externally for now ,
-         * i.e. build with - DTLSEXT_TYPE_opaque_prf_input = 38183
-         * using whatever extension number you'd like to try */
-# define TLSEXT_TYPE_opaque_prf_input           ?? */
-#endif
 /* Temporary extension type */
 #define TLSEXT_TYPE_renegotiate                 0xff01
author	tedu <>	2014-05-30 14:30:50 +0000
committer	tedu <>	2014-05-30 14:30:50 +0000
commit	d970fd597dc43c71716f5ce1db8f102515a73ad8 (patch)
tree	cbf937e75b5dc1f5e8f2452d45ad4d6942a9b1d4
parent	d7bb67cc99974281f55641afa52a0f9e8f1ff938 (diff)
download	openbsd-d970fd597dc43c71716f5ce1db8f102515a73ad8.tar.gz openbsd-d970fd597dc43c71716f5ce1db8f102515a73ad8.tar.bz2 openbsd-d970fd597dc43c71716f5ce1db8f102515a73ad8.zip