Remove some unused state and code.
Change-Id: I1f917d1fe70ef5046eeea8fed27cc402bcd674b9
Reviewed-on: https://boringssl-review.googlesource.com/1568
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 7299cd2..3c64237 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -929,12 +929,6 @@
*/
unsigned int max_send_fragment;
-#ifndef OPENSSL_ENGINE
- /* Engine to pass requests for client certs to
- */
- ENGINE *client_cert_engine;
-#endif
-
/* TLS extensions servername callback */
int (*tlsext_servername_callback)(SSL*, int *, void *);
void *tlsext_servername_arg;
@@ -1091,9 +1085,6 @@
OPENSSL_EXPORT int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
OPENSSL_EXPORT void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey));
OPENSSL_EXPORT void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey);
-#ifndef OPENSSL_NO_ENGINE
-OPENSSL_EXPORT int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
-#endif
OPENSSL_EXPORT void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, uint8_t *cookie, size_t *cookie_len));
OPENSSL_EXPORT void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*app_verify_cookie_cb)(SSL *ssl, const uint8_t *cookie, size_t cookie_len));
#ifndef OPENSSL_NO_NEXTPROTONEG
@@ -1302,9 +1293,6 @@
void (*info_callback)(const SSL *ssl,int type,int val); /* optional informational callback */
- int error; /* error bytes to be written */
- int error_code; /* actual code */
-
/* PSK identity hint is stored here only to enable setting a hint on an SSL object before an
* SSL_SESSION is associated with it. Once an SSL_SESSION is associated with this SSL object,
* the psk_identity_hint from the session takes precedence over this one. */
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index ce2758b..9c2129c 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2774,19 +2774,6 @@
int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
{
int i = 0;
- /* TODO(fork): remove */
-#if 0
-#ifndef OPENSSL_NO_ENGINE
- if (s->ctx->client_cert_engine)
- {
- i = ENGINE_load_ssl_client_cert(s->ctx->client_cert_engine, s,
- SSL_get_client_CA_list(s),
- px509, ppkey, NULL, NULL, NULL);
- if (i != 0)
- return i;
- }
-#endif
-#endif
if (s->ctx->client_cert_cb)
i = s->ctx->client_cert_cb(s,px509,ppkey);
return i;
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 3e82fdf..bab0eff 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -564,7 +564,6 @@
memset(ret, 0 ,sizeof *ret);
ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]);
- ret->references = 1;
return ret;
}
@@ -576,21 +575,6 @@
if (sc == NULL)
return;
- i = CRYPTO_add(&sc->references, -1, CRYPTO_LOCK_SSL_SESS_CERT);
-#ifdef REF_PRINT
- REF_PRINT("SESS_CERT", sc);
-#endif
- if (i > 0)
- return;
-#ifdef REF_CHECK
- if (i < 0)
- {
- fprintf(stderr,"ssl_sess_cert_free, bad reference count\n");
- abort(); /* ok */
- }
-#endif
-
- /* i == 0 */
if (sc->cert_chain != NULL)
sk_X509_pop_free(sc->cert_chain, X509_free);
for (i = 0; i < SSL_PKEY_NUM; i++)
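Review bot: ssl_sess_cert_free now frees unconditionally, so a second call on the same SESS_CERT becomes an immediate double free where the removed CRYPTO_add decrement would previously have absorbed it; the single-owner contract should be stated on the function, e.g. `/* SESS_CERT is not reference counted: the caller must hold the only pointer to sc. */` above its signature. The dropped ssl_locl.h comment ("actually always 1 at the moment") suggests every current holder is the sole owner, and deleting the `references` field turns any remaining CRYPTO_add on it into a compile error, but that only catches code that touched the field, not a caller that copies the pointer without ever having incremented it. The function signature and the declaration of `i` are above the hunk.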
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 16b5b3d..43ce97b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -187,7 +187,6 @@
s->session=NULL;
}
- s->error=0;
s->hit=0;
s->shutdown=0;
@@ -2011,26 +2010,7 @@
ret->psk_identity_hint=NULL;
ret->psk_client_callback=NULL;
ret->psk_server_callback=NULL;
-#ifndef OPENSSL_NO_ENGINE
- ret->client_cert_engine = NULL;
-#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
-#define eng_strx(x) #x
-#define eng_str(x) eng_strx(x)
- /* Use specific client engine automatically... ignore errors */
- {
- ENGINE *eng;
- eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
- if (!eng)
- {
- ERR_clear_error();
- ENGINE_load_builtin_engines();
- eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
- }
- if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
- ERR_clear_error();
- }
-#endif
-#endif
+
/* Default is to connect to non-RI servers. When RI is more widely
* deployed might change this.
*/
@@ -2105,14 +2085,6 @@
if (a->psk_identity_hint)
OPENSSL_free(a->psk_identity_hint);
- /* TODO(fork): remove. */
-#if 0
-#ifndef OPENSSL_NO_ENGINE
- if (a->client_cert_engine)
- ENGINE_finish(a->client_cert_engine);
-#endif
-#endif
-
# ifndef OPENSSL_NO_EC
if (a->tlsext_ecpointformatlist)
OPENSSL_free(a->tlsext_ecpointformatlist);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 952805b..3bc618e 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -551,8 +551,6 @@
#ifndef OPENSSL_NO_ECDH
EC_KEY *peer_ecdh_tmp;
#endif
-
- int references; /* actually always 1 at the moment */
} SESS_CERT;
/* Structure containing decoded values of signature algorithms extension */
struct tls_sigalgs_st
@@ -833,7 +831,6 @@
int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
const EVP_MD **md,int *mac_pkey_type,int *mac_secret_size);
int ssl_cipher_get_mac(const SSL_SESSION *s, const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size);
-int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);
int ssl_get_handshake_digest(int i,long *mask,const EVP_MD **md);
int ssl_cipher_get_cert_index(const SSL_CIPHER *c);
int ssl_cipher_has_server_public_key(const SSL_CIPHER *cipher);
@@ -1146,8 +1143,4 @@
unsigned mac_secret_length,
char is_sslv3);
-void tls_fips_digest_extra(
- const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
- const unsigned char *data, size_t data_len, size_t orig_len);
-
#endif
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d5cb5f4..855d1d0 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3141,73 +3141,6 @@
return 1;
}
-/* TODO(fork): remove */
-#if 0
-#define MAX_SIGALGLEN (TLSEXT_hash_num * TLSEXT_signature_num * 2)
-
-typedef struct
- {
- size_t sigalgcnt;
- int sigalgs[MAX_SIGALGLEN];
- } sig_cb_st;
-
-static int sig_cb(const char *elem, int len, void *arg)
- {
- sig_cb_st *sarg = arg;
- size_t i;
- char etmp[20], *p;
- int sig_alg, hash_alg;
- if (sarg->sigalgcnt == MAX_SIGALGLEN)
- return 0;
- if (len > (int)(sizeof(etmp) - 1))
- return 0;
- memcpy(etmp, elem, len);
- etmp[len] = 0;
- p = strchr(etmp, '+');
- if (!p)
- return 0;
- *p = 0;
- p++;
- if (!*p)
- return 0;
-
- if (!strcmp(etmp, "RSA"))
- sig_alg = EVP_PKEY_RSA;
- else if (!strcmp(etmp, "ECDSA"))
- sig_alg = EVP_PKEY_EC;
- else return 0;
-
- hash_alg = OBJ_sn2nid(p);
- if (hash_alg == NID_undef)
- hash_alg = OBJ_ln2nid(p);
- if (hash_alg == NID_undef)
- return 0;
-
- for (i = 0; i < sarg->sigalgcnt; i+=2)
- {
- if (sarg->sigalgs[i] == sig_alg
- && sarg->sigalgs[i + 1] == hash_alg)
- return 0;
- }
- sarg->sigalgs[sarg->sigalgcnt++] = hash_alg;
- sarg->sigalgs[sarg->sigalgcnt++] = sig_alg;
- return 1;
- }
-
-/* Set suppored signature algorithms based on a colon separated list
- * of the form sig+hash e.g. RSA+SHA512:DSA+SHA512 */
-int tls1_set_sigalgs_list(CERT *c, const char *str, int client)
- {
- sig_cb_st sig;
- sig.sigalgcnt = 0;
- if (!CONF_parse_list(str, ':', 1, sig_cb, &sig))
- return 0;
- if (c == NULL)
- return 1;
- return tls1_set_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client);
- }
-#endif
-
int tls1_set_sigalgs(CERT *c, const int *psig_nids, size_t salglen, int client)
{
unsigned char *sigalgs, *sptr;