Remove some obsolete/obscure internal define switches:

- FLAT_INC
- PKCS1_CHECK (the SSL_OP_PKCS1_CHECK options have been
  no-oped)
- PKCS_TESTVECT (debugging leftovers)
- SSL_AD_MISSING_SRP_USERNAME (unfinished feature)
- DTLS_AD_MISSING_HANDSHAKE_MESSAGE (unfinished feature)
- USE_OBJ_MAC (note this removes a define from the public header but
   very unlikely someone would be depending on it)
- SSL_FORBID_ENULL
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NStephen Henson <steve@openssl.org>
Reviewed-by: NAndy Polyakov <appro@openssl.org>

crypto/cryptlib.c

@@ -167,7 +167,13 @@ void OPENSSL_showfatal(const char *fmta, ...)
     va_list ap;
     TCHAR buf[256];
     const TCHAR *fmt;
-# ifdef STD_ERROR_HANDLE        /* what a dirty trick! */
+    /*
+     * First check if it's a console application, in which case the
+     * error message would be printed to standard error.
+     * Windows CE does not have a concept of a console application,
+     * so we need to guard the check.
+     */
+# ifdef STD_ERROR_HANDLE
     HANDLE h;
 
     if ((h = GetStdHandle(STD_ERROR_HANDLE)) != NULL &&

crypto/rsa/rsa_oaep.c

@@ -78,11 +78,6 @@ int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
     memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen);
     if (RAND_bytes(seed, mdlen) <= 0)
         return 0;
-#ifdef PKCS_TESTVECT
-    memcpy(seed,
-           "\xaa\xfd\x12\xf6\x59\xca\xe6\x34\x89\xb4\x79\xe5\x07\x6d\xde\xc2\xf0\x6c\xb5\x8f",
-           20);
-#endif
 
     dbmask = OPENSSL_malloc(emlen - mdlen);
     if (dbmask == NULL) {

demos/engines/e_chil.c

@@ -35,11 +35,7 @@
  * The hwcryptohook.h included here is from May 2000.
  * [Richard Levitte]
  */
-#  ifdef FLAT_INC
-#   include "hwcryptohook.h"
-#  else
-#   include "vendor_defns/hwcryptohook.h"
-#  endif
+# include "vendor_defns/hwcryptohook.h"
 
 #  define HWCRHK_LIB_NAME "CHIL engine"
 #  include "e_chil_err.c"

include/openssl/dtls1.h

@@ -37,12 +37,7 @@ extern "C" {
 
 # define DTLS1_CCS_HEADER_LENGTH                  1
 
-# ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
-#  define DTLS1_AL_HEADER_LENGTH                   7
-# else
-#  define DTLS1_AL_HEADER_LENGTH                   2
-# endif
-
+# define DTLS1_AL_HEADER_LENGTH                   2
 
 /* Timeout multipliers (timeout slice is defined in apps/timeouts.h */
 # define DTLS1_TMO_READ_COUNT                      2

ssl/d1_msg.c

@@ -59,23 +59,12 @@ int dtls1_dispatch_alert(SSL *s)
     *ptr++ = s->s3->send_alert[0];
     *ptr++ = s->s3->send_alert[1];
 
-#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
-    if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
-        s2n(s->d1->handshake_read_seq, ptr);
-        l2n3(s->d1->r_msg_hdr.frag_off, ptr);
-    }
-#endif
-
     i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf), 0, &written);
     if (i <= 0) {
         s->s3->alert_dispatch = 1;
         /* fprintf( stderr, "not done with alert\n" ); */
     } else {
-        if (s->s3->send_alert[0] == SSL3_AL_FATAL
-#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
-            || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
-#endif
-            )
+        if (s->s3->send_alert[0] == SSL3_AL_FATAL)
             (void)BIO_flush(s->wbio);
 
         if (s->msg_callback)

ssl/record/rec_layer_d1.c

@@ -599,14 +599,6 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
              * fragmented--don't always expect dest_maxlen bytes
              */
             if (SSL3_RECORD_get_length(rr) < dest_maxlen) {
-#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
-                /*
-                 * for normal alerts rr->length is 2, while
-                 * dest_maxlen is 7 if we were to handle this
-                 * non-existing alert...
-                 */
-                FIX ME;
-#endif
                 s->rlayer.rstate = SSL_ST_READ_HEADER;
                 SSL3_RECORD_set_length(rr, 0);
                 goto start;
@@ -678,34 +670,6 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                 return 0;
             }
-#if 0
-            /* XXX: this is a possible improvement in the future */
-            /* now check if it's a missing record */
-            if (alert_descr == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) {
-                unsigned short seq;
-                unsigned int frag_off;
-                unsigned char *p = &(s->rlayer.d->alert_fragment[2]);
-
-                n2s(p, seq);
-                n2l3(p, frag_off);
-
-                dtls1_retransmit_message(s,
-                                         dtls1_get_queue_priority
-                                         (frag->msg_header.seq, 0), frag_off,
-                                         &found);
-                if (!found && SSL_in_init(s)) {
-                    /*
-                     * fprintf( stderr,"in init = %d\n", SSL_in_init(s));
-                     */
-                    /*
-                     * requested a message not yet sent, send an alert
-                     * ourselves
-                     */
-                    ssl3_send_alert(s, SSL3_AL_WARNING,
-                                    DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-                }
-            }
-#endif
         } else if (alert_level == SSL3_AL_FATAL) {
             char tmp[16];
 

ssl/record/rec_layer_s3.c

@@ -1429,10 +1429,6 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
                 SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_NO_RENEGOTIATION);
                 goto f_err;
             }
-#ifdef SSL_AD_MISSING_SRP_USERNAME
-            else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
-                return (0);
-#endif
         } else if (alert_level == SSL3_AL_FATAL) {
             char tmp[16];
 

ssl/ssl_ciph.c

@@ -388,9 +388,6 @@ void ssl_load_ciphers(void)
                 disabled_enc_mask |= t->mask;
         }
     }
-#ifdef SSL_FORBID_ENULL
-    disabled_enc_mask |= SSL_eNULL;
-#endif
     disabled_mac_mask = 0;
     for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {
         const EVP_MD *md = EVP_get_digestbynid(t->nid);

ssl/ssl_locl.h

@@ -73,8 +73,6 @@
 #  define OPENSSL_EXTERN OPENSSL_EXPORT
 # endif
 
-# undef PKCS1_CHECK
-
 # define c2l(c,l)        (l = ((unsigned long)(*((c)++)))     , \
                          l|=(((unsigned long)(*((c)++)))<< 8), \
                          l|=(((unsigned long)(*((c)++)))<<16), \

ssl/statem/statem_clnt.c

@@ -2752,12 +2752,6 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt, int *al)
     }
     EVP_PKEY_CTX_free(pctx);
     pctx = NULL;
-# ifdef PKCS1_CHECK
-    if (s->options & SSL_OP_PKCS1_CHECK_1)
-        (*p)[1]++;
-    if (s->options & SSL_OP_PKCS1_CHECK_2)
-        tmp_buf[0] = 0x70;
-# endif
 
     /* Fix buf for TLS and beyond */
     if (s->version > SSL3_VERSION && !WPACKET_close(pkt)) {

test/build.info

@@ -47,7 +47,7 @@ IF[{- !$disabled{tests} -}]
   DEPEND[bntest]=../libcrypto
 
   SOURCE[ectest]=ectest.c
-  INCLUDE[ectest]=../include
+  INCLUDE[ectest]=.. ../include
   DEPEND[ectest]=../libcrypto
 
   SOURCE[ecdsatest]=ecdsatest.c

test/ectest.c

@@ -23,14 +23,11 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-#ifdef FLAT_INC
-# include "e_os.h"
-#else
-# include "../e_os.h"
-#endif
 #include <string.h>
 #include <time.h>
 
+#include "e_os.h"
+
 #ifdef OPENSSL_NO_EC
 int main(int argc, char *argv[])
 {

test/rsa_test.c

@@ -292,11 +292,7 @@ int main(int argc, char *argv[])
         } else if (memcmp(ctext, ctext_ex, num) == 0)
             printf("OAEP test vector %d passed!\n", v);
 
-        /*
-         * Different ciphertexts (rsa_oaep.c without -DPKCS_TESTVECT). Try
-         * decrypting ctext_ex
-         */
-
+        /* Different ciphertexts. Try decrypting ctext_ex */
         num = RSA_private_decrypt(clen, ctext_ex, ptext, key,
                                   RSA_PKCS1_OAEP_PADDING);