Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.

We patch bugs into the runner implementation for testing, not into our own implementation.

Change-Id: I0a8ac73eaeb70db131c01a0fd9c84f258589a884
Reviewed-on: https://boringssl-review.googlesource.com/1845
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 48ad549..de75b92 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -564,9 +564,6 @@
  */
 #define SSL_CERT_FLAG_TLS_STRICT		0x00000001L
 
-/* Perform all sorts of protocol violations for testing purposes */
-#define SSL_CERT_FLAG_BROKEN_PROTOCOL		0x10000000
-
 /* Flags for building certificate chains */
 /* Treat any existing certificates as untrusted CAs */
 #define SSL_BUILD_CHAIN_FLAG_UNTRUSTED		0x1
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index fbed548..040a2db 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -579,10 +579,6 @@
 #ifdef CIPHER_DEBUG
 			printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
 #endif
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-			if (cipher_id && cipher_id != cp->id)
-				continue;
-#endif
 			if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
 				continue;
 			if (alg_auth && !(alg_auth & cp->algorithm_auth))
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 7270dde..5562e20 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2282,14 +2282,6 @@
 	c = s->cert;
 	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-	/* Broken protocol test: return last used certificate: which may
-	 * mismatch the one expected.
-	 */
-	if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-		return c->key;
-#endif
-
 	i = ssl_get_server_cert_index(s);
 
 	/* This may or may not be an error. */
@@ -2309,15 +2301,6 @@
 	alg_a = cipher->algorithm_auth;
 	c=s->cert;
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-	/* Broken protocol test: use last key: which may
-	 * mismatch the one expected.
-	 */
-	if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-		idx = c->key - c->pkeys;
-	else
-#endif
-
 	if (alg_a & SSL_aRSA)
 		{
 		if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 1741bdb..5993ffd 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2672,32 +2672,6 @@
 
 	tls1_set_shared_sigalgs(s);
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-	if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-		{
-		/* Use first set signature preference to force message
-		 * digest, ignoring any peer preferences.
-		 */
-		const unsigned char *sigs = NULL;
-		if (s->server)
-			sigs = c->conf_sigalgs;
-		else
-			sigs = c->client_sigalgs;
-		if (sigs)
-			{
-			idx = tls12_get_pkey_idx(sigs[1]);
-			md = tls12_get_hash(sigs[0]);
-			c->pkeys[idx].digest = md;
-			c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
-			if (idx == SSL_PKEY_RSA_SIGN)
-				{
-				c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
-				c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
-				}
-			}
-		}
-#endif
-
 	for (i = 0, sigptr = c->shared_sigalgs;
 			i < c->shared_sigalgslen; i++, sigptr++)
 		{
@@ -2960,15 +2934,6 @@
 		/* If no cert or key, forget it */
 		if (!x || !pk)
 			goto end;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-		/* Allow any certificate to pass test */
-		if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-			{
-			rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
-			cpk->valid_flags = rv;
-			return rv;
-			}
-#endif
 		}
 	else
 		{