Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.

We patch bugs into the runner implementation for testing, not our own.

Change-Id: I0a8ac73eaeb70db131c01a0fd9c84f258589a884
Reviewed-on: https://boringssl-review.googlesource.com/1845
Reviewed-by: Adam Langley <agl@google.com>

include/openssl/ssl.h

@@ -564,9 +564,6 @@ struct ssl_session_st
  */
 #define SSL_CERT_FLAG_TLS_STRICT		0x00000001L
 
-/* Perform all sorts of protocol violations for testing purposes */
-#define SSL_CERT_FLAG_BROKEN_PROTOCOL		0x10000000
-
 /* Flags for building certificate chains */
 /* Treat any existing certificates as untrusted CAs */
 #define SSL_BUILD_CHAIN_FLAG_UNTRUSTED		0x1

ssl/ssl_ciph.c

@@ -578,10 +578,6 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 			{
 #ifdef CIPHER_DEBUG
 			printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
-#endif
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-			if (cipher_id && cipher_id != cp->id)
-				continue;
 #endif
 			if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
 				continue;

ssl/ssl_lib.c

@@ -2282,14 +2282,6 @@ CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
 	c = s->cert;
 	ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-	/* Broken protocol test: return last used certificate: which may
-	 * mismatch the one expected.
-	 */
-	if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-		return c->key;
-#endif
-
 	i = ssl_get_server_cert_index(s);
 
 	/* This may or may not be an error. */
@@ -2309,15 +2301,6 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
 	alg_a = cipher->algorithm_auth;
 	c=s->cert;
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-	/* Broken protocol test: use last key: which may
-	 * mismatch the one expected.
-	 */
-	if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-		idx = c->key - c->pkeys;
-	else
-#endif
-
 	if (alg_a & SSL_aRSA)
 		{
 		if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL)

ssl/t1_lib.c

@@ -2672,32 +2672,6 @@ int tls1_process_sigalgs(SSL *s, const CBS *sigalgs)
 
 	tls1_set_shared_sigalgs(s);
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-	if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-		{
-		/* Use first set signature preference to force message
-		 * digest, ignoring any peer preferences.
-		 */
-		const unsigned char *sigs = NULL;
-		if (s->server)
-			sigs = c->conf_sigalgs;
-		else
-			sigs = c->client_sigalgs;
-		if (sigs)
-			{
-			idx = tls12_get_pkey_idx(sigs[1]);
-			md = tls12_get_hash(sigs[0]);
-			c->pkeys[idx].digest = md;
-			c->pkeys[idx].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
-			if (idx == SSL_PKEY_RSA_SIGN)
-				{
-				c->pkeys[SSL_PKEY_RSA_ENC].valid_flags = CERT_PKEY_EXPLICIT_SIGN;
-				c->pkeys[SSL_PKEY_RSA_ENC].digest = md;
-				}
-			}
-		}
-#endif
-
 	for (i = 0, sigptr = c->shared_sigalgs;
 			i < c->shared_sigalgslen; i++, sigptr++)
 		{
@@ -2960,15 +2934,6 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 		/* If no cert or key, forget it */
 		if (!x || !pk)
 			goto end;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-		/* Allow any certificate to pass test */
-		if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-			{
-			rv = CERT_PKEY_STRICT_FLAGS|CERT_PKEY_EXPLICIT_SIGN|CERT_PKEY_VALID|CERT_PKEY_SIGN;
-			cpk->valid_flags = rv;
-			return rv;
-			}
-#endif
 		}
 	else
 		{