[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Thu Feb 18 22:15:00 UTC 2016


The branch master has been updated
       via  d63a5e5e7d96f173e2bbf711e3f1f813bf0df05e (commit)
      from  1bd8bc558d7c0b41286d276e62088d7186bd5c34 (commit)


- Log -----------------------------------------------------------------
commit d63a5e5e7d96f173e2bbf711e3f1f813bf0df05e
Author: Rich Salz <rsalz at akamai.com>
Date:   Thu Feb 18 11:33:21 2016 -0500

    Remove outdated DEBUG flags.
    
    Add -DBIO_DEBUG to --strict-warnings.
    Remove comments about outdated debugging ifdef guards.
    Remove md_rand ifdef guarding an assert; it doesn't seem used.
    Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
    For pkcs12 stuff put OPENSSL_ in front of the macro name.
    Merge TLS_DEBUG into SSL_DEBUG.
    Various things just turned on/off asserts, mainly for checking non-NULL
    arguments, which is now removed: camellia, bn_ctx, crypto/modes.
    Remove some old debug code, that basically just printed things to stderr:
      DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
      RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
    Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 Configure                  |  2 +-
 apps/apps.c                | 72 ++++++----------------------------------------
 apps/x509.c                | 21 --------------
 crypto/bn/bn_ctx.c         |  8 ------
 crypto/camellia/cmll_ecb.c | 11 -------
 crypto/comp/c_zlib.c       | 10 -------
 crypto/conf/conf_api.c     |  6 ----
 crypto/engine/tb_cipher.c  |  7 -----
 crypto/engine/tb_dh.c      |  7 -----
 crypto/engine/tb_digest.c  |  7 -----
 crypto/engine/tb_dsa.c     |  7 -----
 crypto/engine/tb_eckey.c   |  7 -----
 crypto/engine/tb_pkmeth.c  |  7 -----
 crypto/engine/tb_rand.c    |  7 -----
 crypto/engine/tb_rsa.c     |  7 -----
 crypto/evp/p5_crpt2.c      |  8 +++---
 crypto/evp/scrypt.c        | 10 -------
 crypto/modes/cbc128.c      | 11 -------
 crypto/modes/ccm128.c      |  7 -----
 crypto/modes/cfb128.c      | 15 ----------
 crypto/modes/ctr128.c      | 13 ---------
 crypto/modes/cts128.c      | 23 ---------------
 crypto/modes/gcm128.c      |  7 -----
 crypto/modes/ofb128.c      |  9 ------
 crypto/modes/xts128.c      |  7 -----
 crypto/pkcs12/p12_decr.c   |  4 +--
 crypto/pkcs12/p12_key.c    | 12 ++++----
 crypto/rand/md_rand.c      | 10 -------
 crypto/rsa/rsa_sign.c      |  5 ----
 doc/ssl/SSL_CONF_cmd.pod   |  7 -----
 ssl/record/ssl3_record.c   |  8 +++---
 ssl/s3_lib.c               | 21 --------------
 ssl/ssl_ciph.c             |  4 ---
 ssl/ssl_conf.c             |  6 ----
 ssl/ssl_lib.c              | 19 ------------
 ssl/ssl_locl.h             | 29 -------------------
 ssl/statem/statem_clnt.c   | 12 --------
 ssl/statem/statem_srvr.c   |  3 --
 ssl/t1_enc.c               |  8 +++---
 ssl/t1_lib.c               | 38 ------------------------
 ssl/t1_reneg.c             | 16 -----------
 util/mkdef.pl              |  1 -
 42 files changed, 30 insertions(+), 469 deletions(-)

diff --git a/Configure b/Configure
index 7e0882a..3bf2e88 100755
--- a/Configure
+++ b/Configure
@@ -76,7 +76,7 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
 # Minimum warning options... any contributions to OpenSSL should at least get
 # past these.
 
-my $gcc_devteam_warn = "-DPEDANTIC -DREF_DEBUG -DDEBUG_UNUSED"
+my $gcc_devteam_warn = "-DPEDANTIC -DREF_DEBUG -DDEBUG_UNUSED -DBIO_DEBUG"
         . " -pedantic"
         . " -Wall"
         . " -Wno-long-long"
diff --git a/apps/apps.c b/apps/apps.c
index 1ba8605..d4a4d23 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1462,9 +1462,6 @@ int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
         j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
 #endif
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
-#endif
     out = BIO_new_file(buf[0], "w");
     if (out == NULL) {
         ERR_print_errors(bio_err);
@@ -1503,18 +1500,11 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
     }
 #ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
-#else
-    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
 #else
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
     j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix);
 #endif
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
-               serialfile, buf[1]);
-#endif
     if (rename(serialfile, buf[1]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
         && errno != ENOTDIR
@@ -1525,10 +1515,6 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
         perror("reason");
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
-               buf[0], serialfile);
-#endif
     if (rename(buf[0], serialfile) < 0) {
         BIO_printf(bio_err,
                    "unable to rename %s to %s\n", buf[0], serialfile);
@@ -1604,10 +1590,6 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
     if (dbattr_conf) {
         char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
         if (p) {
-#ifdef RL_DEBUG
-            BIO_printf(bio_err,
-                       "DEBUG[load_index]: unique_subject = \"%s\"\n", p);
-#endif
             retdb->attributes.unique_subject = parse_yesno(p, 1);
         }
     }
@@ -1654,22 +1636,13 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
     }
 #ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
-#else
-    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
-#endif
-#ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
-#else
-    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
 #else
+    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
     j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
 #endif
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
-#endif
     out = BIO_new_file(buf[0], "w");
     if (out == NULL) {
         perror(dbfile);
@@ -1682,9 +1655,6 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
         goto err;
 
     out = BIO_new_file(buf[1], "w");
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]);
-#endif
     if (out == NULL) {
         perror(buf[2]);
         BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
@@ -1715,31 +1685,16 @@ int rotate_index(const char *dbfile, const char *new_suffix,
     }
 #ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
-#else
-    j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
-#endif
-#ifndef OPENSSL_SYS_VMS
+    j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
     j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
-#else
-    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
-    j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
-#else
-    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
     j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
 #else
-    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
-#endif
-#ifndef OPENSSL_SYS_VMS
-    j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
-#else
+    j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
     j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix);
-#endif
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", dbfile, buf[1]);
+    j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
+    j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
+    j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
 #endif
     if (rename(dbfile, buf[1]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
@@ -1750,18 +1705,12 @@ int rotate_index(const char *dbfile, const char *new_suffix,
         perror("reason");
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0], dbfile);
-#endif
     if (rename(buf[0], dbfile) < 0) {
         BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile);
         perror("reason");
         rename(buf[1], dbfile);
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[4], buf[3]);
-#endif
     if (rename(buf[4], buf[3]) < 0 && errno != ENOENT
 #ifdef ENOTDIR
         && errno != ENOTDIR
@@ -1773,9 +1722,6 @@ int rotate_index(const char *dbfile, const char *new_suffix,
         rename(buf[1], dbfile);
         goto err;
     }
-#ifdef RL_DEBUG
-    BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[2], buf[4]);
-#endif
     if (rename(buf[2], buf[4]) < 0) {
         BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]);
         perror("reason");
diff --git a/apps/x509.c b/apps/x509.c
index 831d59d..2b9cb25 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -89,10 +89,6 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
                         char *section, ASN1_INTEGER *sno, int reqfile);
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-static int force_version = 2;
-#endif
-
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM,
@@ -108,7 +104,6 @@ typedef enum OPTION_choice {
     OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID,
     OPT_SUBJECT_HASH_OLD,
     OPT_ISSUER_HASH_OLD,
-    OPT_FORCE_VERSION,
     OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT
 } OPTION_CHOICE;
 
@@ -189,9 +184,6 @@ OPTIONS x509_options[] = {
     {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
      "Print old-style (MD5) subject hash value"},
 #endif
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    {"force_version", OPT_FORCE_VERSION, 'p'},
-#endif
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
@@ -288,11 +280,6 @@ int x509_main(int argc, char **argv)
             if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
                 goto opthelp;
             break;
-        case OPT_FORCE_VERSION:
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-            force_version = atoi(opt_arg()) - 1;
-#endif
-            break;
         case OPT_DAYS:
             days = atoi(opt_arg());
             break;
@@ -1046,11 +1033,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 
     if (conf) {
         X509V3_CTX ctx2;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        X509_set_version(x, force_version);
-#else
         X509_set_version(x, 2); /* version 3 certificate */
-#endif
         X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx2, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@@ -1123,11 +1106,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
     }
     if (conf) {
         X509V3_CTX ctx;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        X509_set_version(x, force_version);
-#else
         X509_set_version(x, 2); /* version 3 certificate */
-#endif
         X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c
index 88f5ac8..700234b 100644
--- a/crypto/bn/bn_ctx.c
+++ b/crypto/bn/bn_ctx.c
@@ -53,14 +53,6 @@
  *
  */
 
-#if !defined(BN_CTX_DEBUG) && !defined(BN_DEBUG)
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-
-#include <assert.h>
-
 #include "internal/cryptlib.h"
 #include "bn_lcl.h"
 
diff --git a/crypto/camellia/cmll_ecb.c b/crypto/camellia/cmll_ecb.c
index d8dfb2b..4edaa6d 100644
--- a/crypto/camellia/cmll_ecb.c
+++ b/crypto/camellia/cmll_ecb.c
@@ -48,23 +48,12 @@
  *
  */
 
-#ifndef CAMELLIA_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-#include <assert.h>
-
 #include <openssl/camellia.h>
 #include "cmll_locl.h"
 
 void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out,
                           const CAMELLIA_KEY *key, const int enc)
 {
-
-    assert(in && out && key);
-    assert((CAMELLIA_ENCRYPT == enc) || (CAMELLIA_DECRYPT == enc));
-
     if (CAMELLIA_ENCRYPT == enc)
         Camellia_encrypt(in, out, key);
     else
diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
index baad9c6..c78bbcf 100644
--- a/crypto/comp/c_zlib.c
+++ b/crypto/comp/c_zlib.c
@@ -224,11 +224,6 @@ static int zlib_stateful_compress_block(COMP_CTX *ctx, unsigned char *out,
         err = deflate(&state->ostream, Z_SYNC_FLUSH);
     if (err != Z_OK)
         return -1;
-# ifdef DEBUG_ZLIB
-    fprintf(stderr, "compress(%4d)->%4d %s\n",
-            ilen, olen - state->ostream.avail_out,
-            (ilen != olen - state->ostream.avail_out) ? "zlib" : "clear");
-# endif
     return olen - state->ostream.avail_out;
 }
 
@@ -250,11 +245,6 @@ static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out,
         err = inflate(&state->istream, Z_SYNC_FLUSH);
     if (err != Z_OK)
         return -1;
-# ifdef DEBUG_ZLIB
-    fprintf(stderr, "expand(%4d)->%4d %s\n",
-            ilen, olen - state->istream.avail_out,
-            (ilen != olen - state->istream.avail_out) ? "zlib" : "clear");
-# endif
     return olen - state->istream.avail_out;
 }
 
diff --git a/crypto/conf/conf_api.c b/crypto/conf/conf_api.c
index 78e932e..5365c97 100644
--- a/crypto/conf/conf_api.c
+++ b/crypto/conf/conf_api.c
@@ -57,12 +57,6 @@
 
 /* Part of the code in here was originally in conf.c, which is now removed */
 
-#ifndef CONF_DEBUG
-# undef NDEBUG                  /* avoid conflicting definitions */
-# define NDEBUG
-#endif
-
-#include <assert.h>
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/conf.h>
diff --git a/crypto/engine/tb_cipher.c b/crypto/engine/tb_cipher.c
index fcfb2ef..7df01ca 100644
--- a/crypto/engine/tb_cipher.c
+++ b/crypto/engine/tb_cipher.c
@@ -54,13 +54,6 @@
 
 #include "eng_int.h"
 
-/*
- * If this symbol is defined then ENGINE_get_cipher_engine(), the function
- * that is used by EVP to hook in cipher code and cache defaults (etc), will
- * display brief debugging summaries to stderr with the 'nid'.
- */
-/* #define ENGINE_CIPHER_DEBUG */
-
 static ENGINE_TABLE *cipher_table = NULL;
 
 void ENGINE_unregister_ciphers(ENGINE *e)
diff --git a/crypto/engine/tb_dh.c b/crypto/engine/tb_dh.c
index 8114afa..4f68975 100644
--- a/crypto/engine/tb_dh.c
+++ b/crypto/engine/tb_dh.c
@@ -54,13 +54,6 @@
 
 #include "eng_int.h"
 
-/*
- * If this symbol is defined then ENGINE_get_default_DH(), the function that
- * is used by DH to hook in implementation code and cache defaults (etc),
- * will display brief debugging summaries to stderr with the 'nid'.
- */
-/* #define ENGINE_DH_DEBUG */
-
 static ENGINE_TABLE *dh_table = NULL;
 static const int dummy_nid = 1;
 
diff --git a/crypto/engine/tb_digest.c b/crypto/engine/tb_digest.c
index de1ad9c..03096b3 100644
--- a/crypto/engine/tb_digest.c
+++ b/crypto/engine/tb_digest.c
@@ -54,13 +54,6 @@
 
 #include "eng_int.h"
 
-/*
- * If this symbol is defined then ENGINE_get_digest_engine(), the function
- * that is used by EVP to hook in digest code and cache defaults (etc), will
- * display brief debugging summaries to stderr with the 'nid'.
- */
-/* #define ENGINE_DIGEST_DEBUG */
-
 static ENGINE_TABLE *digest_table = NULL;
 
 void ENGINE_unregister_digests(ENGINE *e)
diff --git a/crypto/engine/tb_dsa.c b/crypto/engine/tb_dsa.c
index c1f57f1..adfb11f 100644
--- a/crypto/engine/tb_dsa.c
+++ b/crypto/engine/tb_dsa.c
@@ -54,13 +54,6 @@
 
 #include "eng_int.h"
 
-/*
- * If this symbol is defined then ENGINE_get_default_DSA(), the function that
- * is used by DSA to hook in implementation code and cache defaults (etc),
- * will display brief debugging summaries to stderr with the 'nid'.
- */
-/* #define ENGINE_DSA_DEBUG */
-
 static ENGINE_TABLE *dsa_table = NULL;
 static const int dummy_nid = 1;
 
diff --git a/crypto/engine/tb_eckey.c b/crypto/engine/tb_eckey.c
index dbb4139..7c05c01 100644
--- a/crypto/engine/tb_eckey.c
+++ b/crypto/engine/tb_eckey.c
@@ -54,13 +54,6 @@
 
 #include "eng_int.h"
 
-/*
- * If this symbol is defined then ENGINE_get_default_EC_KEY(), the function that
- * is used by EC_KEY to hook in implementation code and cache defaults (etc),
- * will display brief debugging summaries to stderr with the 'nid'.
- */
-/* #define ENGINE_EC_KEY_DEBUG */
-
 static ENGINE_TABLE *dh_table = NULL;
 static const int dummy_nid = 1;
 
diff --git a/crypto/engine/tb_pkmeth.c b/crypto/engine/tb_pkmeth.c
index 29e65be..947e139 100644
--- a/crypto/engine/tb_pkmeth.c
+++ b/crypto/engine/tb_pkmeth.c
@@ -55,13 +55,6 @@
 #include "eng_int.h"
 #include <openssl/evp.h>
 
-/*
- * If this symbol is defined then ENGINE_get_pkey_meth_engine(), the function
- * that is used by EVP to hook in pkey_meth code and cache defaults (etc),
- * will display brief debugging summaries to stderr with the 'nid'.
- */
-/* #define ENGINE_PKEY_METH_DEBUG */
-
 static ENGINE_TABLE *pkey_meth_table = NULL;
 
 void ENGINE_unregister_pkey_meths(ENGINE *e)
diff --git a/crypto/engine/tb_rand.c b/crypto/engine/tb_rand.c
index a522264..b67cff5 100644
--- a/crypto/engine/tb_rand.c
+++ b/crypto/engine/tb_rand.c
@@ -54,13 +54,6 @@
 
 #include "eng_int.h"
 
-/*
- * If this symbol is defined then ENGINE_get_default_RAND(), the function
- * that is used by RAND to hook in implementation code and cache defaults
- * (etc), will display brief debugging summaries to stderr with the 'nid'.
- */
-/* #define ENGINE_RAND_DEBUG */
-
 static ENGINE_TABLE *rand_table = NULL;
 static const int dummy_nid = 1;
 
diff --git a/crypto/engine/tb_rsa.c b/crypto/engine/tb_rsa.c
index 2790a82..4405d67 100644
--- a/crypto/engine/tb_rsa.c
+++ b/crypto/engine/tb_rsa.c
@@ -54,13 +54,6 @@
 
 #include "eng_int.h"
 
-/*
- * If this symbol is defined then ENGINE_get_default_RSA(), the function that
- * is used by RSA to hook in implementation code and cache defaults (etc),
- * will display brief debugging summaries to stderr with the 'nid'.
- */
-/* #define ENGINE_RSA_DEBUG */
-
 static ENGINE_TABLE *rsa_table = NULL;
 static const int dummy_nid = 1;
 
diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c
index b9ff5de..76dcf02 100644
--- a/crypto/evp/p5_crpt2.c
+++ b/crypto/evp/p5_crpt2.c
@@ -64,9 +64,9 @@
 # include "evp_locl.h"
 
 /* set this to print out info about the keygen algorithm */
-/* #define DEBUG_PKCS5V2 */
+/* #define OPENSSL_DEBUG_PKCS5V2 */
 
-# ifdef DEBUG_PKCS5V2
+# ifdef OPENSSL_DEBUG_PKCS5V2
 static void h__dump(const unsigned char *p, int len);
 # endif
 
@@ -157,7 +157,7 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
     }
     HMAC_CTX_free(hctx);
     HMAC_CTX_free(hctx_tpl);
-# ifdef DEBUG_PKCS5V2
+# ifdef OPENSSL_DEBUG_PKCS5V2
     fprintf(stderr, "Password:\n");
     h__dump(pass, passlen);
     fprintf(stderr, "Salt:\n");
@@ -315,7 +315,7 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
     return rv;
 }
 
-# ifdef DEBUG_PKCS5V2
+# ifdef OPENSSL_DEBUG_PKCS5V2
 static void h__dump(const unsigned char *p, int len)
 {
     for (; len--; p++)
diff --git a/crypto/evp/scrypt.c b/crypto/evp/scrypt.c
index 20e5dd4..f9b368b 100644
--- a/crypto/evp/scrypt.c
+++ b/crypto/evp/scrypt.c
@@ -290,16 +290,6 @@ int EVP_PBE_scrypt(const char *pass, size_t passlen,
                           keylen, key) == 0)
         goto err;
     rv = 1;
-#ifdef SCRYPT_DEBUG
-    fprintf(stderr, "scrypt parameters:\n");
-    fprintf(stderr, "N=%lu, p=%lu, r=%lu\n", N, p, r);
-    fprintf(stderr, "Salt:\n");
-    BIO_dump_fp(stderr, (char *)salt, saltlen);
-    fprintf(stderr, "Password:\n");
-    BIO_dump_fp(stderr, (char *)pass, passlen);
-    fprintf(stderr, "Key:\n");
-    BIO_dump_fp(stderr, (char *)key, keylen);
-#endif
  err:
     OPENSSL_clear_free(B, allocsize);
     return rv;
diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c
index c13caea..bf2210c 100644
--- a/crypto/modes/cbc128.c
+++ b/crypto/modes/cbc128.c
@@ -52,13 +52,6 @@
 #include "modes_lcl.h"
 #include <string.h>
 
-#ifndef MODES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-#include <assert.h>
-
 #if !defined(STRICT_ALIGNMENT) && !defined(PEDANTIC)
 # define STRICT_ALIGNMENT 0
 #endif
@@ -70,8 +63,6 @@ void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out,
     size_t n;
     const unsigned char *iv = ivec;
 
-    assert(in && out && key && ivec);
-
 #if !defined(OPENSSL_SMALL_FOOTPRINT)
     if (STRICT_ALIGNMENT &&
         ((size_t)in | (size_t)out | (size_t)ivec) % sizeof(size_t) != 0) {
@@ -123,8 +114,6 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
         unsigned char c[16];
     } tmp;
 
-    assert(in && out && key && ivec);
-
 #if !defined(OPENSSL_SMALL_FOOTPRINT)
     if (in != out) {
         const unsigned char *iv = ivec;
diff --git a/crypto/modes/ccm128.c b/crypto/modes/ccm128.c
index c1ded0f..ef99eb1 100644
--- a/crypto/modes/ccm128.c
+++ b/crypto/modes/ccm128.c
@@ -51,13 +51,6 @@
 #include "modes_lcl.h"
 #include <string.h>
 
-#ifndef MODES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-#include <assert.h>
-
 /*
  * First you setup M and L parameters and pass the key schedule. This is
  * called once per session setup...
diff --git a/crypto/modes/cfb128.c b/crypto/modes/cfb128.c
index c4395bc..8d3af57 100644
--- a/crypto/modes/cfb128.c
+++ b/crypto/modes/cfb128.c
@@ -52,13 +52,6 @@
 #include "modes_lcl.h"
 #include <string.h>
 
-#ifndef MODES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-#include <assert.h>
-
 /*
  * The input and output encrypted as though 128bit cfb mode is being used.
  * The extra state information to record how much of the 128bit block we have
@@ -72,8 +65,6 @@ void CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out,
     unsigned int n;
     size_t l = 0;
 
-    assert(in && out && key && ivec && num);
-
     n = *num;
 
     if (enc) {
@@ -228,9 +219,6 @@ void CRYPTO_cfb128_1_encrypt(const unsigned char *in, unsigned char *out,
     size_t n;
     unsigned char c[1], d[1];
 
-    assert(in && out && key && ivec && num);
-    assert(*num == 0);
-
     for (n = 0; n < bits; ++n) {
         c[0] = (in[n / 8] & (1 << (7 - n % 8))) ? 0x80 : 0;
         cfbr_encrypt_block(c, d, 1, key, ivec, enc, block);
@@ -246,9 +234,6 @@ void CRYPTO_cfb128_8_encrypt(const unsigned char *in, unsigned char *out,
 {
     size_t n;
 
-    assert(in && out && key && ivec && num);
-    assert(*num == 0);
-
     for (n = 0; n < length; ++n)
         cfbr_encrypt_block(&in[n], &out[n], 8, key, ivec, enc, block);
 }
diff --git a/crypto/modes/ctr128.c b/crypto/modes/ctr128.c
index 4397494..5bdbbcf 100644
--- a/crypto/modes/ctr128.c
+++ b/crypto/modes/ctr128.c
@@ -52,13 +52,6 @@
 #include "modes_lcl.h"
 #include <string.h>
 
-#ifndef MODES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-#include <assert.h>
-
 /*
  * NOTE: the IV/counter CTR mode is big-endian.  The code itself is
  * endian-neutral.
@@ -125,9 +118,6 @@ void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out,
     unsigned int n;
     size_t l = 0;
 
-    assert(in && out && key && ecount_buf && num);
-    assert(*num < 16);
-
     n = *num;
 
 #if !defined(OPENSSL_SMALL_FOOTPRINT)
@@ -203,9 +193,6 @@ void CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out,
 {
     unsigned int n, ctr32;
 
-    assert(in && out && key && ecount_buf && num);
-    assert(*num < 16);
-
     n = *num;
 
     while (n && len) {
diff --git a/crypto/modes/cts128.c b/crypto/modes/cts128.c
index 137be59..ed233d5 100644
--- a/crypto/modes/cts128.c
+++ b/crypto/modes/cts128.c
@@ -9,13 +9,6 @@
 #include "modes_lcl.h"
 #include <string.h>
 
-#ifndef MODES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-#include <assert.h>
-
 /*
  * Trouble with Ciphertext Stealing, CTS, mode is that there is no
  * common official specification, but couple of cipher/application
@@ -36,8 +29,6 @@ size_t CRYPTO_cts128_encrypt_block(const unsigned char *in,
 {
     size_t residue, n;
 
-    assert(in && out && key && ivec);
-
     if (len <= 16)
         return 0;
 
@@ -68,8 +59,6 @@ size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in,
 {
     size_t residue, n;
 
-    assert(in && out && key && ivec);
-
     if (len < 16)
         return 0;
 
@@ -103,8 +92,6 @@ size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
         unsigned char c[16];
     } tmp;
 
-    assert(in && out && key && ivec);
-
     if (len <= 16)
         return 0;
 
@@ -141,8 +128,6 @@ size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
         unsigned char c[16];
     } tmp;
 
-    assert(in && out && key && ivec);
-
     if (len < 16)
         return 0;
 
@@ -179,8 +164,6 @@ size_t CRYPTO_cts128_decrypt_block(const unsigned char *in,
         unsigned char c[32];
     } tmp;
 
-    assert(in && out && key && ivec);
-
     if (len <= 16)
         return 0;
 
@@ -224,8 +207,6 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in,
         unsigned char c[32];
     } tmp;
 
-    assert(in && out && key && ivec);
-
     if (len < 16)
         return 0;
 
@@ -272,8 +253,6 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
         unsigned char c[32];
     } tmp;
 
-    assert(in && out && key && ivec);
-
     if (len <= 16)
         return 0;
 
@@ -314,8 +293,6 @@ size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
         unsigned char c[32];
     } tmp;
 
-    assert(in && out && key && ivec);
-
     if (len < 16)
         return 0;
 
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 0615224..8a8b110 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -51,13 +51,6 @@
 #include "modes_lcl.h"
 #include <string.h>
 
-#ifndef MODES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-#include <assert.h>
-
 #if defined(BSWAP4) && defined(STRICT_ALIGNMENT)
 /* redefine, because alignment is ensured */
 # undef  GETU32
diff --git a/crypto/modes/ofb128.c b/crypto/modes/ofb128.c
index 4dbaccd..0870f08 100644
--- a/crypto/modes/ofb128.c
+++ b/crypto/modes/ofb128.c
@@ -52,13 +52,6 @@
 #include "modes_lcl.h"
 #include <string.h>
 
-#ifndef MODES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-#include <assert.h>
-
 /*
  * The input and output encrypted as though 128bit ofb mode is being used.
  * The extra state information to record how much of the 128bit block we have
@@ -71,8 +64,6 @@ void CRYPTO_ofb128_encrypt(const unsigned char *in, unsigned char *out,
     unsigned int n;
     size_t l = 0;
 
-    assert(in && out && key && ivec && num);
-
     n = *num;
 
 #if !defined(OPENSSL_SMALL_FOOTPRINT)
diff --git a/crypto/modes/xts128.c b/crypto/modes/xts128.c
index 8f2af58..55fa654 100644
--- a/crypto/modes/xts128.c
+++ b/crypto/modes/xts128.c
@@ -51,13 +51,6 @@
 #include "modes_lcl.h"
 #include <string.h>
 
-#ifndef MODES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-#include <assert.h>
-
 int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx,
                           const unsigned char iv[16],
                           const unsigned char *inp, unsigned char *out,
diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
index 953d938..2a89a48 100644
--- a/crypto/pkcs12/p12_decr.c
+++ b/crypto/pkcs12/p12_decr.c
@@ -62,7 +62,7 @@
 
 /* Define this to dump decrypted output to files called DERnnn */
 /*
- * #define DEBUG_DECRYPT
+ * #define OPENSSL_DEBUG_DECRYPT
  */
 
 /*
@@ -144,7 +144,7 @@ void *PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
         return NULL;
     }
     p = out;
-#ifdef DEBUG_DECRYPT
+#ifdef OPENSSL_DEBUG_DECRYPT
     {
         FILE *op;
 
diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c
index 4256452..6a9a325 100644
--- a/crypto/pkcs12/p12_key.c
+++ b/crypto/pkcs12/p12_key.c
@@ -63,9 +63,9 @@
 
 /* Uncomment out this line to get debugging info about key generation */
 /*
- * #define DEBUG_KEYGEN
+ * #define OPENSSL_DEBUG_KEYGEN
  */
-#ifdef DEBUG_KEYGEN
+#ifdef OPENSSL_DEBUG_KEYGEN
 # include <openssl/bio.h>
 extern BIO *bio_err;
 void h__dump(unsigned char *p, int len);
@@ -109,7 +109,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
     int ret = 0;
     BIGNUM *Ij = NULL, *Bpl1 = NULL; /* These hold Ij and B + 1 */
     EVP_MD_CTX *ctx = NULL;
-#ifdef  DEBUG_KEYGEN
+#ifdef  OPENSSL_DEBUG_KEYGEN
     unsigned char *tmpout = out;
     int tmpn = n;
 #endif
@@ -118,7 +118,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
     if (ctx == NULL)
         goto err;
 
-#ifdef  DEBUG_KEYGEN
+#ifdef  OPENSSL_DEBUG_KEYGEN
     fprintf(stderr, "KEYGEN DEBUG\n");
     fprintf(stderr, "ID %d, ITER %d\n", id, iter);
     fprintf(stderr, "Password (length %d):\n", passlen);
@@ -166,7 +166,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
         }
         memcpy(out, Ai, min(n, u));
         if (u >= n) {
-#ifdef DEBUG_KEYGEN
+#ifdef OPENSSL_DEBUG_KEYGEN
             fprintf(stderr, "Output KEY (length %d)\n", tmpn);
             h__dump(tmpout, tmpn);
 #endif
@@ -221,7 +221,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
     return ret;
 }
 
-#ifdef DEBUG_KEYGEN
+#ifdef OPENSSL_DEBUG_KEYGEN
 void h__dump(unsigned char *p, int len)
 {
     for (; len--; p++)
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index c7be278..fa36918 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -108,13 +108,6 @@
  *
  */
 
-#ifdef MD_RAND_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
-
-#include <assert.h>
 #include <stdio.h>
 #include <string.h>
 
@@ -350,9 +343,6 @@ static int rand_add(const void *buf, int num, double add)
     if (!do_not_lock)
         CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
-#if !defined(OPENSSL_THREADS) && !defined(OPENSSL_SYS_WIN32)
-    assert(md_c[1] == md_count[1]);
-#endif
     rv = 1;
  err:
     EVP_MD_CTX_free(m);
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index 7c9c528..61f91b9 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -235,11 +235,6 @@ int int_rsa_verify(int dtype, const unsigned char *m,
 
         sigtype = OBJ_obj2nid(sig->algor->algorithm);
 
-#ifdef RSA_DEBUG
-        /* put a backward compatibility flag in EAY */
-        fprintf(stderr, "in(%s) expect(%s)\n", OBJ_nid2ln(sigtype),
-                OBJ_nid2ln(dtype));
-#endif
         if (sigtype != dtype) {
             RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_ALGORITHM_MISMATCH);
             goto err;
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
index b3c9df9..4f83f59 100644
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -174,13 +174,6 @@ Set by default.
 enables strict mode protocol handling. Equivalent to setting
 B<SSL_CERT_FLAG_TLS_STRICT>.
 
-=item B<-debug_broken_protocol>
-
-disables various checks and permits several kinds of broken protocol behaviour
-for testing purposes: it should B<NEVER> be used in anything other than a test
-environment. Only supported if OpenSSL is configured with
-B<-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL>.
-
 =back
 
 =head1 SUPPORTED CONFIGURATION FILE COMMANDS
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index d7e821d..5eb152e 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -394,7 +394,7 @@ int ssl3_get_record(SSL *s)
         SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
         goto f_err;
     }
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     printf("dec %d\n", rr->length);
     {
         unsigned int z;
@@ -973,7 +973,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
 
     EVP_MD_CTX_free(hmac);
 
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     fprintf(stderr, "seq=");
     {
         int z;
@@ -997,7 +997,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
                 break;
         }
     }
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     {
         unsigned int z;
         for (z = 0; z < md_size; z++)
@@ -1267,7 +1267,7 @@ int dtls1_process_record(SSL *s)
         RECORD_LAYER_reset_packet_length(&s->rlayer);
         goto err;
     }
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     printf("dec %d\n", rr->length);
     {
         unsigned int z;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 8f6eda2..967840f 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1627,23 +1627,6 @@ static const SSL_CIPHER ssl3_ciphers[] = {
      },
 #endif
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    /* Cipher FF */
-    {
-     1,
-     "SCSV",
-     SSL3_CK_SCSV,
-     0,
-     0,
-     0,
-     0,
-     0,
-     0,
-     0,
-     0,
-     0},
-#endif
-
 #ifndef OPENSSL_NO_EC
 
     /* Cipher C006 */
@@ -3743,10 +3726,6 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
     id = 0x03000000 | ((uint32_t)p[0] << 8L) | (uint32_t)p[1];
     c.id = id;
     cp = OBJ_bsearch_ssl_cipher_id(&c, ssl3_ciphers, SSL3_NUM_CIPHERS);
-#ifdef DEBUG_PRINT_UNKNOWN_CIPHERSUITES
-    if (cp == NULL)
-        fprintf(stderr, "Unknown cipher ID %x\n", (p[0] << 8) | p[1]);
-#endif
     return cp;
 }
 
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 9849185..f78984c 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -941,10 +941,6 @@ static void ssl_cipher_apply_rule(uint32_t cipher_id, uint32_t alg_mkey,
                     cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl,
                     cp->algo_strength);
 #endif
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-            if (cipher_id && cipher_id != cp->id)
-                continue;
-#endif
             if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
                 continue;
             if (alg_auth && !(alg_auth & cp->algorithm_auth))
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 809ce7a..157bf8b 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -588,9 +588,6 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
     SSL_CONF_CMD_SWITCH("no_resumption_on_reneg", SSL_CONF_FLAG_SERVER),
     SSL_CONF_CMD_SWITCH("no_legacy_server_connect", SSL_CONF_FLAG_SERVER),
     SSL_CONF_CMD_SWITCH("strict", 0),
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    SSL_CONF_CMD_SWITCH("debug_broken_protocol", 0),
-#endif
     SSL_CONF_CMD_STRING(SignatureAlgorithms, "sigalgs", 0),
     SSL_CONF_CMD_STRING(ClientSignatureAlgorithms, "client_sigalgs", 0),
     SSL_CONF_CMD_STRING(Curves, "curves", 0),
@@ -652,9 +649,6 @@ static const ssl_switch_tbl ssl_cmd_switches[] = {
     /* no_legacy_server_connect */
     {SSL_OP_LEGACY_SERVER_CONNECT, SSL_TFLAG_INV},
     {SSL_CERT_FLAG_TLS_STRICT, SSL_TFLAG_CERT}, /* strict */
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    {SSL_CERT_FLAG_BROKEN_PROTOCOL, SSL_TFLAG_CERT} /* debug_broken_protocol */
-#endif
 };
 
 static int ssl_conf_cmd_skip_prefix(SSL_CONF_CTX *cctx, const char **pcmd)
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index c10ab86..fecd392 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2648,15 +2648,6 @@ CERT_PKEY *ssl_get_server_send_pkey(SSL *s)
         return NULL;
     ssl_set_masks(s, s->s3->tmp.new_cipher);
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    /*
-     * Broken protocol test: return last used certificate: which may mismatch
-     * the one expected.
-     */
-    if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-        return c->key;
-#endif
-
     i = ssl_get_server_cert_index(s);
 
     /* This may or may not be an error. */
@@ -2677,16 +2668,6 @@ EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher,
     alg_a = cipher->algorithm_auth;
     c = s->cert;
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    /*
-     * Broken protocol test: use last key: which may mismatch the one
-     * expected.
-     */
-    if (c->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-        idx = c->key - c->pkeys;
-    else
-#endif
-
     if ((alg_a & SSL_aDSS) &&
             (c->pkeys[SSL_PKEY_DSA_SIGN].privatekey != NULL))
         idx = SSL_PKEY_DSA_SIGN;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4946cfa..30c868f 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1593,35 +1593,6 @@ struct tls_sigalgs_st {
     unsigned char rhash;
 };
 
-/*
- * #define MAC_DEBUG
- */
-
-/*
- * #define ERR_DEBUG
- */
-/*
- * #define ABORT_DEBUG
- */
-/*
- * #define PKT_DEBUG 1
- */
-/*
- * #define DES_DEBUG
- */
-/*
- * #define DES_OFB_DEBUG
- */
-/*
- * #define SSL_DEBUG
- */
-/*
- * #define RSA_DEBUG
- */
-/*
- * #define IDEA_DEBUG
- */
-
 # define FP_ICC  (int (*)(const void *,const void *))
 
 /*
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 3026187..31b18ca 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2870,14 +2870,6 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
         /* Skip disabled ciphers */
         if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
             continue;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        if (c->id == SSL3_CK_SCSV) {
-            if (!empty_reneg_info_scsv)
-                continue;
-            else
-                empty_reneg_info_scsv = 0;
-        }
-#endif
         j = s->method->put_cipher_by_char(c, p);
         p += j;
     }
@@ -2892,10 +2884,6 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
             };
             j = s->method->put_cipher_by_char(&scsv, p);
             p += j;
-#ifdef OPENSSL_RI_DEBUG
-            fprintf(stderr,
-                    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
-#endif
         }
         if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
             static SSL_CIPHER scsv = {
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index e4c018a..6b37223 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -3222,9 +3222,6 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,
                 goto err;
             }
             s->s3->send_connection_binding = 1;
-#ifdef OPENSSL_RI_DEBUG
-            fprintf(stderr, "SCSV received by server\n");
-#endif
             continue;
         }
 
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 804803a..995ae40 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -364,7 +364,7 @@ int tls1_change_cipher_state(SSL *s, int which)
         }
         EVP_PKEY_free(mac_key);
     }
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     printf("which = %04X\nmac key=", which);
     {
         int z;
@@ -426,7 +426,7 @@ int tls1_change_cipher_state(SSL *s, int which)
     }
 #endif
 
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     printf("which = %04X\nkey=", which);
     {
         int z;
@@ -495,7 +495,7 @@ int tls1_setup_key_block(SSL *s)
     s->s3->tmp.key_block_length = num;
     s->s3->tmp.key_block = p;
 
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     printf("client random\n");
     {
         int z;
@@ -520,7 +520,7 @@ int tls1_setup_key_block(SSL *s)
 #endif
     if (!tls1_generate_key_block(s, p, num))
         goto err;
-#ifdef TLS_DEBUG
+#ifdef SSL_DEBUG
     printf("\nkey block\n");
     {
         int z;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 586048a..7a2047d 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -788,11 +788,6 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)
  */
 int tls1_check_ec_tmp_key(SSL *s, unsigned long cid)
 {
-#  ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    /* Allow any curve: not just those peer supports */
-    if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL)
-        return 1;
-#  endif
     /*
      * If Suite B, AES128 MUST use P-256 and AES256 MUST use P-384, no other
      * curves permitted.
@@ -3451,30 +3446,6 @@ int tls1_process_sigalgs(SSL *s)
     if (!tls1_set_shared_sigalgs(s))
         return 0;
 
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-    if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
-        /*
-         * Use first set signature preference to force message digest,
-         * ignoring any peer preferences.
-         */
-        const unsigned char *sigs = NULL;
-        if (s->server)
-            sigs = c->conf_sigalgs;
-        else
-            sigs = c->client_sigalgs;
-        if (sigs) {
-            idx = tls12_get_pkey_idx(sigs[1]);
-            md = tls12_get_hash(sigs[0]);
-            pmd[idx] = md;
-            pvalid[idx] = CERT_PKEY_EXPLICIT_SIGN;
-            if (idx == SSL_PKEY_RSA_SIGN) {
-                pvalid[SSL_PKEY_RSA_ENC] = CERT_PKEY_EXPLICIT_SIGN;
-                pmd[SSL_PKEY_RSA_ENC] = md;
-            }
-        }
-    }
-#endif
-
     for (i = 0, sigptr = c->shared_sigalgs;
          i < c->shared_sigalgslen; i++, sigptr++) {
         idx = tls12_get_pkey_idx(sigptr->rsign);
@@ -3748,15 +3719,6 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
         /* If no cert or key, forget it */
         if (!x || !pk)
             goto end;
-#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-        /* Allow any certificate to pass test */
-        if (s->cert->cert_flags & SSL_CERT_FLAG_BROKEN_PROTOCOL) {
-            rv = CERT_PKEY_STRICT_FLAGS | CERT_PKEY_EXPLICIT_SIGN |
-                CERT_PKEY_VALID | CERT_PKEY_SIGN;
-            *pvalid = rv;
-            return rv;
-        }
-#endif
     } else {
         if (!x || !pk)
             return 0;
diff --git a/ssl/t1_reneg.c b/ssl/t1_reneg.c
index 0c090a2..5c0d825 100644
--- a/ssl/t1_reneg.c
+++ b/ssl/t1_reneg.c
@@ -128,10 +128,6 @@ int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
 
         memcpy(p, s->s3->previous_client_finished,
                s->s3->previous_client_finished_len);
-#ifdef OPENSSL_RI_DEBUG
-        fprintf(stderr, "%s RI extension sent by client\n",
-                s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
-#endif
     }
 
     *len = s->s3->previous_client_finished_len + 1;
@@ -171,10 +167,6 @@ int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al)
         *al = SSL_AD_HANDSHAKE_FAILURE;
         return 0;
     }
-#ifdef OPENSSL_RI_DEBUG
-    fprintf(stderr, "%s RI extension received by server\n",
-            ilen ? "Non-empty" : "Empty");
-#endif
 
     s->s3->send_connection_binding = 1;
 
@@ -204,10 +196,6 @@ int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
 
         memcpy(p, s->s3->previous_server_finished,
                s->s3->previous_server_finished_len);
-#ifdef OPENSSL_RI_DEBUG
-        fprintf(stderr, "%s RI extension sent by server\n",
-                s->s3->previous_client_finished_len ? "Non-empty" : "Empty");
-#endif
     }
 
     *len = s->s3->previous_client_finished_len
@@ -271,10 +259,6 @@ int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al)
         *al = SSL_AD_ILLEGAL_PARAMETER;
         return 0;
     }
-#ifdef OPENSSL_RI_DEBUG
-    fprintf(stderr, "%s RI extension received by client\n",
-            ilen ? "Non-empty" : "Empty");
-#endif
     s->s3->send_connection_binding = 1;
 
     return 1;
diff --git a/util/mkdef.pl b/util/mkdef.pl
index 4ada9ad..a2fedc5 100755
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -174,7 +174,6 @@ foreach (@ARGV, split(/ /, $config{options}))
 	$do_ctest=1 if $_ eq "ctest";
 	$do_ctestall=1 if $_ eq "ctestall";
 	$do_checkexist=1 if $_ eq "exist";
-	#$safe_stack_def=1 if $_ eq "-DDEBUG_SAFESTACK";
 	if (/^--api=(\d+)\.(\d+)\.(\d+)$/) {
 		my $apiv = sprintf "%x%02x%02x", $1, $2, $3;
 		foreach (keys %disabled_algorithms) {


More information about the openssl-commits mailing list