Remove SRP and Kerberos support from libssl. These are complex protocols
authortedu <tedu@openbsd.org>
Mon, 5 May 2014 15:03:22 +0000 (15:03 +0000)
committertedu <tedu@openbsd.org>
Mon, 5 May 2014 15:03:22 +0000 (15:03 +0000)
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.

30 files changed:
lib/libssl/d1_clnt.c
lib/libssl/d1_srvr.c
lib/libssl/s3_clnt.c
lib/libssl/s3_lib.c
lib/libssl/s3_srvr.c
lib/libssl/src/ssl/d1_clnt.c
lib/libssl/src/ssl/d1_srvr.c
lib/libssl/src/ssl/kssl.c [deleted file]
lib/libssl/src/ssl/kssl.h
lib/libssl/src/ssl/kssl_lcl.h
lib/libssl/src/ssl/s3_clnt.c
lib/libssl/src/ssl/s3_lib.c
lib/libssl/src/ssl/s3_srvr.c
lib/libssl/src/ssl/ssl.h
lib/libssl/src/ssl/ssl_asn1.c
lib/libssl/src/ssl/ssl_ciph.c
lib/libssl/src/ssl/ssl_lib.c
lib/libssl/src/ssl/ssl_sess.c
lib/libssl/src/ssl/ssl_txt.c
lib/libssl/src/ssl/ssltest.c
lib/libssl/src/ssl/t1_lib.c
lib/libssl/src/ssl/tls_srp.c [deleted file]
lib/libssl/ssl.h
lib/libssl/ssl/Makefile
lib/libssl/ssl_asn1.c
lib/libssl/ssl_ciph.c
lib/libssl/ssl_lib.c
lib/libssl/ssl_sess.c
lib/libssl/ssl_txt.c
lib/libssl/t1_lib.c

index 38118b1..8967879 100644 (file)
 
 #include <stdio.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_KRB5
-#include "kssl_lcl.h"
-#endif
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
@@ -926,9 +923,6 @@ dtls1_send_client_key_exchange(SSL *s)
        unsigned long alg_k;
        unsigned char *q;
        EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_KRB5
-       KSSL_ERR kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *clnt_ecdh = NULL;
        const EC_POINT *srvr_ecpoint = NULL;
@@ -992,134 +986,6 @@ dtls1_send_client_key_exchange(SSL *s)
                        tmp_buf, sizeof tmp_buf);
                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
                }
-#ifndef OPENSSL_NO_KRB5
-               else if (alg_k & SSL_kKRB5) {
-                       krb5_error_code krb5rc;
-                       KSSL_CTX        *kssl_ctx = s->kssl_ctx;
-                       /*  krb5_data   krb5_ap_req;  */
-                       krb5_data       *enc_ticket;
-                       krb5_data       authenticator, *authp = NULL;
-                       EVP_CIPHER_CTX  ciph_ctx;
-                       const EVP_CIPHER *enc = NULL;
-                       unsigned char   iv[EVP_MAX_IV_LENGTH];
-                       unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-                       unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH
-                       + EVP_MAX_IV_LENGTH];
-                       int             padl, outl = sizeof(epms);
-
-                       EVP_CIPHER_CTX_init(&ciph_ctx);
-
-#ifdef KSSL_DEBUG
-                       printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                       alg_k, SSL_kKRB5);
-#endif /* KSSL_DEBUG */
-
-                       authp = NULL;
-#ifdef KRB5SENDAUTH
-                       if (KRB5SENDAUTH)
-                               authp = &authenticator;
-#endif /* KRB5SENDAUTH */
-
-                       krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
-                       &kssl_err);
-                       enc = kssl_map_enc(kssl_ctx->enctype);
-                       if (enc == NULL)
-                               goto err;
-#ifdef KSSL_DEBUG
-                       {
-                               printf("kssl_cget_tkt rtn %d\n", krb5rc);
-                               if (krb5rc && kssl_err.text)
-                                       printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
-                       }
-#endif /* KSSL_DEBUG */
-
-                       if (krb5rc) {
-                               ssl3_send_alert(s, SSL3_AL_FATAL,
-                               SSL_AD_HANDSHAKE_FAILURE);
-                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
-                               kssl_err.reason);
-                               goto err;
-                       }
-
-                       /*  20010406 VRS - Earlier versions used KRB5 AP_REQ
-                       **  in place of RFC 2712 KerberosWrapper, as in:
-                       **
-                        **  Send ticket (copy to *p, set n = length)
-                        **  n = krb5_ap_req.length;
-                        **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-                        **  if (krb5_ap_req.data)  
-                        **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-                        **
-                       **  Now using real RFC 2712 KerberosWrapper
-                       **  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
-                       **  Note: 2712 "opaque" types are here replaced
-                       **  with a 2-byte length followed by the value.
-                       **  Example:
-                       **  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-                       **  Where "xx xx" = length bytes.  Shown here with
-                       **  optional authenticator omitted.
-                       */
-
-                       /*  KerberosWrapper.Ticket              */
-                       s2n(enc_ticket->length, p);
-                       memcpy(p, enc_ticket->data, enc_ticket->length);
-                       p += enc_ticket->length;
-                       n = enc_ticket->length + 2;
-
-                       /*  KerberosWrapper.Authenticator       */
-                       if (authp && authp->length) {
-                               s2n(authp->length, p);
-                               memcpy(p, authp->data, authp->length);
-                               p += authp->length;
-                               n += authp->length + 2;
-
-                               free(authp->data);
-                               authp->data = NULL;
-                               authp->length = 0;
-                       } else {
-                               s2n(0, p);/*  null authenticator length */
-                               n += 2;
-                       }
-
-                       if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0)
-                               goto err;
-
-                       /*  20010420 VRS.  Tried it this way; failed.
-                       **      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-                       **      EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-                       **                              kssl_ctx->length);
-                       **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-                       */
-
-                       memset(iv, 0, sizeof iv);
-                       /* per RFC 1510 */
-                       EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
-                           kssl_ctx->key, iv);
-                       EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
-                           sizeof tmp_buf);
-                       EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
-                       outl += padl;
-                       if (outl > (int)sizeof epms) {
-                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-                               goto err;
-                       }
-                       EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
-                       /*  KerberosWrapper.EncryptedPreMasterSecret    */
-                       s2n(outl, p);
-                       memcpy(p, epms, outl);
-                       p += outl;
-                       n += outl + 2;
-
-                       s->session->master_key_length =
-                           s->method->ssl3_enc->generate_master_secret(s,
-                               s->session->master_key,
-                               tmp_buf, sizeof tmp_buf);
-
-                       OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
-                       OPENSSL_cleanse(epms, outl);
-               }
-#endif
 #ifndef OPENSSL_NO_DH
                else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
                        DH *dh_srvr, *dh_clnt;
index 9995278..6183815 100644 (file)
@@ -429,9 +429,6 @@ dtls1_accept(SSL *s)
                        /* clear this, it may get reset by
                         * send_server_key_exchange */
                        if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
-                       && !(alg_k & SSL_kKRB5)
-#endif /* OPENSSL_NO_KRB5 */
                        )
                                /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
                                 * even when forbidden by protocol specs
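Review bot: The deletion leaves the closing parenthesis of the `if` condition on a line of its own at the end of this hunk, so the new side reads `if ((s->options & SSL_OP_EPHEMERAL_RSA)` followed by a bare `)`; with the Kerberos clause gone the condition fits on one line, `if (s->options & SSL_OP_EPHEMERAL_RSA)`. The same leftover appears in the ssl3_get_server_certificate hunk of s3_clnt.c, where `if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)` is now followed by a lone `) {` and could be folded into `if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) {`. Both are cosmetic, but they read as if a clause is missing and invite a later reader to look for it. The body of dtls1_accept continues outside the hunk.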
index eb55fc9..68817cd 100644 (file)
@@ -369,17 +369,6 @@ ssl3_connect(SSL *s)
                        ret = ssl3_get_server_done(s);
                        if (ret <= 0)
                                goto end;
-#ifndef OPENSSL_NO_SRP
-                       if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
-                               if ((ret = SRP_Calc_A_param(s)) <= 0) {
-                                       SSLerr(SSL_F_SSL3_CONNECT,
-                                           SSL_R_SRP_A_CALC);
-                                       ssl3_send_alert(s, SSL3_AL_FATAL,
-                                           SSL_AD_INTERNAL_ERROR);
-                                       goto end;
-                               }
-                       }
-#endif
                        if (s->s3->tmp.cert_req)
                                s->state = SSL3_ST_CW_CERT_A;
                        else
@@ -1137,10 +1126,6 @@ ssl3_get_server_certificate(SSL *s)
 
        i = ssl_verify_cert_chain(s, sk);
        if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
-#ifndef OPENSSL_NO_KRB5
-           && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
-           (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
-#endif /* OPENSSL_NO_KRB5 */
            ) {
                al = ssl_verify_alarm_type(s->verify_result);
                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1361,81 +1346,6 @@ ssl3_get_key_exchange(SSL *s)
                n -= param_len;
        } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-       if (alg_k & SSL_kSRP) {
-               n2s(p, i);
-               param_len = i + 2;
-               if (param_len > n) {
-                       al = SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           SSL_R_BAD_SRP_N_LENGTH);
-                       goto f_err;
-               }
-               if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           ERR_R_BN_LIB);
-                       goto err;
-               }
-               p += i;
-
-               n2s(p, i);
-               param_len += i + 2;
-               if (param_len > n) {
-                       al = SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           SSL_R_BAD_SRP_G_LENGTH);
-                       goto f_err;
-               }
-               if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           ERR_R_BN_LIB);
-                       goto err;
-               }
-               p += i;
-
-               i = (unsigned int)(p[0]);
-               p++;
-               param_len += i + 1;
-               if (param_len > n) {
-                       al = SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           SSL_R_BAD_SRP_S_LENGTH);
-                       goto f_err;
-               }
-               if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           ERR_R_BN_LIB);
-                       goto err;
-               }
-               p += i;
-
-               n2s(p, i);
-               param_len += i + 2;
-               if (param_len > n) {
-                       al = SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           SSL_R_BAD_SRP_B_LENGTH);
-                       goto f_err;
-               }
-               if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           ERR_R_BN_LIB);
-                       goto err;
-               }
-               p += i;
-               n -= param_len;
-
-               /* We must check if there is a certificate */
-               if (alg_a & SSL_aRSA)
-                       pkey = X509_get_pubkey(
-                           s->session->sess_cert->peer_pkeys[
-                           SSL_PKEY_RSA_ENC].x509);
-               else if (alg_a & SSL_aDSS)
-                       pkey = X509_get_pubkey(
-                           s->session->sess_cert->peer_pkeys[
-                           SSL_PKEY_DSA_SIGN].x509);
-       } else
-#endif /* !OPENSSL_NO_SRP */
        if (alg_k & SSL_kRSA) {
                if ((rsa = RSA_new()) == NULL) {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
@@ -2156,9 +2066,6 @@ ssl3_send_client_key_exchange(SSL *s)
        unsigned long    alg_k;
        unsigned char   *q;
        EVP_PKEY        *pkey = NULL;
-#ifndef OPENSSL_NO_KRB5
-       KSSL_ERR         kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_ECDH
        EC_KEY          *clnt_ecdh = NULL;
        const EC_POINT  *srvr_ecpoint = NULL;
@@ -2226,140 +2133,6 @@ ssl3_send_client_key_exchange(SSL *s)
                            s, s->session->master_key, tmp_buf, sizeof tmp_buf);
                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
                }
-#ifndef OPENSSL_NO_KRB5
-               else if (alg_k & SSL_kKRB5) {
-                       krb5_error_code krb5rc;
-                       KSSL_CTX        *kssl_ctx = s->kssl_ctx;
-                       /*  krb5_data   krb5_ap_req;  */
-                       krb5_data       *enc_ticket;
-                       krb5_data       authenticator, *authp = NULL;
-                       EVP_CIPHER_CTX  ciph_ctx;
-                       const EVP_CIPHER *enc = NULL;
-                       unsigned char   iv[EVP_MAX_IV_LENGTH];
-                       unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-                       unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH
-                                           + EVP_MAX_IV_LENGTH];
-                       int             padl, outl = sizeof(epms);
-
-                       EVP_CIPHER_CTX_init(&ciph_ctx);
-
-#ifdef KSSL_DEBUG
-                       printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                           alg_k, SSL_kKRB5);
-#endif /* KSSL_DEBUG */
-
-                       authp = NULL;
-#ifdef KRB5SENDAUTH
-                       if (KRB5SENDAUTH)
-                               authp = &authenticator;
-#endif /* KRB5SENDAUTH */
-
-                       krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket,
-                           authp, &kssl_err);
-                       enc = kssl_map_enc(kssl_ctx->enctype);
-                       if (enc == NULL)
-                               goto err;
-#ifdef KSSL_DEBUG
-                       {
-                               printf("kssl_cget_tkt rtn %d\n", krb5rc);
-                               if (krb5rc && kssl_err.text)
-                                       printf("kssl_cget_tkt kssl_err=%s\n",
-                                           kssl_err.text);
-                       }
-#endif /* KSSL_DEBUG */
-
-                       if (krb5rc) {
-                               ssl3_send_alert(s, SSL3_AL_FATAL,
-                                   SSL_AD_HANDSHAKE_FAILURE);
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                   kssl_err.reason);
-                               goto err;
-                       }
-
-                       /*
-                        * 20010406 VRS - Earlier versions used KRB5 AP_REQ
-                        * in place of RFC 2712 KerberosWrapper, as in:
-                        *
-                        * Send ticket (copy to *p, set n = length)
-                        * n = krb5_ap_req.length;
-                        * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-                        * if (krb5_ap_req.data)
-                        *   kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-                        *
-                        * Now using real RFC 2712 KerberosWrapper
-                        * (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
-                        * Note: 2712 "opaque" types are here replaced
-                        * with a 2-byte length followed by the value.
-                        * Example:
-                        * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-                        * Where "xx xx" = length bytes.  Shown here with
-                        * optional authenticator omitted.
-                        */
-
-                       /*  KerberosWrapper.Ticket */
-                       s2n(enc_ticket->length, p);
-                       memcpy(p, enc_ticket->data, enc_ticket->length);
-                       p += enc_ticket->length;
-                       n = enc_ticket->length + 2;
-
-                       /*  KerberosWrapper.Authenticator */
-                       if (authp && authp->length) {
-                               s2n(authp->length, p);
-                               memcpy(p, authp->data, authp->length);
-                               p += authp->length;
-                               n += authp->length + 2;
-
-                               free(authp->data);
-                               authp->data = NULL;
-                               authp->length = 0;
-                       } else {
-                               s2n(0,p);/*  null authenticator length  */
-                               n += 2;
-                       }
-
-                       tmp_buf[0] = s->client_version >> 8;
-                       tmp_buf[1] = s->client_version & 0xff;
-                       if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
-                               goto err;
-
-                       /*
-                        * 20010420 VRS.  Tried it this way; failed.
-                        * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-                        * EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-                        *     kssl_ctx->length);
-                        * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-                        */
-
-                       memset(iv, 0, sizeof iv);
-                       /* per RFC 1510 */
-                       EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
-                           kssl_ctx->key, iv);
-                       EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
-                           sizeof tmp_buf);
-                       EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
-                       outl += padl;
-                       if (outl > (int)sizeof epms) {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                   ERR_R_INTERNAL_ERROR);
-                               goto err;
-                       }
-                       EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
-                       /* KerberosWrapper.EncryptedPreMasterSecret */
-                       s2n(outl, p);
-                       memcpy(p, epms, outl);
-                       p += outl;
-                       n += outl + 2;
-
-                       s->session->master_key_length =
-                       s->method->ssl3_enc->generate_master_secret(s,
-                       s->session->master_key,
-                       tmp_buf, sizeof tmp_buf);
-
-                       OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
-                       OPENSSL_cleanse(epms, outl);
-               }
-#endif
 #ifndef OPENSSL_NO_DH
                else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
                        DH *dh_srvr, *dh_clnt;
@@ -2716,37 +2489,6 @@ ssl3_send_client_key_exchange(SSL *s)
                            EVP_PKEY_free(pub_key);
 
                }
-#ifndef OPENSSL_NO_SRP
-               else if (alg_k & SSL_kSRP) {
-                       if (s->srp_ctx.A != NULL) {
-                               /* send off the data */
-                               n = BN_num_bytes(s->srp_ctx.A);
-                               s2n(n, p);
-                               BN_bn2bin(s->srp_ctx.A, p);
-                               n += 2;
-                       } else {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                   ERR_R_INTERNAL_ERROR);
-                               goto err;
-                       }
-                       if (s->session->srp_username != NULL)
-                               free(s->session->srp_username);
-                       s->session->srp_username = BUF_strdup(s->srp_ctx.login);
-                       if (s->session->srp_username == NULL) {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                   ERR_R_MALLOC_FAILURE);
-                               goto err;
-                       }
-
-                       if ((s->session->master_key_length =
-                           SRP_generate_client_master_secret(s,
-                           s->session->master_key)) < 0) {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                   ERR_R_INTERNAL_ERROR);
-                               goto err;
-                       }
-               }
-#endif
 #ifndef OPENSSL_NO_PSK
                else if (alg_k & SSL_kPSK) {
                        char identity[PSK_MAX_IDENTITY_LEN];
index 12ce8a1..c687488 100644 (file)
@@ -605,232 +605,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
                168,
                168,
        },
-#ifndef OPENSSL_NO_KRB5
-/* The Kerberos ciphers*/
-/* Cipher 1E */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_64_CBC_SHA,
-               SSL3_CK_KRB5_DES_64_CBC_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_DES,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_LOW,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               56,
-               56,
-       },
-
-/* Cipher 1F */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_192_CBC3_SHA,
-               SSL3_CK_KRB5_DES_192_CBC3_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_3DES,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               168,
-               168,
-       },
-
-/* Cipher 20 */
-       {
-               1,
-               SSL3_TXT_KRB5_RC4_128_SHA,
-               SSL3_CK_KRB5_RC4_128_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC4,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_MEDIUM,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-/* Cipher 21 */
-       {
-               1,
-               SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
-               SSL3_CK_KRB5_IDEA_128_CBC_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_IDEA,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_MEDIUM,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-/* Cipher 22 */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_64_CBC_MD5,
-               SSL3_CK_KRB5_DES_64_CBC_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_DES,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_LOW,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               56,
-               56,
-       },
-
-/* Cipher 23 */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_192_CBC3_MD5,
-               SSL3_CK_KRB5_DES_192_CBC3_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_3DES,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               168,
-               168,
-       },
-
-/* Cipher 24 */
-       {
-               1,
-               SSL3_TXT_KRB5_RC4_128_MD5,
-               SSL3_CK_KRB5_RC4_128_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC4,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_MEDIUM,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-/* Cipher 25 */
-       {
-               1,
-               SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
-               SSL3_CK_KRB5_IDEA_128_CBC_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_IDEA,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_MEDIUM,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-/* Cipher 26 */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_40_CBC_SHA,
-               SSL3_CK_KRB5_DES_40_CBC_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_DES,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               56,
-       },
-
-/* Cipher 27 */
-       {
-               1,
-               SSL3_TXT_KRB5_RC2_40_CBC_SHA,
-               SSL3_CK_KRB5_RC2_40_CBC_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC2,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               128,
-       },
-
-/* Cipher 28 */
-       {
-               1,
-               SSL3_TXT_KRB5_RC4_40_SHA,
-               SSL3_CK_KRB5_RC4_40_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC4,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               128,
-       },
-
-/* Cipher 29 */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_40_CBC_MD5,
-               SSL3_CK_KRB5_DES_40_CBC_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_DES,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               56,
-       },
-
-/* Cipher 2A */
-       {
-               1,
-               SSL3_TXT_KRB5_RC2_40_CBC_MD5,
-               SSL3_CK_KRB5_RC2_40_CBC_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC2,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               128,
-       },
-
-/* Cipher 2B */
-       {
-               1,
-               SSL3_TXT_KRB5_RC4_40_MD5,
-               SSL3_CK_KRB5_RC4_40_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC4,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               128,
-       },
-#endif /* OPENSSL_NO_KRB5 */
 
 /* New AES ciphersuites */
 /* Cipher 2F */
@@ -2250,151 +2024,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
        },
 #endif /* OPENSSL_NO_ECDH */
 
-#ifndef OPENSSL_NO_SRP
-       /* Cipher C01A */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
-               TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
-               SSL_kSRP,
-               SSL_aNULL,
-               SSL_3DES,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               168,
-               168,
-       },
-
-       /* Cipher C01B */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
-               TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
-               SSL_kSRP,
-               SSL_aRSA,
-               SSL_3DES,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               168,
-               168,
-       },
-
-       /* Cipher C01C */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
-               TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
-               SSL_kSRP,
-               SSL_aDSS,
-               SSL_3DES,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               168,
-               168,
-       },
-
-       /* Cipher C01D */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
-               TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
-               SSL_kSRP,
-               SSL_aNULL,
-               SSL_AES128,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-       /* Cipher C01E */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
-               TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
-               SSL_kSRP,
-               SSL_aRSA,
-               SSL_AES128,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-       /* Cipher C01F */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
-               TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
-               SSL_kSRP,
-               SSL_aDSS,
-               SSL_AES128,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-       /* Cipher C020 */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
-               TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
-               SSL_kSRP,
-               SSL_aNULL,
-               SSL_AES256,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               256,
-               256,
-       },
-
-       /* Cipher C021 */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
-               TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
-               SSL_kSRP,
-               SSL_aRSA,
-               SSL_AES256,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               256,
-               256,
-       },
-
-       /* Cipher C022 */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
-               TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
-               SSL_kSRP,
-               SSL_aDSS,
-               SSL_AES256,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               256,
-               256,
-       },
-#endif  /* OPENSSL_NO_SRP */
 #ifndef OPENSSL_NO_ECDH
 
        /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
@@ -2787,9 +2416,6 @@ ssl3_new(SSL *s)
 
        s->s3 = s3;
 
-#ifndef OPENSSL_NO_SRP
-       SSL_SRP_CTX_init(s);
-#endif
        s->method->ssl_clear(s);
        return (1);
 err:
@@ -2832,9 +2458,6 @@ ssl3_free(SSL *s)
        }
        if (s->s3->handshake_dgst)
                ssl3_free_digest_list(s);
-#ifndef OPENSSL_NO_SRP
-       SSL_SRP_CTX_free(s);
-#endif
        OPENSSL_cleanse(s->s3, sizeof *s->s3);
        free(s->s3);
        s->s3 = NULL;
@@ -2919,13 +2542,6 @@ ssl3_clear(SSL *s)
 #endif
 }
 
-#ifndef OPENSSL_NO_SRP
-static char *
-srp_password_from_info_cb(SSL *s, void *arg)
-{
-       return BUF_strdup(s->srp_ctx.info);
-}
-#endif
 
 long
 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
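Review bot: Removing srp_password_from_info_cb leaves two consecutive blank lines on the new side (the context blanks at L917 and L925 now meet), so the gap between the closing brace of ssl3_clear and the `long` return type of ssl3_ctrl is doubled. One of the two blank lines should go with the function. The same double blank is left in s3_srvr.c after the removal of ssl_check_srp_ext_ClientHello (the blanks at L1030 and L1055 before IMPLEMENT_ssl3_meth_func).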
@@ -3380,40 +2996,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                return 1;
                break;
 
-#ifndef OPENSSL_NO_SRP
-       case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
-               ctx->srp_ctx.srp_Mask|=SSL_kSRP;
-               if (ctx->srp_ctx.login != NULL)
-                       free(ctx->srp_ctx.login);
-               ctx->srp_ctx.login = NULL;
-               if (parg == NULL)
-                       break;
-               if (strlen((const char *)parg) > 255 ||
-                   strlen((const char *)parg) < 1) {
-                       SSLerr(SSL_F_SSL3_CTX_CTRL,
-                           SSL_R_INVALID_SRP_USERNAME);
-                       return 0;
-               }
-               if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) {
-                       SSLerr(SSL_F_SSL3_CTX_CTRL,
-                           ERR_R_INTERNAL_ERROR);
-                       return 0;
-               }
-               break;
-       case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
-               ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
-                   srp_password_from_info_cb;
-               ctx->srp_ctx.info = parg;
-               break;
-       case SSL_CTRL_SET_SRP_ARG:
-               ctx->srp_ctx.srp_Mask|=SSL_kSRP;
-               ctx->srp_ctx.SRP_cb_arg = parg;
-               break;
-
-       case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
-               ctx->srp_ctx.strength = larg;
-               break;
-#endif
 #endif /* !OPENSSL_NO_TLSEXT */
 
                /* A Thawte special :-) */
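Review bot: With the SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, SSL_CTRL_SET_SRP_ARG and SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH cases gone, any caller still issuing those ctrls reaches the function's default path, which (outside this hunk, but visible for the sibling ssl3_ctx_callback_ctrl at L991-L992) returns 0 without queueing an error. That is a silent runtime no-op for an application that believed it had configured SRP, unless the SSL_CTRL_* values and their wrapper macros are also dropped from ssl.h so the call fails at compile time; ssl.h is in the changed-file list but its hunks are not shown here, so this is worth confirming. The same applies to the three SSL_CTRL_SET_SRP_*_CB cases removed from ssl3_ctx_callback_ctrl at L973-L989.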
@@ -3491,23 +3073,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
                    unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
                break;
 
-#ifndef OPENSSL_NO_SRP
-       case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
-               ctx->srp_ctx.srp_Mask|=SSL_kSRP;
-               ctx->srp_ctx.SRP_verify_param_callback =
-                   (int (*)(SSL *, void *))fp;
-               break;
-       case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB:
-               ctx->srp_ctx.srp_Mask|=SSL_kSRP;
-               ctx->srp_ctx.TLS_ext_srp_username_callback =
-                   (int (*)(SSL *, int *, void *))fp;
-               break;
-       case SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB:
-               ctx->srp_ctx.srp_Mask|=SSL_kSRP;
-               ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
-                   (char *(*)(SSL *, void *))fp;
-               break;
-#endif
 #endif
        default:
                return (0);
@@ -3616,10 +3181,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                mask_a = cert->mask_a;
                emask_k = cert->export_mask_k;
                emask_a = cert->export_mask_a;
-#ifndef OPENSSL_NO_SRP
-               mask_k = cert->mask_k | s->srp_ctx.srp_Mask;
-               emask_k = cert->export_mask_k | s->srp_ctx.srp_Mask;
-#endif
 
 #ifdef KSSL_DEBUG
 /*             printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
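Review bot: The `#ifdef KSSL_DEBUG` block that survives on the new side at L1002-L1003 is Kerberos debug scaffolding (its other uses, at L1248 and L1452, are inside the kssl code being deleted, and kssl.c itself is removed in this commit), and what it guards is already a commented-out printf. Dropping the conditional and its body here would finish the cleanup rather than leaving a dead preprocessor symbol in ssl3_choose_cipher; its closing `#endif` lies outside this hunk.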
@@ -3628,12 +3189,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                alg_k = c->algorithm_mkey;
                alg_a = c->algorithm_auth;
 
-#ifndef OPENSSL_NO_KRB5
-               if (alg_k & SSL_kKRB5) {
-                       if (!kssl_keytab_is_available(s->kssl_ctx) )
-                               continue;
-               }
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
                /* with PSK there must be server callback set */
                if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL)
index 6d8ccd6..081aebf 100644 (file)
 #include <openssl/dh.h>
 #endif
 #include <openssl/bn.h>
-#ifndef OPENSSL_NO_KRB5
-#include <openssl/krb5_asn.h>
-#endif
 #include <openssl/md5.h>
 
 static const SSL_METHOD *ssl3_get_server_method(int ver);
@@ -179,30 +176,6 @@ ssl3_get_server_method(int ver)
        return (NULL);
 }
 
-#ifndef OPENSSL_NO_SRP
-static int
-ssl_check_srp_ext_ClientHello(SSL *s, int *al)
-{
-       int ret = SSL_ERROR_NONE;
-
-       *al = SSL_AD_UNRECOGNIZED_NAME;
-
-       if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
-               (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
-               if (s->srp_ctx.login == NULL) {
-                       /*
-                        * RFC 5054 says SHOULD reject,
-                        * we do so if There is no srp login name
-                        */
-                       ret = SSL3_AL_FATAL;
-                       *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
-               } else {
-                       ret = SSL_srp_server_param_with_username(s, al);
-               }
-       }
-       return (ret);
-}
-#endif
 
 IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
     ssl3_accept, ssl_undefined_function, ssl3_get_server_method)
@@ -342,39 +315,6 @@ ssl3_accept(SSL *s)
                                if (ret <= 0)
                                        goto end;
                        }
-#ifndef OPENSSL_NO_SRP
-                       {
-                               int al;
-                               if ((ret =
-                                   ssl_check_srp_ext_ClientHello(s, &al))
-                                   < 0) {
-                                       /*
-                                        * Callback indicates further work to
-                                        * be done.
-                                        */
-                                       s->rwstate = SSL_X509_LOOKUP;
-                                       goto end;
-                               }
-                               if (ret != SSL_ERROR_NONE) {
-                                       ssl3_send_alert(s, SSL3_AL_FATAL, al);
-
-                                       /*
-                                        * This is not really an error but the
-                                        * only means for a client to detect
-                                        * whether srp is supported.
-                                        */
-                                       if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
-                                               SSLerr(SSL_F_SSL3_ACCEPT,
-                                                   SSL_R_CLIENTHELLO_TLSEXT);
-
-                                       ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-
-                                       ret = -1;
-                                       goto end;
-
-                               }
-                       }
-#endif         
 
                        s->renegotiate = 2;
                        s->state = SSL3_ST_SW_SRVR_HELLO_A;
@@ -441,9 +381,6 @@ ssl3_accept(SSL *s)
                         * send_server_key_exchange.
                         */
                        if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
-                           && !(alg_k & SSL_kKRB5)
-#endif /* OPENSSL_NO_KRB5 */
                            )
                                /*
                                 * option SSL_OP_EPHEMERAL_RSA sends temporary
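Review bot: Deleting the `&& !(alg_k & SSL_kKRB5)` term leaves the condition split as `if ((s->options & SSL_OP_EPHEMERAL_RSA)` on L1101 with a lone `)` on L1105, which reads as if an operand were missing. It should collapse to a single line, `if (s->options & SSL_OP_EPHEMERAL_RSA)`, now that the extra parenthesisation has no purpose. The identical shape is left in dtls1_accept at L1570-L1574; the enclosing if-body in ssl3_accept continues outside this hunk.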
@@ -472,10 +409,6 @@ ssl3_accept(SSL *s)
                         * hint if provided */
 #ifndef OPENSSL_NO_PSK
                            || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
-#endif
-#ifndef OPENSSL_NO_SRP
-                       /* SRP: send ServerKeyExchange */
-                           || (alg_k & SSL_kSRP)
 #endif
                            || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
                            || (alg_k & SSL_kEECDH)
@@ -1796,20 +1729,6 @@ ssl3_send_server_key_exchange(SSL *s)
                        n += 2 + pskhintlen;
                } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-               if (type & SSL_kSRP) {
-                       if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
-                           (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
-                               SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
-                                   SSL_R_MISSING_SRP_PARAM);
-                               goto err;
-                       }
-                       r[0] = s->srp_ctx.N;
-                       r[1] = s->srp_ctx.g;
-                       r[2] = s->srp_ctx.s;
-                       r[3] = s->srp_ctx.B;
-               } else
-#endif
                {
                        al = SSL_AD_HANDSHAKE_FAILURE;
                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
@@ -1818,11 +1737,6 @@ ssl3_send_server_key_exchange(SSL *s)
                }
                for (i = 0; i < 4 && r[i] != NULL; i++) {
                        nr[i] = BN_num_bytes(r[i]);
-#ifndef OPENSSL_NO_SRP
-                       if ((i == 2) && (type & SSL_kSRP))
-                               n += 1 + nr[i];
-                       else
-#endif
                        n += 2 + nr[i];
                }
 
@@ -1848,12 +1762,6 @@ ssl3_send_server_key_exchange(SSL *s)
                p = &(d[4]);
 
                for (i = 0; i < 4 && r[i] != NULL; i++) {
-#ifndef OPENSSL_NO_SRP
-                       if ((i == 2) && (type & SSL_kSRP)) {
-                               *p = nr[i];
-                               p++;
-                       } else
-#endif
                        s2n(nr[i], p);
                        BN_bn2bin(r[i], p);
                        p += nr[i];
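Review bot: With the SRP special case removed from both loops (L1144-L1148 and L1156-L1161), the serialisation of `r[]` is now uniform, but the loops still run to 4 and the removed SRP branch at L1131-L1134 was the only code that populated r[3]. If, as it appears, the remaining DH setup (outside this hunk) fills at most r[0..2], the `r[4]`/`nr[4]` declarations and the `i < 4` bounds in ssl3_send_server_key_exchange could shrink to 3 so the array size documents what is actually sent; worth checking against the declaration, which is not visible here.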
@@ -2112,9 +2020,6 @@ ssl3_get_client_key_exchange(SSL *s)
        BIGNUM *pub = NULL;
        DH *dh_srvr;
 #endif
-#ifndef OPENSSL_NO_KRB5
-       KSSL_ERR kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
 
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *srvr_ecdh = NULL;
@@ -2299,191 +2204,6 @@ ssl3_get_client_key_exchange(SSL *s)
                OPENSSL_cleanse(p, i);
        } else
 #endif
-#ifndef OPENSSL_NO_KRB5
-       if (alg_k & SSL_kKRB5) {
-               krb5_error_code         krb5rc;
-               krb5_data               enc_ticket;
-               krb5_data               authenticator;
-               krb5_data               enc_pms;
-               KSSL_CTX                *kssl_ctx = s->kssl_ctx;
-               EVP_CIPHER_CTX          ciph_ctx;
-               const EVP_CIPHER        *enc = NULL;
-               unsigned char           iv[EVP_MAX_IV_LENGTH];
-               unsigned char           pms[SSL_MAX_MASTER_KEY_LENGTH
-               + EVP_MAX_BLOCK_LENGTH];
-               int                  padl, outl;
-               krb5_timestamp          authtime = 0;
-               krb5_ticket_times       ttimes;
-
-               EVP_CIPHER_CTX_init(&ciph_ctx);
-
-               if (!kssl_ctx)
-                       kssl_ctx = kssl_ctx_new();
-
-               n2s(p, i);
-               enc_ticket.length = i;
-
-               if (n < (long)(enc_ticket.length + 6)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-
-               enc_ticket.data = (char *)p;
-               p += enc_ticket.length;
-
-               n2s(p, i);
-               authenticator.length = i;
-
-               if (n < (long)(enc_ticket.length + authenticator.length + 6)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-
-               authenticator.data = (char *)p;
-               p += authenticator.length;
-
-               n2s(p, i);
-               enc_pms.length = i;
-               enc_pms.data = (char *)p;
-               p += enc_pms.length;
-
-               /*
-                * Note that the length is checked again below,
-                * after decryption
-                */
-               if (enc_pms.length > sizeof pms) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-
-               if (n != (long)(enc_ticket.length + authenticator.length +
-                   enc_pms.length + 6)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-
-               if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
-                   &kssl_err)) != 0) {
-#ifdef KSSL_DEBUG
-                       printf("kssl_sget_tkt rtn %d [%d]\n",
-                       krb5rc, kssl_err.reason);
-                       if (kssl_err.text)
-                               printf("kssl_err text= %s\n", kssl_err.text);
-#endif /* KSSL_DEBUG */
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                       kssl_err.reason);
-                       goto err;
-               }
-
-               /*  Note: no authenticator is not considered an error,
-               **  but will return authtime == 0.
-               */
-               if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
-                   &authtime, &kssl_err)) != 0) {
-#ifdef KSSL_DEBUG
-                       printf("kssl_check_authent rtn %d [%d]\n",
-                       krb5rc, kssl_err.reason);
-                       if (kssl_err.text)
-                               printf("kssl_err text= %s\n", kssl_err.text);
-#endif /* KSSL_DEBUG */
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           kssl_err.reason);
-                       goto err;
-               }
-
-               if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           krb5rc);
-                       goto err;
-               }
-
-#ifdef KSSL_DEBUG
-               kssl_ctx_show(kssl_ctx);
-#endif /* KSSL_DEBUG */
-
-               enc = kssl_map_enc(kssl_ctx->enctype);
-               if (enc == NULL)
-                       goto err;
-
-               memset(iv, 0, sizeof iv);       /* per RFC 1510 */
-
-               if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL,
-                   kssl_ctx->key, iv)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DECRYPTION_FAILED);
-                       goto err;
-               }
-               if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl,
-                   (unsigned char *)enc_pms.data, enc_pms.length)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DECRYPTION_FAILED);
-                       goto err;
-               }
-               if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-               if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DECRYPTION_FAILED);
-                       goto err;
-               }
-               outl += padl;
-               if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-               if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) {
-                       /*
-                        * The premaster secret must contain the same version
-                        * number as the ClientHello to detect version rollback
-                        * attacks (strangely, the protocol does not offer such
-                        * protection for DH ciphersuites).
-                        * However, buggy clients exist that send random bytes
-                        * instead of the protocol version.
-                        *
-                        * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
-                        * clients.
-                        * (Perhaps we should have a separate BUG value for
-                        * the Kerberos cipher)
-                        */
-                       if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) {
-                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                   SSL_AD_DECODE_ERROR);
-                               goto err;
-                       }
-               }
-
-               EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
-               s->session->master_key_length =
-               s->method->ssl3_enc->generate_master_secret(s,
-                   s->session->master_key, pms, outl);
-
-               if (kssl_ctx->client_princ) {
-                       size_t len = strlen(kssl_ctx->client_princ);
-                       if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) {
-                               s->session->krb5_client_princ_len = len;
-                               memcpy(s->session->krb5_client_princ,
-                                   kssl_ctx->client_princ, len);
-                       }
-               }
-
-
-               /*
-                * Was doing kssl_ctx_free() here, but it caused problems for
-                * apache.
-                * kssl_ctx = kssl_ctx_free(kssl_ctx);
-                * if (s->kssl_ctx)  s->kssl_ctx = NULL;
-                */
-       } else
-#endif /* OPENSSL_NO_KRB5 */
 
 #ifndef OPENSSL_NO_ECDH
        if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
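Review bot: The dangling `} else` at L1177 is now followed by `#endif`, a blank line (L1364) and then the `#ifndef OPENSSL_NO_ECDH` / `if` that completes it, so the else-if chain is visually broken at exactly the point where the Kerberos branch used to sit. Dropping the blank line at L1364 would make this join read like the other branches in the chain (compare L1407-L1408, where `#endif` is immediately followed by `if (alg_k & SSL_kGOST)`). The function body continues outside this hunk.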
@@ -2717,43 +2437,6 @@ ssl3_get_client_key_exchange(SSL *s)
                        goto f_err;
        } else
 #endif
-#ifndef OPENSSL_NO_SRP
-       if (alg_k & SSL_kSRP) {
-               int param_len;
-
-               n2s(p, i);
-               param_len = i + 2;
-               if (param_len > n) {
-                       al = SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_BAD_SRP_A_LENGTH);
-                       goto f_err;
-               }
-               if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           ERR_R_BN_LIB);
-                       goto err;
-               }
-               if (s->session->srp_username != NULL)
-                       free(s->session->srp_username);
-               s->session->srp_username = BUF_strdup(s->srp_ctx.login);
-               if (s->session->srp_username == NULL) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           ERR_R_MALLOC_FAILURE);
-                       goto err;
-               }
-
-               if ((s->session->master_key_length =
-                   SRP_generate_server_master_secret(s,
-                   s->session->master_key)) < 0) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           ERR_R_INTERNAL_ERROR);
-                       goto err;
-               }
-
-               p += i;
-       } else
-#endif /* OPENSSL_NO_SRP */
        if (alg_k & SSL_kGOST) {
                int ret = 0;
                EVP_PKEY_CTX *pkey_ctx;
index 38118b1..8967879 100644 (file)
 
 #include <stdio.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_KRB5
-#include "kssl_lcl.h"
-#endif
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
@@ -926,9 +923,6 @@ dtls1_send_client_key_exchange(SSL *s)
        unsigned long alg_k;
        unsigned char *q;
        EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_KRB5
-       KSSL_ERR kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *clnt_ecdh = NULL;
        const EC_POINT *srvr_ecpoint = NULL;
@@ -992,134 +986,6 @@ dtls1_send_client_key_exchange(SSL *s)
                        tmp_buf, sizeof tmp_buf);
                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
                }
-#ifndef OPENSSL_NO_KRB5
-               else if (alg_k & SSL_kKRB5) {
-                       krb5_error_code krb5rc;
-                       KSSL_CTX        *kssl_ctx = s->kssl_ctx;
-                       /*  krb5_data   krb5_ap_req;  */
-                       krb5_data       *enc_ticket;
-                       krb5_data       authenticator, *authp = NULL;
-                       EVP_CIPHER_CTX  ciph_ctx;
-                       const EVP_CIPHER *enc = NULL;
-                       unsigned char   iv[EVP_MAX_IV_LENGTH];
-                       unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-                       unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH
-                       + EVP_MAX_IV_LENGTH];
-                       int             padl, outl = sizeof(epms);
-
-                       EVP_CIPHER_CTX_init(&ciph_ctx);
-
-#ifdef KSSL_DEBUG
-                       printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                       alg_k, SSL_kKRB5);
-#endif /* KSSL_DEBUG */
-
-                       authp = NULL;
-#ifdef KRB5SENDAUTH
-                       if (KRB5SENDAUTH)
-                               authp = &authenticator;
-#endif /* KRB5SENDAUTH */
-
-                       krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
-                       &kssl_err);
-                       enc = kssl_map_enc(kssl_ctx->enctype);
-                       if (enc == NULL)
-                               goto err;
-#ifdef KSSL_DEBUG
-                       {
-                               printf("kssl_cget_tkt rtn %d\n", krb5rc);
-                               if (krb5rc && kssl_err.text)
-                                       printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
-                       }
-#endif /* KSSL_DEBUG */
-
-                       if (krb5rc) {
-                               ssl3_send_alert(s, SSL3_AL_FATAL,
-                               SSL_AD_HANDSHAKE_FAILURE);
-                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
-                               kssl_err.reason);
-                               goto err;
-                       }
-
-                       /*  20010406 VRS - Earlier versions used KRB5 AP_REQ
-                       **  in place of RFC 2712 KerberosWrapper, as in:
-                       **
-                        **  Send ticket (copy to *p, set n = length)
-                        **  n = krb5_ap_req.length;
-                        **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-                        **  if (krb5_ap_req.data)  
-                        **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-                        **
-                       **  Now using real RFC 2712 KerberosWrapper
-                       **  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
-                       **  Note: 2712 "opaque" types are here replaced
-                       **  with a 2-byte length followed by the value.
-                       **  Example:
-                       **  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-                       **  Where "xx xx" = length bytes.  Shown here with
-                       **  optional authenticator omitted.
-                       */
-
-                       /*  KerberosWrapper.Ticket              */
-                       s2n(enc_ticket->length, p);
-                       memcpy(p, enc_ticket->data, enc_ticket->length);
-                       p += enc_ticket->length;
-                       n = enc_ticket->length + 2;
-
-                       /*  KerberosWrapper.Authenticator       */
-                       if (authp && authp->length) {
-                               s2n(authp->length, p);
-                               memcpy(p, authp->data, authp->length);
-                               p += authp->length;
-                               n += authp->length + 2;
-
-                               free(authp->data);
-                               authp->data = NULL;
-                               authp->length = 0;
-                       } else {
-                               s2n(0, p);/*  null authenticator length */
-                               n += 2;
-                       }
-
-                       if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0)
-                               goto err;
-
-                       /*  20010420 VRS.  Tried it this way; failed.
-                       **      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-                       **      EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-                       **                              kssl_ctx->length);
-                       **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-                       */
-
-                       memset(iv, 0, sizeof iv);
-                       /* per RFC 1510 */
-                       EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
-                           kssl_ctx->key, iv);
-                       EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
-                           sizeof tmp_buf);
-                       EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
-                       outl += padl;
-                       if (outl > (int)sizeof epms) {
-                               SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-                               goto err;
-                       }
-                       EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
-                       /*  KerberosWrapper.EncryptedPreMasterSecret    */
-                       s2n(outl, p);
-                       memcpy(p, epms, outl);
-                       p += outl;
-                       n += outl + 2;
-
-                       s->session->master_key_length =
-                           s->method->ssl3_enc->generate_master_secret(s,
-                               s->session->master_key,
-                               tmp_buf, sizeof tmp_buf);
-
-                       OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
-                       OPENSSL_cleanse(epms, outl);
-               }
-#endif
 #ifndef OPENSSL_NO_DH
                else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
                        DH *dh_srvr, *dh_clnt;
index 9995278..6183815 100644 (file)
@@ -429,9 +429,6 @@ dtls1_accept(SSL *s)
                        /* clear this, it may get reset by
                         * send_server_key_exchange */
                        if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
-                       && !(alg_k & SSL_kKRB5)
-#endif /* OPENSSL_NO_KRB5 */
                        )
                                /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
                                 * even when forbidden by protocol specs
diff --git a/lib/libssl/src/ssl/kssl.c b/lib/libssl/src/ssl/kssl.c
deleted file mode 100644 (file)
index b04c83e..0000000
+++ /dev/null
@@ -1,1549 +0,0 @@
-/* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */
-/* Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-/*  ssl/kssl.c  --  Routines to support (& debug) Kerberos5 auth for openssl
-**
-**  19990701   VRS     Started.
-**  200011??   Jeffrey Altman, Richard Levitte
-**                     Generalized for Heimdal, Newer MIT, & Win32.
-**                     Integrated into main OpenSSL 0.9.7 snapshots.
-**  20010413   Simon Wilkinson, VRS
-**                     Real RFC2712 KerberosWrapper replaces AP_REQ.
-*/
-
-#include <openssl/opensslconf.h>
-
-#include <string.h>
-
-#define KRB5_PRIVATE   1
-
-#include <openssl/ssl.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/krb5_asn.h>
-#include "kssl_lcl.h"
-
-#ifndef OPENSSL_NO_KRB5
-
-#ifndef ENOMEM
-#define ENOMEM KRB5KRB_ERR_GENERIC
-#endif
-
-char *
-kstring(char *string)
-{
-       static char     *null = "[NULL]";
-
-       return ((string == NULL) ? null : string);
-}
-
-/*     Given KRB5 enctype (basically DES or 3DES),
-**     return closest match openssl EVP_ encryption algorithm.
-**     Return NULL for unknown or problematic (krb5_dk_encrypt) enctypes.
-**     Assume ENCTYPE_*_RAW (krb5_raw_encrypt) are OK.
-*/
-const EVP_CIPHER *
-kssl_map_enc(krb5_enctype enctype)
-{
-       switch (enctype) {
-       case ENCTYPE_DES_HMAC_SHA1: /*    EVP_des_cbc(); */
-       case ENCTYPE_DES_CBC_CRC:
-       case ENCTYPE_DES_CBC_MD4:
-       case ENCTYPE_DES_CBC_MD5:
-       case ENCTYPE_DES_CBC_RAW:
-               return EVP_des_cbc();
-               break;
-       case ENCTYPE_DES3_CBC_SHA1: /*    EVP_des_ede3_cbc(); */
-       case ENCTYPE_DES3_CBC_SHA:
-       case ENCTYPE_DES3_CBC_RAW:
-               return EVP_des_ede3_cbc();
-               break;
-       default:
-               return NULL;
-               break;
-       }
-}
-
-
-/*     Return true:1 if p "looks like" the start of the real authenticator
-**     described in kssl_skip_confound() below.  The ASN.1 pattern is
-**     "62 xx 30 yy" (APPLICATION-2, SEQUENCE), where xx-yy =~ 2, and
-**     xx and yy are possibly multi-byte length fields.
-*/
-static int
-kssl_test_confound(unsigned char *p)
-{
-       int     len = 2;
-       int     xx = 0, yy = 0;
-
-       if (*p++ != 0x62)
-               return 0;
-       if (*p > 0x82)
-               return 0;
-       switch (*p)  {
-       case 0x82:
-               p++;
-               xx = (*p++ << 8);
-               xx += *p++;
-               break;
-       case 0x81:
-               p++;
-               xx =  *p++;
-               break;
-       case 0x80:
-               return 0;
-       default:
-               xx = *p++;
-               break;
-       }
-       if (*p++ != 0x30)
-               return 0;
-       if (*p > 0x82)
-               return 0;
-       switch (*p)  {
-       case 0x82:
-               p++;
-               len += 2;
-               yy = (*p++ << 8);
-               yy += *p++;
-               break;
-       case 0x81:
-               p++;
-               len++;
-               yy =  *p++;
-               break;
-       case 0x80:
-               return 0;
-       default:
-               yy = *p++;
-               break;
-       }
-
-       return (xx - len == yy) ? 1 : 0;
-}
-
-/*     Allocate, fill, and return cksumlens array of checksum lengths.
-**     This array holds just the unique elements from the krb5_cksumarray[].
-**     array[n] == 0 signals end of data.
-**
-**      The krb5_cksumarray[] was an internal variable that has since been
-**      replaced by a more general method for storing the data.  It should
-**      not be used.  Instead we use real API calls and make a guess for
-**      what the highest assigned CKSUMTYPE_ constant is.  As of 1.2.2
-**      it is 0x000c (CKSUMTYPE_HMAC_SHA1_DES3).  So we will use 0x0010.
-*/
-static size_t *
-populate_cksumlens(void)
-{
-       int             i, j, n;
-       static size_t   *cklens = NULL;
-
-#ifdef KRB5_MIT_OLD11
-       n = krb5_max_cksum;
-#else
-       n = 0x0010;
-#endif /* KRB5_MIT_OLD11 */
-
-#ifdef KRB5CHECKAUTH
-       if (!cklens && !(cklens = (size_t *)
-               calloc(sizeof(int), n + 1)))  return NULL;
-
-       for (i = 0; i < n; i++) {
-               if (!valid_cksumtype(i))
-                       continue;       /*  array has holes  */
-               for (j = 0; j < n; j++) {
-                       if (cklens[j] == 0) {
-                               cklens[j] = krb5_checksum_size(NULL, i);
-                               break;
-                               /*  krb5 elem was new: add   */
-                       }
-                       if (cklens[j] == krb5_checksum_size(NULL, i)) {
-                               break;
-                               /*  ignore duplicate elements */
-                       }
-               }
-       }
-#endif /* KRB5CHECKAUTH */
-
-       return cklens;
-}
-
-/*     Return pointer to start of real authenticator within authenticator, or
-**     return NULL on error.
-**     Decrypted authenticator looks like this:
-**             [0 or 8 byte confounder] [4-24 byte checksum] [real authent'r]
-**     This hackery wouldn't be necessary if MIT KRB5 1.0.6 had the
-**     krb5_auth_con_getcksumtype() function advertised in its krb5.h.
-*/
-unsigned char *
-kssl_skip_confound(krb5_enctype etype, unsigned char *a)
-{
-       int             i, conlen;
-       size_t          cklen;
-       static size_t   *cksumlens = NULL;
-       unsigned char   *test_auth;
-
-       conlen = (etype) ? 8 : 0;
-
-       if (!cksumlens && !(cksumlens = populate_cksumlens()))
-               return NULL;
-       for (i = 0; (cklen = cksumlens[i]) != 0; i++) {
-               test_auth = a + conlen + cklen;
-               if (kssl_test_confound(test_auth))
-                       return test_auth;
-       }
-
-       return NULL;
-}
-
-
-/*     Set kssl_err error info when reason text is a simple string
-**             kssl_err = struct { int reason; char text[KSSL_ERR_MAX]; }
-*/
-void
-kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text)
-{
-       if (kssl_err == NULL)
-               return;
-
-       kssl_err->reason = reason;
-       (void) snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text);
-       return;
-}
-
-
-/*     Display contents of krb5_data struct, for debugging
-*/
-void
-print_krb5_data(char *label, krb5_data *kdata)
-{
-       int i;
-
-       printf("%s[%d] ", label, kdata->length);
-       for (i = 0; i < (int)kdata->length; i++) {
-               if (0 && isprint((int) kdata->data[i]))
-                       printf( "%c ",  kdata->data[i]);
-               else
-                       printf( "%02x ", (unsigned char) kdata->data[i]);
-       }
-       printf("\n");
-}
-
-
-/*     Display contents of krb5_authdata struct, for debugging
-*/
-void
-print_krb5_authdata(char *label, krb5_authdata **adata)
-{
-       if (adata == NULL) {
-               printf("%s, authdata==0\n", label);
-               return;
-       }
-       printf("%s [%p]\n", label, (void *)adata);
-#if 0
-       {
-               int     i;
-               printf("%s[at%d:%d] ", label, adata->ad_type, adata->length);
-               for (i = 0; i < adata->length; i++) {
-                       printf((isprint(adata->contents[i]))? "%c ": "%02x",
-                           adata->contents[i]);
-               }
-               printf("\n");
-       }
-#endif
-}
-
-
-/*     Display contents of krb5_keyblock struct, for debugging
-*/
-void
-print_krb5_keyblock(char *label, krb5_keyblock *keyblk)
-{
-       int i;
-
-       if (keyblk == NULL) {
-               printf("%s, keyblk==0\n", label);
-               return;
-       }
-#ifdef KRB5_HEIMDAL
-       printf("%s\n\t[et%d:%d]: ", label, keyblk->keytype,
-           keyblk->keyvalue->length);
-       for (i = 0; i < (int)keyblk->keyvalue->length; i++) {
-               printf("%02x",(unsigned char *)(keyblk->keyvalue->contents)[i]);
-       }
-       printf("\n");
-#else
-       printf("%s\n\t[et%d:%d]: ", label, keyblk->enctype, keyblk->length);
-       for (i = 0; i < (int)keyblk->length; i++) {
-               printf("%02x", keyblk->contents[i]);
-       }
-       printf("\n");
-#endif
-}
-
-
-/*     Display contents of krb5_principal_data struct, for debugging
-**     (krb5_principal is typedef'd == krb5_principal_data *)
-*/
-static void
-print_krb5_princ(char *label, krb5_principal_data *princ)
-{
-       int i, ui, uj;
-
-       printf("%s principal Realm: ", label);
-       if (princ == NULL)
-               return;
-       for (ui = 0; ui < (int)princ->realm.length; ui++)
-               putchar(princ->realm.data[ui]);
-       printf(" (nametype %d) has %d strings:\n", princ->type, princ->length);
-       for (i = 0; i < (int)princ->length; i++) {
-               printf("\t%d [%d]: ", i, princ->data[i].length);
-               for (uj = 0; uj < (int)princ->data[i].length; uj++) {
-                       putchar(princ->data[i].data[uj]);
-               }
-               printf("\n");
-       }
-       return;
-}
-
-
-/*     Given krb5 service (typically "kssl") and hostname in kssl_ctx,
-**     Return encrypted Kerberos ticket for service @ hostname.
-**     If authenp is non-NULL, also return encrypted authenticator,
-**     whose data should be freed by caller.
-**     (Originally was: Create Kerberos AP_REQ message for SSL Client.)
-**
-**     19990628        VRS     Started; Returns Kerberos AP_REQ message.
-**     20010409        VRS     Modified for RFC2712; Returns enc tkt.
-**     20010606        VRS     May also return optional authenticator.
-*/
-krb5_error_code
-kssl_cget_tkt(
-       /* UPDATE */    KSSL_CTX *kssl_ctx,
-       /* OUT    */    krb5_data **enc_ticketp,
-       /* UPDATE */    krb5_data *authenp,
-       /* OUT    */    KSSL_ERR *kssl_err)
-{
-       krb5_error_code         krb5rc = KRB5KRB_ERR_GENERIC;
-       krb5_context            krb5context = NULL;
-       krb5_auth_context       krb5auth_context = NULL;
-       krb5_ccache             krb5ccdef = NULL;
-       krb5_creds              krb5creds, *krb5credsp = NULL;
-       krb5_data               krb5_app_req;
-
-       kssl_err_set(kssl_err, 0, "");
-       memset((char *)&krb5creds, 0, sizeof(krb5creds));
-
-       if (!kssl_ctx) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "No kssl_ctx defined.\n");
-               goto err;
-       } else if (!kssl_ctx->service_host) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "kssl_ctx service_host undefined.\n");
-               goto err;
-       }
-
-       if ((krb5rc = krb5_init_context(&krb5context)) != 0) {
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "krb5_init_context() fails: %d\n", krb5rc);
-               kssl_err->reason = SSL_R_KRB5_C_INIT;
-               goto err;
-       }
-
-       if ((krb5rc = krb5_sname_to_principal(krb5context,
-           kssl_ctx->service_host,
-           (kssl_ctx->service_name) ? kssl_ctx->service_name : KRB5SVC,
-           KRB5_NT_SRV_HST, &krb5creds.server)) != 0) {
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "krb5_sname_to_principal() fails for %s/%s\n",
-                   kssl_ctx->service_host, (kssl_ctx->service_name) ?
-                   kssl_ctx->service_name : KRB5SVC);
-               kssl_err->reason = SSL_R_KRB5_C_INIT;
-               goto err;
-       }
-
-       if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
-                   "krb5_cc_default fails.\n");
-               goto err;
-       }
-
-       if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
-           &krb5creds.client)) != 0) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_C_CC_PRINC,
-                   "krb5_cc_get_principal() fails.\n");
-               goto err;
-       }
-
-       if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
-           &krb5creds, &krb5credsp)) != 0) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_C_GET_CRED,
-                   "krb5_get_credentials() fails.\n");
-               goto err;
-       }
-
-       *enc_ticketp = &krb5credsp->ticket;
-#ifdef KRB5_HEIMDAL
-       kssl_ctx->enctype = krb5credsp->session.keytype;
-#else
-       kssl_ctx->enctype = krb5credsp->keyblock.enctype;
-#endif
-
-       krb5rc = KRB5KRB_ERR_GENERIC;
-       /*      caller should free data of krb5_app_req  */
-       /*  20010406 VRS deleted for real KerberosWrapper
-       **  20010605 VRS reinstated to offer Authenticator to KerberosWrapper
-       */
-       krb5_app_req.length = 0;
-       if (authenp) {
-               krb5_data       krb5in_data;
-               const unsigned char     *p;
-               long            arlen;
-               KRB5_APREQBODY  *ap_req;
-
-               authenp->length = 0;
-               krb5in_data.data = NULL;
-               krb5in_data.length = 0;
-               if ((krb5rc = krb5_mk_req_extended(krb5context,
-                   &krb5auth_context, 0, &krb5in_data, krb5credsp,
-                   &krb5_app_req)) != 0) {
-                       kssl_err_set(kssl_err, SSL_R_KRB5_C_MK_REQ,
-                           "krb5_mk_req_extended() fails.\n");
-                       goto err;
-               }
-
-               arlen = krb5_app_req.length;
-               p = (unsigned char *)krb5_app_req.data;
-               ap_req = (KRB5_APREQBODY *) d2i_KRB5_APREQ(NULL, &p, arlen);
-               if (ap_req) {
-                       authenp->length = i2d_KRB5_ENCDATA(
-                           ap_req->authenticator, NULL);
-                       if (authenp->length &&
-                           (authenp->data = malloc(authenp->length))) {
-                               unsigned char   *adp = (unsigned char *)authenp->data;
-                               authenp->length = i2d_KRB5_ENCDATA(
-                                   ap_req->authenticator, &adp);
-                       }
-               }
-
-               if (ap_req)
-                       KRB5_APREQ_free((KRB5_APREQ *) ap_req);
-               if (krb5_app_req.length)
-                       kssl_krb5_free_data_contents(krb5context, &krb5_app_req);
-       }
-#ifdef KRB5_HEIMDAL
-       if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->session)) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
-                   "kssl_ctx_setkey() fails.\n");
-       }
-#else
-       if (kssl_ctx_setkey(kssl_ctx, &krb5credsp->keyblock)) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_C_INIT,
-                   "kssl_ctx_setkey() fails.\n");
-       }
-#endif
-       else
-               krb5rc = 0;
-
-err:
-#ifdef KSSL_DEBUG
-       kssl_ctx_show(kssl_ctx);
-#endif /* KSSL_DEBUG */
-
-       if (krb5creds.client)
-               krb5_free_principal(krb5context, krb5creds.client);
-       if (krb5creds.server)
-               krb5_free_principal(krb5context, krb5creds.server);
-       if (krb5auth_context)
-               krb5_auth_con_free(krb5context, krb5auth_context);
-       if (krb5context)
-               krb5_free_context(krb5context);
-       return (krb5rc);
-}
-
-
-/*  Given d2i_-decoded asn1ticket, allocate and return a new krb5_ticket.
-**  Return Kerberos error code and kssl_err struct on error.
-**  Allocates krb5_ticket and krb5_principal; caller should free these.
-**
-**     20010410        VRS     Implemented krb5_decode_ticket() as
-**                             old_krb5_decode_ticket(). Missing from MIT1.0.6.
-**     20010615        VRS     Re-cast as openssl/asn1 d2i_*() functions.
-**                             Re-used some of the old krb5_decode_ticket()
-**                             code here.  This tkt should alloc/free just
-**                             like the real thing.
-*/
-static krb5_error_code
-kssl_TKT2tkt(
-       /* IN     */    krb5_context    krb5context,
-       /* IN     */    KRB5_TKTBODY    *asn1ticket,
-       /* OUT    */    krb5_ticket     **krb5ticket,
-       /* OUT    */    KSSL_ERR *kssl_err  )
-{
-       krb5_error_code                 krb5rc = KRB5KRB_ERR_GENERIC;
-       krb5_ticket                     *new5ticket = NULL;
-       ASN1_GENERALSTRING              *gstr_svc, *gstr_host;
-
-       *krb5ticket = NULL;
-
-       if (asn1ticket == NULL || asn1ticket->realm == NULL ||
-           asn1ticket->sname == NULL ||
-           sk_ASN1_GENERALSTRING_num(asn1ticket->sname->namestring) < 2) {
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "Null field in asn1ticket.\n");
-               kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
-               return KRB5KRB_ERR_GENERIC;
-       }
-
-       if ((new5ticket = calloc(1, sizeof(krb5_ticket))) == NULL) {
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "Unable to allocate new krb5_ticket.\n");
-               kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
-               return ENOMEM; /*  or  KRB5KRB_ERR_GENERIC; */
-       }
-
-       gstr_svc = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 0);
-       gstr_host = sk_ASN1_GENERALSTRING_value(asn1ticket->sname->namestring, 1);
-
-       if ((krb5rc = kssl_build_principal_2(krb5context, &new5ticket->server,
-           asn1ticket->realm->length, (char *)asn1ticket->realm->data,
-           gstr_svc->length, (char *)gstr_svc->data, gstr_host->length,
-           (char *)gstr_host->data)) != 0) {
-               free(new5ticket);
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "Error building ticket server principal.\n");
-               kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
-               return krb5rc; /*  or  KRB5KRB_ERR_GENERIC; */
-       }
-
-       krb5_princ_type(krb5context, new5ticket->server) =
-           asn1ticket->sname->nametype->data[0];
-       new5ticket->enc_part.enctype = asn1ticket->encdata->etype->data[0];
-       new5ticket->enc_part.kvno = asn1ticket->encdata->kvno->data[0];
-       new5ticket->enc_part.ciphertext.length =
-           asn1ticket->encdata->cipher->length;
-       if ((new5ticket->enc_part.ciphertext.data =
-           calloc(1, asn1ticket->encdata->cipher->length)) == NULL) {
-               free(new5ticket);
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "Error allocating cipher in krb5ticket.\n");
-               kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
-               return KRB5KRB_ERR_GENERIC;
-       } else {
-               memcpy(new5ticket->enc_part.ciphertext.data,
-                   asn1ticket->encdata->cipher->data,
-                   asn1ticket->encdata->cipher->length);
-       }
-
-       *krb5ticket = new5ticket;
-       return 0;
-}
-
-
-/*     Given krb5 service name in KSSL_CTX *kssl_ctx (typically "kssl"),
-**             and krb5 AP_REQ message & message length,
-**     Return Kerberos session key and client principle
-**             to SSL Server in KSSL_CTX *kssl_ctx.
-**
-**     19990702        VRS     Started.
-*/
-krb5_error_code
-kssl_sget_tkt(
-       /* UPDATE */    KSSL_CTX                *kssl_ctx,
-       /* IN     */    krb5_data               *indata,
-       /* OUT    */    krb5_ticket_times       *ttimes,
-       /* OUT    */    KSSL_ERR                *kssl_err  )
-{
-       krb5_error_code                 krb5rc = KRB5KRB_ERR_GENERIC;
-       static krb5_context             krb5context = NULL;
-       static krb5_auth_context        krb5auth_context = NULL;
-       krb5_ticket                     *krb5ticket = NULL;
-       KRB5_TKTBODY                    *asn1ticket = NULL;
-       const unsigned char             *p;
-       krb5_keytab                     krb5keytab = NULL;
-       krb5_keytab_entry               kt_entry;
-       krb5_principal                  krb5server;
-       krb5_rcache                     rcache = NULL;
-
-       kssl_err_set(kssl_err, 0, "");
-
-       if (!kssl_ctx) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "No kssl_ctx defined.\n");
-               goto err;
-       }
-
-#ifdef KSSL_DEBUG
-       printf("in kssl_sget_tkt(%s)\n", kstring(kssl_ctx->service_name));
-#endif /* KSSL_DEBUG */
-
-       if (!krb5context && (krb5rc = krb5_init_context(&krb5context))) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "krb5_init_context() fails.\n");
-               goto err;
-       }
-       if (krb5auth_context &&
-           (krb5rc = krb5_auth_con_free(krb5context, krb5auth_context))) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "krb5_auth_con_free() fails.\n");
-               goto err;
-       } else
-               krb5auth_context = NULL;
-       if (!krb5auth_context &&
-           (krb5rc = krb5_auth_con_init(krb5context, &krb5auth_context))) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "krb5_auth_con_init() fails.\n");
-               goto err;
-       }
-
-       if ((krb5rc = krb5_auth_con_getrcache(krb5context, krb5auth_context,
-           &rcache))) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "krb5_auth_con_getrcache() fails.\n");
-               goto err;
-       }
-
-       if ((krb5rc = krb5_sname_to_principal(krb5context, NULL,
-           (kssl_ctx->service_name) ? kssl_ctx->service_name : KRB5SVC,
-           KRB5_NT_SRV_HST, &krb5server)) != 0) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "krb5_sname_to_principal() fails.\n");
-               goto err;
-       }
-
-       if (rcache == NULL) {
-               if ((krb5rc = krb5_get_server_rcache(krb5context,
-                   krb5_princ_component(krb5context, krb5server, 0),
-                   &rcache))) {
-                       kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                           "krb5_get_server_rcache() fails.\n");
-                       goto err;
-               }
-       }
-
-       if ((krb5rc = krb5_auth_con_setrcache(krb5context, krb5auth_context,
-           rcache))) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "krb5_auth_con_setrcache() fails.\n");
-               goto err;
-       }
-
-
-       /*      kssl_ctx->keytab_file == NULL ==> use Kerberos default
-       */
-       if (kssl_ctx->keytab_file) {
-               krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
-                   &krb5keytab);
-               if (krb5rc) {
-                       kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                           "krb5_kt_resolve() fails.\n");
-                       goto err;
-               }
-       } else {
-               krb5rc = krb5_kt_default(krb5context, &krb5keytab);
-               if (krb5rc) {
-                       kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                           "krb5_kt_default() fails.\n");
-                       goto err;
-               }
-       }
-
-       /*      Actual Kerberos5 krb5_recvauth() has initial conversation here
-       **      o       check KRB5_SENDAUTH_BADAUTHVERS
-       **              unless KRB5_RECVAUTH_SKIP_VERSION
-       **      o       check KRB5_SENDAUTH_BADAPPLVERS
-       **      o       send "0" msg if all OK
-       */
-
-       /*  20010411 was using AP_REQ instead of true KerberosWrapper
-       **
-       **  if ((krb5rc = krb5_rd_req(krb5context, &krb5auth_context,
-       **                      &krb5in_data, krb5server, krb5keytab,
-       **                      &ap_option, &krb5ticket)) != 0)  { Error }
-       */
-
-       p = (unsigned char *)indata->data;
-       if ((asn1ticket = (KRB5_TKTBODY *) d2i_KRB5_TICKET(NULL, &p,
-           (long)indata->length)) == NULL) {
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "d2i_KRB5_TICKET() ASN.1 decode failure.\n");
-               kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
-               goto err;
-       }
-
-       /* Was:  krb5rc = krb5_decode_ticket(krb5in_data,&krb5ticket)) != 0) */
-       if ((krb5rc = kssl_TKT2tkt(krb5context, asn1ticket, &krb5ticket,
-           kssl_err)) != 0) {
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "Error converting ASN.1 ticket to krb5_ticket.\n");
-               kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
-               goto err;
-       }
-
-       if (!krb5_principal_compare(krb5context, krb5server,
-           krb5ticket->server))  {
-               krb5rc = KRB5_PRINC_NOMATCH;
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "server principal != ticket principal\n");
-               kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
-               goto err;
-       }
-       if ((krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
-           krb5ticket->server, krb5ticket->enc_part.kvno,
-           krb5ticket->enc_part.enctype, &kt_entry)) != 0)  {
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "krb5_kt_get_entry() fails with %x.\n", krb5rc);
-               kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
-               goto err;
-       }
-       if ((krb5rc = krb5_decrypt_tkt_part(krb5context, &kt_entry.key,
-           krb5ticket)) != 0)  {
-               (void) snprintf(kssl_err->text, KSSL_ERR_MAX,
-                   "krb5_decrypt_tkt_part() failed.\n");
-               kssl_err->reason = SSL_R_KRB5_S_RD_REQ;
-               goto err;
-       } else {
-               krb5_kt_free_entry(krb5context, &kt_entry);
-#ifdef KSSL_DEBUG
-               {
-                       int i;
-                       krb5_address **paddr = krb5ticket->enc_part2->caddrs;
-                       printf("Decrypted ticket fields:\n");
-                       printf("\tflags: %X, transit-type: %X",
-                           krb5ticket->enc_part2->flags,
-                           krb5ticket->enc_part2->transited.tr_type);
-                       print_krb5_data("\ttransit-data: ",
-                           &(krb5ticket->enc_part2->transited.tr_contents));
-                       printf("\tcaddrs: %p, authdata: %p\n",
-                           krb5ticket->enc_part2->caddrs,
-                           krb5ticket->enc_part2->authorization_data);
-                       if (paddr) {
-                               printf("\tcaddrs:\n");
-                               for (i = 0; paddr[i] != NULL; i++) {
-                                       krb5_data d;
-                                       d.length = paddr[i]->length;
-                                       d.data = paddr[i]->contents;
-                                       print_krb5_data("\t\tIP: ", &d);
-                               }
-                       }
-                       printf("\tstart/auth/end times: %d / %d / %d\n",
-                           krb5ticket->enc_part2->times.starttime,
-                           krb5ticket->enc_part2->times.authtime,
-                           krb5ticket->enc_part2->times.endtime);
-               }
-#endif /* KSSL_DEBUG */
-       }
-
-       krb5rc = KRB5_NO_TKT_SUPPLIED;
-       if (!krb5ticket || !krb5ticket->enc_part2 ||
-           !krb5ticket->enc_part2->client ||
-           !krb5ticket->enc_part2->client->data ||
-           !krb5ticket->enc_part2->session) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
-                   "bad ticket from krb5_rd_req.\n");
-       } else if (kssl_ctx_setprinc(kssl_ctx, KSSL_CLIENT,
-           &krb5ticket->enc_part2->client->realm,
-           krb5ticket->enc_part2->client->data,
-           krb5ticket->enc_part2->client->length)) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
-                   "kssl_ctx_setprinc() fails.\n");
-       } else if (kssl_ctx_setkey(kssl_ctx, krb5ticket->enc_part2->session)) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
-                   "kssl_ctx_setkey() fails.\n");
-       } else if (krb5ticket->enc_part2->flags & TKT_FLG_INVALID) {
-               krb5rc = KRB5KRB_AP_ERR_TKT_INVALID;
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_BAD_TICKET,
-                   "invalid ticket from krb5_rd_req.\n");
-       } else
-               krb5rc = 0;
-
-       kssl_ctx->enctype = krb5ticket->enc_part.enctype;
-       ttimes->authtime = krb5ticket->enc_part2->times.authtime;
-       ttimes->starttime = krb5ticket->enc_part2->times.starttime;
-       ttimes->endtime = krb5ticket->enc_part2->times.endtime;
-       ttimes->renew_till = krb5ticket->enc_part2->times.renew_till;
-
-err:
-#ifdef KSSL_DEBUG
-       kssl_ctx_show(kssl_ctx);
-#endif /* KSSL_DEBUG */
-
-       if (asn1ticket)
-               KRB5_TICKET_free((KRB5_TICKET *) asn1ticket);
-       if (krb5keytab)
-               krb5_kt_close(krb5context, krb5keytab);
-       if (krb5ticket)
-               krb5_free_ticket(krb5context, krb5ticket);
-       if (krb5server)
-               krb5_free_principal(krb5context, krb5server);
-       return (krb5rc);
-}
-
-
-/*     Allocate & return a new kssl_ctx struct.
-*/
-KSSL_CTX *
-kssl_ctx_new(void)
-{
-       return (calloc(1, sizeof(KSSL_CTX)));
-}
-
-
-/*     Frees a kssl_ctx struct and any allocated memory it holds.
-**     Returns NULL.
-*/
-KSSL_CTX *
-kssl_ctx_free(KSSL_CTX *kssl_ctx)
-{
-       if (kssl_ctx == NULL)
-               return kssl_ctx;
-
-       if (kssl_ctx->key)
-               OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
-       if (kssl_ctx->key)
-               free(kssl_ctx->key);
-       if (kssl_ctx->client_princ)
-               free(kssl_ctx->client_princ);
-       if (kssl_ctx->service_host)
-               free(kssl_ctx->service_host);
-       if (kssl_ctx->service_name)
-               free(kssl_ctx->service_name);
-       if (kssl_ctx->keytab_file)
-               free(kssl_ctx->keytab_file);
-
-       free(kssl_ctx);
-       return (KSSL_CTX *) NULL;
-}
-
-
-/*     Given an array of (krb5_data *) entity (and optional realm),
-**     set the plain (char *) client_princ or service_host member
-**     of the kssl_ctx struct.
-*/
-krb5_error_code
-kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which, krb5_data *realm,
-    krb5_data *entity, int nentities)
-{
-       char    **princ;
-       int     length;
-       int i;
-
-       if (kssl_ctx == NULL || entity == NULL)
-               return KSSL_CTX_ERR;
-
-       switch (which) {
-       case KSSL_CLIENT:
-               princ = &kssl_ctx->client_princ;
-               break;
-       case KSSL_SERVER:
-               princ = &kssl_ctx->service_host;
-               break;
-       default:
-               return KSSL_CTX_ERR;
-               break;
-       }
-       free(*princ);
-       *princ = NULL;
-
-       /* Add up all the entity->lengths */
-       length = 0;
-       for (i = 0; i < nentities; i++) {
-               length += entity[i].length;
-       }
-       /* Add in space for the '/' character(s) (if any) */
-       length += nentities - 1;
-       /* Space for the ('@'+realm+NULL | NULL) */
-       length += ((realm) ? realm->length + 2 : 1);
-
-       if ((*princ = calloc(1, length)) == NULL)
-               return KSSL_CTX_ERR;
-       else {
-               for (i = 0; i < nentities; i++) {
-                       strncat(*princ, entity[i].data, entity[i].length);
-                       if (i < nentities - 1) {
-                               strcat (*princ, "/");
-                       }
-               }
-               if (realm) {
-                       strcat (*princ, "@");
-                       (void) strncat(*princ, realm->data, realm->length);
-               }
-       }
-
-       return KSSL_CTX_OK;
-}
-
-
-/*     Set one of the plain (char *) string members of the kssl_ctx struct.
-**     Default values should be:
-**             which == KSSL_SERVICE   =>      "khost" (KRB5SVC)
-**             which == KSSL_KEYTAB    =>      "/etc/krb5.keytab" (KRB5KEYTAB)
-*/
-krb5_error_code
-kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text)
-{
-       char    **string;
-
-       if (!kssl_ctx)
-               return KSSL_CTX_ERR;
-
-       switch (which) {
-       case KSSL_SERVICE:
-               string = &kssl_ctx->service_name;
-               break;
-       case KSSL_SERVER:
-               string = &kssl_ctx->service_host;
-               break;
-       case KSSL_CLIENT:
-               string = &kssl_ctx->client_princ;
-               break;
-       case KSSL_KEYTAB:
-               string = &kssl_ctx->keytab_file;
-               break;
-       default:
-               return KSSL_CTX_ERR;
-               break;
-       }
-       free(*string);
-       *string = NULL;
-
-       if (text && (*string = strdup(text)) == NULL)
-               return KSSL_CTX_ERR;
-
-       return KSSL_CTX_OK;
-}
-
-
-/*     Copy the Kerberos session key from a (krb5_keyblock *) to a kssl_ctx
-**     struct.  Clear kssl_ctx->key if Kerberos session key is NULL.
-*/
-krb5_error_code
-kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session)
-{
-       int             length;
-       krb5_enctype    enctype;
-       krb5_octet FAR  *contents = NULL;
-
-       if (!kssl_ctx)
-               return KSSL_CTX_ERR;
-
-       if (kssl_ctx->key) {
-               OPENSSL_cleanse(kssl_ctx->key, kssl_ctx->length);
-               free(kssl_ctx->key);
-               kssl_ctx->key = NULL;
-       }
-
-       if (session) {
-
-#ifdef KRB5_HEIMDAL
-               length = session->keyvalue->length;
-               enctype = session->keytype;
-               contents = session->keyvalue->contents;
-#else
-               length = session->length;
-               enctype = session->enctype;
-               contents = session->contents;
-#endif
-               kssl_ctx->enctype = enctype;
-               kssl_ctx->length = length;
-       } else {
-               kssl_ctx->enctype = ENCTYPE_UNKNOWN;
-               kssl_ctx->length = 0;
-               return KSSL_CTX_OK;
-       }
-
-       if ((kssl_ctx->key = calloc(1, kssl_ctx->length)) == NULL) {
-               kssl_ctx->length = 0;
-               return KSSL_CTX_ERR;
-       } else
-               memcpy(kssl_ctx->key, contents, length);
-
-       return KSSL_CTX_OK;
-}
-
-
-/*     Display contents of kssl_ctx struct
-*/
-void
-kssl_ctx_show(KSSL_CTX *kssl_ctx)
-{
-       int     i;
-
-       printf("kssl_ctx: ");
-       if (kssl_ctx == NULL) {
-               printf("NULL\n");
-               return;
-       } else
-               printf("%p\n", (void *)kssl_ctx);
-
-       printf("\tservice:\t%s\n",
-           (kssl_ctx->service_name) ? kssl_ctx->service_name : "NULL");
-       printf("\tclient:\t%s\n",
-           (kssl_ctx->client_princ) ? kssl_ctx->client_princ : "NULL");
-       printf("\tserver:\t%s\n",
-           (kssl_ctx->service_host) ? kssl_ctx->service_host : "NULL");
-       printf("\tkeytab:\t%s\n",
-           (kssl_ctx->keytab_file) ? kssl_ctx->keytab_file : "NULL");
-       printf("\tkey [%d:%d]:\t",
-           kssl_ctx->enctype, kssl_ctx->length);
-
-       for (i = 0; i < kssl_ctx->length && kssl_ctx->key; i++) {
-               printf("%02x", kssl_ctx->key[i]);
-       }
-       printf("\n");
-       return;
-}
-
-int
-kssl_keytab_is_available(KSSL_CTX *kssl_ctx)
-{
-       krb5_context            krb5context = NULL;
-       krb5_keytab             krb5keytab = NULL;
-       krb5_keytab_entry           entry;
-       krb5_principal              princ = NULL;
-       krb5_error_code                 krb5rc = KRB5KRB_ERR_GENERIC;
-       int rc = 0;
-
-       if ((krb5rc = krb5_init_context(&krb5context)))
-               return (0);
-
-    /* kssl_ctx->keytab_file == NULL ==> use Kerberos default
-    */
-       if (kssl_ctx->keytab_file) {
-               krb5rc = krb5_kt_resolve(krb5context, kssl_ctx->keytab_file,
-                   &krb5keytab);
-               if (krb5rc)
-                       goto exit;
-       } else {
-               krb5rc = krb5_kt_default(krb5context, &krb5keytab);
-               if (krb5rc)
-                       goto exit;
-       }
-
-       /* the host key we are looking for */
-       krb5rc = krb5_sname_to_principal(krb5context, NULL,
-           kssl_ctx->service_name ? kssl_ctx->service_name : KRB5SVC,
-           KRB5_NT_SRV_HST, &princ);
-
-       if (krb5rc)
-               goto exit;
-
-       krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, princ,
-           0 /* IGNORE_VNO */,
-           0 /* IGNORE_ENCTYPE */,
-           &entry);
-       if (krb5rc == KRB5_KT_NOTFOUND) {
-               rc = 1;
-               goto exit;
-       } else if (krb5rc)
-               goto exit;
-
-       krb5_kt_free_entry(krb5context, &entry);
-       rc = 1;
-
-exit:
-       if (krb5keytab)
-               krb5_kt_close(krb5context, krb5keytab);
-       if (princ)
-               krb5_free_principal(krb5context, princ);
-       if (krb5context)
-               krb5_free_context(krb5context);
-       return (rc);
-}
-
-int
-kssl_tgt_is_available(KSSL_CTX *kssl_ctx)
-{
-       krb5_error_code         krb5rc = KRB5KRB_ERR_GENERIC;
-       krb5_context            krb5context = NULL;
-       krb5_ccache             krb5ccdef = NULL;
-       krb5_creds              krb5creds, *krb5credsp = NULL;
-       int                     rc = 0;
-
-       memset((char *)&krb5creds, 0, sizeof(krb5creds));
-
-       if (!kssl_ctx)
-               return (0);
-
-       if (!kssl_ctx->service_host)
-               return (0);
-
-       if ((krb5rc = krb5_init_context(&krb5context)) != 0)
-               goto err;
-
-       if ((krb5rc = krb5_sname_to_principal(
-           krb5context, kssl_ctx->service_host,
-           (kssl_ctx->service_name) ? kssl_ctx->service_name : KRB5SVC,
-           KRB5_NT_SRV_HST, &krb5creds.server)) != 0)
-               goto err;
-
-       if ((krb5rc = krb5_cc_default(krb5context, &krb5ccdef)) != 0)
-               goto err;
-
-       if ((krb5rc = krb5_cc_get_principal(krb5context, krb5ccdef,
-           &krb5creds.client)) != 0)
-               goto err;
-
-       if ((krb5rc = krb5_get_credentials(krb5context, 0, krb5ccdef,
-           &krb5creds, &krb5credsp)) != 0)
-               goto err;
-
-       rc = 1;
-
-err:
-#ifdef KSSL_DEBUG
-       kssl_ctx_show(kssl_ctx);
-#endif /* KSSL_DEBUG */
-
-       if (krb5creds.client)
-               krb5_free_principal(krb5context, krb5creds.client);
-       if (krb5creds.server)
-               krb5_free_principal(krb5context, krb5creds.server);
-       if (krb5context)
-               krb5_free_context(krb5context);
-       return (rc);
-}
-
-void
-kssl_krb5_free_data_contents(krb5_context context, krb5_data *data)
-{
-#ifdef KRB5_HEIMDAL
-       data->length = 0;
-       if (data->data)
-               free(data->data);
-#elif defined(KRB5_MIT_OLD11)
-       if (data->data)  {
-               krb5_xfree(data->data);
-               data->data = 0;
-       }
-#else
-       krb5_free_data_contents(NULL, data);
-#endif
-}
-
-/*  Given pointers to KerberosTime and struct tm structs, convert the
-**  KerberosTime string to struct tm.  Note that KerberosTime is a
-**  ASN1_GENERALIZEDTIME value, constrained to GMT with no fractional
-**  seconds as defined in RFC 1510.
-**  Return pointer to the (partially) filled in struct tm on success,
-**  return NULL on failure.
-*/
-static struct tm *
-k_gmtime(ASN1_GENERALIZEDTIME *gtime, struct tm *k_tm)
-{
-       char            c, *p;
-
-       if (!k_tm)
-               return NULL;
-       if (gtime == NULL || gtime->length < 14)
-               return NULL;
-       if (gtime->data == NULL)
-               return NULL;
-
-       p = (char *)&gtime->data[14];
-
-       c = *p;
-       *p = '\0';
-       p -= 2;
-       k_tm->tm_sec = atoi(p);
-       *(p + 2) = c;
-       c = *p;
-       *p = '\0';
-       p -= 2;
-       k_tm->tm_min = atoi(p);
-       *(p + 2) = c;
-       c = *p;
-       *p = '\0';
-       p -= 2;
-       k_tm->tm_hour = atoi(p);
-       *(p + 2) = c;
-       c = *p;
-       *p = '\0';
-       p -= 2;
-       k_tm->tm_mday = atoi(p);
-       *(p + 2) = c;
-       c = *p;
-       *p = '\0';
-       p -= 2;
-       k_tm->tm_mon = atoi(p) - 1;
-       *(p + 2) = c;
-       c = *p;
-       *p = '\0';
-       p -= 4;
-       k_tm->tm_year = atoi(p) - 1900;
-       *(p + 4) = c;
-
-       return k_tm;
-}
-
-
-/*  Helper function for kssl_validate_times().
-**  We need context->clockskew, but krb5_context is an opaque struct.
-**  So we try to sneek the clockskew out through the replay cache.
-**     If that fails just return a likely default (300 seconds).
-*/
-static krb5_deltat
-get_rc_clockskew(krb5_context context)
-{
-       krb5_rcache     rc;
-       krb5_deltat     clockskew;
-
-       if (krb5_rc_default(context, &rc))
-               return KSSL_CLOCKSKEW;
-       if (krb5_rc_initialize(context, rc, 0))
-               return KSSL_CLOCKSKEW;
-       if (krb5_rc_get_lifespan(context, rc, &clockskew))  {
-               clockskew = KSSL_CLOCKSKEW;
-       }
-       (void)krb5_rc_destroy(context, rc);
-       return clockskew;
-}
-
-
-/*  kssl_validate_times() combines (and more importantly exposes)
-**  the MIT KRB5 internal function krb5_validate_times() and the
-**  in_clock_skew() macro.  The authenticator client time is checked
-**  to be within clockskew secs of the current time and the current
-**  time is checked to be within the ticket start and expire times.
-**  Either check may be omitted by supplying a NULL value.
-**  Returns 0 for valid times, SSL_R_KRB5* error codes otherwise.
-**  See Also: (Kerberos source)/krb5/lib/krb5/krb/valid_times.c
-**  20010420 VRS
-*/
-krb5_error_code
-kssl_validate_times(krb5_timestamp atime, krb5_ticket_times *ttimes)
-{
-       krb5_deltat     skew;
-       krb5_timestamp  start, now;
-       krb5_error_code rc;
-       krb5_context    context;
-
-       if ((rc = krb5_init_context(&context)))
-               return SSL_R_KRB5_S_BAD_TICKET;
-       skew = get_rc_clockskew(context);
-
-       if ((rc = krb5_timeofday(context, &now)))
-               return SSL_R_KRB5_S_BAD_TICKET;
-       krb5_free_context(context);
-
-       if (atime && labs(atime - now) >= skew)
-               return SSL_R_KRB5_S_TKT_SKEW;
-
-       if (!ttimes)
-               return 0;
-
-       start = (ttimes->starttime != 0) ? ttimes->starttime : ttimes->authtime;
-       if (start - now > skew)
-               return SSL_R_KRB5_S_TKT_NYV;
-       if ((now - ttimes->endtime) > skew)
-               return SSL_R_KRB5_S_TKT_EXPIRED;
-
-#ifdef KSSL_DEBUG
-       printf("kssl_validate_times: %d |<-  | %d - %d | < %d  ->| %d\n",
-           start, atime, now, skew, ttimes->endtime);
-#endif /* KSSL_DEBUG */
-
-       return 0;
-}
-
-
-/*  Decode and decrypt given DER-encoded authenticator, then pass
-**  authenticator ctime back in *atimep (or 0 if time unavailable).
-**  Returns krb5_error_code and kssl_err on error.  A NULL
-**  authenticator (authentp->length == 0) is not considered an error.
-**  Note that kssl_check_authent() makes use of the KRB5 session key;
-**  you must call kssl_sget_tkt() to get the key before calling this routine.
-*/
-krb5_error_code
-kssl_check_authent(
-       /* IN     */    KSSL_CTX        *kssl_ctx,
-       /* IN     */    krb5_data       *authentp,
-       /* OUT    */    krb5_timestamp  *atimep,
-       /* OUT    */    KSSL_ERR        *kssl_err  )
-{
-       krb5_error_code         krb5rc = 0;
-       KRB5_ENCDATA            *dec_authent = NULL;
-       KRB5_AUTHENTBODY        *auth = NULL;
-       krb5_enctype            enctype;
-       EVP_CIPHER_CTX          ciph_ctx;
-       const EVP_CIPHER        *enc = NULL;
-       unsigned char           iv[EVP_MAX_IV_LENGTH];
-       const unsigned char     *p;
-       unsigned char           *unenc_authent;
-       int                     outl, unencbufsize;
-       struct tm               tm_time, *tm_l, *tm_g;
-       time_t                  now, tl, tg, tr, tz_offset;
-
-       EVP_CIPHER_CTX_init(&ciph_ctx);
-       *atimep = 0;
-       kssl_err_set(kssl_err, 0, "");
-
-#ifndef KRB5CHECKAUTH
-       authentp = NULL;
-#else
-#if    KRB5CHECKAUTH == 0
-       authentp = NULL;
-#endif
-#endif /* KRB5CHECKAUTH */
-
-       if (authentp == NULL || authentp->length == 0)
-               return 0;
-
-#ifdef KSSL_DEBUG
-       {
-               unsigned int ui;
-               printf("kssl_check_authent: authenticator[%d]:\n", authentp->length);
-               p = authentp->data;
-
-               for (ui = 0; ui < authentp->length; ui++)  printf("%02x ", p[ui]);
-                       printf("\n");
-       }
-#endif /* KSSL_DEBUG */
-
-       unencbufsize = 2 * authentp->length;
-       if ((unenc_authent = calloc(1, unencbufsize)) == NULL) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "Unable to allocate authenticator buffer.\n");
-               krb5rc = KRB5KRB_ERR_GENERIC;
-               goto err;
-       }
-
-       p = (unsigned char *)authentp->data;
-       if ((dec_authent = d2i_KRB5_ENCDATA(NULL, &p,
-           (long)authentp->length)) == NULL) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "Error decoding authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-       }
-
-       enctype = dec_authent->etype->data[0];  /* should = kssl_ctx->enctype */
-#if !defined(KRB5_MIT_OLD11)
-       switch (enctype ) {
-       case ENCTYPE_DES3_CBC_SHA1: /*    EVP_des_ede3_cbc(); */
-       case ENCTYPE_DES3_CBC_SHA:
-       case ENCTYPE_DES3_CBC_RAW:
-               krb5rc = 0;
-               /* Skip, can't handle derived keys */
-               goto err;
-       }
-#endif
-       enc = kssl_map_enc(enctype);
-       memset(iv, 0, sizeof iv);
-       /* per RFC 1510 */
-
-       if (enc == NULL) {
-               /*  Disable kssl_check_authent for ENCTYPE_DES3_CBC_SHA1.
-               **  This enctype indicates the authenticator was encrypted
-               **  using key-usage derived keys which openssl cannot decrypt.
-               */
-               goto err;
-       }
-
-       if (!EVP_CipherInit(&ciph_ctx, enc, kssl_ctx->key, iv, 0)) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "EVP_CipherInit error decrypting authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-       }
-       outl = dec_authent->cipher->length;
-       if (!EVP_Cipher(&ciph_ctx, unenc_authent, dec_authent->cipher->data, outl)) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "EVP_Cipher error decrypting authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-       }
-       EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
-#ifdef KSSL_DEBUG
-       {
-               int padl;
-               printf("kssl_check_authent: decrypted authenticator[%d] =\n", outl);
-               for (padl = 0; padl < outl; padl++) printf("%02x ", unenc_authent[padl]);
-                       printf("\n");
-       }
-#endif /* KSSL_DEBUG */
-
-       if ((p = kssl_skip_confound(enctype, unenc_authent)) == NULL) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "confounded by authenticator.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-       }
-       outl -= p - unenc_authent;
-
-       if ((auth = (KRB5_AUTHENTBODY *)d2i_KRB5_AUTHENT(NULL, &p,
-           (long)outl)) == NULL) {
-               kssl_err_set(kssl_err, SSL_R_KRB5_S_INIT,
-                   "Error decoding authenticator body.\n");
-               krb5rc = KRB5KRB_AP_ERR_BAD_INTEGRITY;
-               goto err;
-       }
-
-       memset(&tm_time, 0, sizeof(struct tm));
-       if (k_gmtime(auth->ctime, &tm_time) &&
-           ((tr = mktime(&tm_time)) != (time_t)(-1))) {
-               now = time(&now);
-               tm_l = localtime(&now);
-               tl = mktime(tm_l);
-               tm_g = gmtime(&now);
-               tg = mktime(tm_g);
-               tz_offset = tg - tl;
-
-               *atimep = (krb5_timestamp)(tr - tz_offset);
-       }
-
-#ifdef KSSL_DEBUG
-       printf("kssl_check_authent: returns %d for client time ", *atimep);
-       if (auth && auth->ctime && auth->ctime->length && auth->ctime->data)
-               printf("%.*s\n", auth->ctime->length, auth->ctime->data);
-       else
-               printf("NULL\n");
-#endif /* KSSL_DEBUG */
-
-err:
-       if (auth)
-               KRB5_AUTHENT_free((KRB5_AUTHENT *) auth);
-       if (dec_authent)
-               KRB5_ENCDATA_free(dec_authent);
-       if (unenc_authent)
-               free(unenc_authent);
-       EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-       return krb5rc;
-}
-
-
-/*  Replaces krb5_build_principal_ext(), with varargs length == 2 (svc, host),
-**  because I dont't know how to stub varargs.
-**  Returns krb5_error_code == ENOMEM on alloc error, otherwise
-**  passes back newly constructed principal, which should be freed by caller.
-*/
-krb5_error_code
-kssl_build_principal_2(
-       /* UPDATE */    krb5_context    context,
-       /* OUT    */    krb5_principal  *princ,
-       /* IN     */    int rlen,  const char *realm,
-       /* IN     */    int slen,  const char *svc,
-       /* IN     */    int hlen,  const char *host)
-{
-       krb5_data               *p_data = NULL;
-       krb5_principal          new_p = NULL;
-       char                    *new_r = NULL;
-
-       if ((p_data = calloc(2, sizeof(krb5_data))) == NULL ||
-           (new_p = calloc(1, sizeof(krb5_principal_data))) == NULL)
-               goto err;
-       new_p->length = 2;
-       new_p->data = p_data;
-
-       if ((new_r = calloc(1, rlen + 1)) == NULL)
-               goto err;
-       memcpy(new_r, realm, rlen);
-       krb5_princ_set_realm_length(context, new_p, rlen);
-       krb5_princ_set_realm_data(context, new_p, new_r);
-
-       if ((new_p->data[0].data = calloc(1, slen + 1)) == NULL)
-               goto err;
-       memcpy(new_p->data[0].data, svc, slen);
-       new_p->data[0].length = slen;
-
-       if ((new_p->data[1].data = calloc(1, hlen + 1)) == NULL)
-               goto err;
-       memcpy(new_p->data[1].data, host, hlen);
-       new_p->data[1].length = hlen;
-
-       krb5_princ_type(context, new_p) = KRB5_NT_UNKNOWN;
-       *princ = new_p;
-       return 0;
-
-err:
-       if (new_p && new_p[0].data)
-               free(new_p[0].data);
-       if (new_p && new_p[1].data)
-               free(new_p[1].data);
-       if (new_p)
-               free(new_p);
-       if (new_r)
-               free(new_r);
-       return ENOMEM;
-}
-
-void
-SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx)
-{
-       s->kssl_ctx = kctx;
-}
-
-KSSL_CTX *
-SSL_get0_kssl_ctx(SSL *s)
-{
-       return s->kssl_ctx;
-}
-
-char *
-kssl_ctx_get0_client_princ(KSSL_CTX *kctx)
-{
-       if (kctx)
-               return kctx->client_princ;
-       return NULL;
-}
-
-#else /* !OPENSSL_NO_KRB5 */
-
-#endif /* !OPENSSL_NO_KRB5     */
index ec75188..5070066 100644 (file)
 
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_KRB5
-
-#include <stdio.h>
-#include <ctype.h>
-#include <krb5.h>
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-/*
-**     Depending on which KRB5 implementation used, some types from
-**     the other may be missing.  Resolve that here and now
-*/
-#ifdef KRB5_HEIMDAL
-typedef unsigned char krb5_octet;
-#define FAR
-#else
-
-#ifndef FAR
-#define FAR
-#endif
-
-#endif
-
-/*     Uncomment this to debug kssl problems or
-**     to trace usage of the Kerberos session key
-**
-**     #define         KSSL_DEBUG
-*/
-
-#ifndef        KRB5SVC
-#define KRB5SVC        "host"
-#endif
-
-#ifndef        KRB5KEYTAB
-#define KRB5KEYTAB     "/etc/krb5.keytab"
-#endif
-
-#ifndef KRB5SENDAUTH
-#define KRB5SENDAUTH   1
-#endif
-
-#ifndef KRB5CHECKAUTH
-#define KRB5CHECKAUTH  1
-#endif
-
-#ifndef KSSL_CLOCKSKEW
-#define        KSSL_CLOCKSKEW  300;
-#endif
-
-#define        KSSL_ERR_MAX    256
-typedef struct kssl_err_st {
-       int  reason;
-       char text[KSSL_ERR_MAX];
-} KSSL_ERR;
-
-
-/*     Context for passing
-**             (1) Kerberos session key to SSL, and
-**             (2)     Config data between application and SSL lib
-*/
-typedef struct kssl_ctx_st {
-                               /*      used by:    disposition:            */
-       char *service_name;     /*      C,S         default ok (kssl)       */
-       char *service_host;     /*      C           input, REQUIRED         */
-       char *client_princ;     /*      S           output from krb5 ticket */
-       char *keytab_file;      /*      S           NULL (/etc/krb5.keytab) */
-       char *cred_cache;       /*      C           NULL (default)          */
-       krb5_enctype enctype;
-       int length;
-       krb5_octet FAR *key;
-} KSSL_CTX;
-
-#define        KSSL_CLIENT     1
-#define KSSL_SERVER    2
-#define        KSSL_SERVICE    3
-#define        KSSL_KEYTAB     4
-
-#define KSSL_CTX_OK    0
-#define KSSL_CTX_ERR   1
-#define KSSL_NOMEM     2
-
-/* Public (for use by applications that use OpenSSL with Kerberos 5 support */
-krb5_error_code kssl_ctx_setstring(KSSL_CTX *kssl_ctx, int which, char *text);
-KSSL_CTX *kssl_ctx_new(void);
-KSSL_CTX *kssl_ctx_free(KSSL_CTX *kssl_ctx);
-void kssl_ctx_show(KSSL_CTX *kssl_ctx);
-krb5_error_code kssl_ctx_setprinc(KSSL_CTX *kssl_ctx, int which,
-    krb5_data *realm, krb5_data *entity, int nentities);
-krb5_error_code kssl_cget_tkt(KSSL_CTX *kssl_ctx, krb5_data **enc_tktp,
-    krb5_data *authenp, KSSL_ERR *kssl_err);
-krb5_error_code kssl_sget_tkt(KSSL_CTX *kssl_ctx, krb5_data *indata,
-    krb5_ticket_times *ttimes, KSSL_ERR *kssl_err);
-krb5_error_code kssl_ctx_setkey(KSSL_CTX *kssl_ctx, krb5_keyblock *session);
-void kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text);
-void kssl_krb5_free_data_contents(krb5_context context, krb5_data *data);
-krb5_error_code kssl_build_principal_2(krb5_context context,
-    krb5_principal *princ, int rlen, const char *realm, int slen,
-    const char *svc, int hlen, const char *host);
-krb5_error_code kssl_validate_times(krb5_timestamp atime,
-    krb5_ticket_times *ttimes);
-krb5_error_code kssl_check_authent(KSSL_CTX *kssl_ctx, krb5_data *authentp,
-    krb5_timestamp *atimep, KSSL_ERR *kssl_err);
-unsigned char *kssl_skip_confound(krb5_enctype enctype, unsigned char *authn);
-
-void SSL_set0_kssl_ctx(SSL *s, KSSL_CTX *kctx);
-KSSL_CTX *SSL_get0_kssl_ctx(SSL *s);
-char *kssl_ctx_get0_client_princ(KSSL_CTX *kctx);
-
-#ifdef  __cplusplus
-}
-#endif
-#endif /* OPENSSL_NO_KRB5      */
 #endif /* KSSL_H       */
index c039c91..35e203b 100644 (file)
 
 #include <openssl/kssl.h>
 
-#ifndef OPENSSL_NO_KRB5
-
-#ifdef  __cplusplus
-extern "C" {
-#endif
-
-/* Private (internal to OpenSSL) */
-void print_krb5_data(char *label, krb5_data *kdata);
-void print_krb5_authdata(char *label, krb5_authdata **adata);
-void print_krb5_keyblock(char *label, krb5_keyblock *keyblk);
-
-char *kstring(char *string);
-char *knumber(int len, krb5_octet *contents);
-
-const EVP_CIPHER *kssl_map_enc(krb5_enctype enctype);
-
-int kssl_keytab_is_available(KSSL_CTX *kssl_ctx);
-int kssl_tgt_is_available(KSSL_CTX *kssl_ctx);
-
-#ifdef  __cplusplus
-}
-#endif
-#endif /* OPENSSL_NO_KRB5      */
 #endif /* KSSL_LCL_H   */
index eb55fc9..68817cd 100644 (file)
@@ -369,17 +369,6 @@ ssl3_connect(SSL *s)
                        ret = ssl3_get_server_done(s);
                        if (ret <= 0)
                                goto end;
-#ifndef OPENSSL_NO_SRP
-                       if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
-                               if ((ret = SRP_Calc_A_param(s)) <= 0) {
-                                       SSLerr(SSL_F_SSL3_CONNECT,
-                                           SSL_R_SRP_A_CALC);
-                                       ssl3_send_alert(s, SSL3_AL_FATAL,
-                                           SSL_AD_INTERNAL_ERROR);
-                                       goto end;
-                               }
-                       }
-#endif
                        if (s->s3->tmp.cert_req)
                                s->state = SSL3_ST_CW_CERT_A;
                        else
@@ -1137,10 +1126,6 @@ ssl3_get_server_certificate(SSL *s)
 
        i = ssl_verify_cert_chain(s, sk);
        if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
-#ifndef OPENSSL_NO_KRB5
-           && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
-           (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
-#endif /* OPENSSL_NO_KRB5 */
            ) {
                al = ssl_verify_alarm_type(s->verify_result);
                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1361,81 +1346,6 @@ ssl3_get_key_exchange(SSL *s)
                n -= param_len;
        } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-       if (alg_k & SSL_kSRP) {
-               n2s(p, i);
-               param_len = i + 2;
-               if (param_len > n) {
-                       al = SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           SSL_R_BAD_SRP_N_LENGTH);
-                       goto f_err;
-               }
-               if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           ERR_R_BN_LIB);
-                       goto err;
-               }
-               p += i;
-
-               n2s(p, i);
-               param_len += i + 2;
-               if (param_len > n) {
-                       al = SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           SSL_R_BAD_SRP_G_LENGTH);
-                       goto f_err;
-               }
-               if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           ERR_R_BN_LIB);
-                       goto err;
-               }
-               p += i;
-
-               i = (unsigned int)(p[0]);
-               p++;
-               param_len += i + 1;
-               if (param_len > n) {
-                       al = SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           SSL_R_BAD_SRP_S_LENGTH);
-                       goto f_err;
-               }
-               if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           ERR_R_BN_LIB);
-                       goto err;
-               }
-               p += i;
-
-               n2s(p, i);
-               param_len += i + 2;
-               if (param_len > n) {
-                       al = SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           SSL_R_BAD_SRP_B_LENGTH);
-                       goto f_err;
-               }
-               if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
-                       SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                           ERR_R_BN_LIB);
-                       goto err;
-               }
-               p += i;
-               n -= param_len;
-
-               /* We must check if there is a certificate */
-               if (alg_a & SSL_aRSA)
-                       pkey = X509_get_pubkey(
-                           s->session->sess_cert->peer_pkeys[
-                           SSL_PKEY_RSA_ENC].x509);
-               else if (alg_a & SSL_aDSS)
-                       pkey = X509_get_pubkey(
-                           s->session->sess_cert->peer_pkeys[
-                           SSL_PKEY_DSA_SIGN].x509);
-       } else
-#endif /* !OPENSSL_NO_SRP */
        if (alg_k & SSL_kRSA) {
                if ((rsa = RSA_new()) == NULL) {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
@@ -2156,9 +2066,6 @@ ssl3_send_client_key_exchange(SSL *s)
        unsigned long    alg_k;
        unsigned char   *q;
        EVP_PKEY        *pkey = NULL;
-#ifndef OPENSSL_NO_KRB5
-       KSSL_ERR         kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_ECDH
        EC_KEY          *clnt_ecdh = NULL;
        const EC_POINT  *srvr_ecpoint = NULL;
@@ -2226,140 +2133,6 @@ ssl3_send_client_key_exchange(SSL *s)
                            s, s->session->master_key, tmp_buf, sizeof tmp_buf);
                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
                }
-#ifndef OPENSSL_NO_KRB5
-               else if (alg_k & SSL_kKRB5) {
-                       krb5_error_code krb5rc;
-                       KSSL_CTX        *kssl_ctx = s->kssl_ctx;
-                       /*  krb5_data   krb5_ap_req;  */
-                       krb5_data       *enc_ticket;
-                       krb5_data       authenticator, *authp = NULL;
-                       EVP_CIPHER_CTX  ciph_ctx;
-                       const EVP_CIPHER *enc = NULL;
-                       unsigned char   iv[EVP_MAX_IV_LENGTH];
-                       unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-                       unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH
-                                           + EVP_MAX_IV_LENGTH];
-                       int             padl, outl = sizeof(epms);
-
-                       EVP_CIPHER_CTX_init(&ciph_ctx);
-
-#ifdef KSSL_DEBUG
-                       printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                           alg_k, SSL_kKRB5);
-#endif /* KSSL_DEBUG */
-
-                       authp = NULL;
-#ifdef KRB5SENDAUTH
-                       if (KRB5SENDAUTH)
-                               authp = &authenticator;
-#endif /* KRB5SENDAUTH */
-
-                       krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket,
-                           authp, &kssl_err);
-                       enc = kssl_map_enc(kssl_ctx->enctype);
-                       if (enc == NULL)
-                               goto err;
-#ifdef KSSL_DEBUG
-                       {
-                               printf("kssl_cget_tkt rtn %d\n", krb5rc);
-                               if (krb5rc && kssl_err.text)
-                                       printf("kssl_cget_tkt kssl_err=%s\n",
-                                           kssl_err.text);
-                       }
-#endif /* KSSL_DEBUG */
-
-                       if (krb5rc) {
-                               ssl3_send_alert(s, SSL3_AL_FATAL,
-                                   SSL_AD_HANDSHAKE_FAILURE);
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                   kssl_err.reason);
-                               goto err;
-                       }
-
-                       /*
-                        * 20010406 VRS - Earlier versions used KRB5 AP_REQ
-                        * in place of RFC 2712 KerberosWrapper, as in:
-                        *
-                        * Send ticket (copy to *p, set n = length)
-                        * n = krb5_ap_req.length;
-                        * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-                        * if (krb5_ap_req.data)
-                        *   kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-                        *
-                        * Now using real RFC 2712 KerberosWrapper
-                        * (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
-                        * Note: 2712 "opaque" types are here replaced
-                        * with a 2-byte length followed by the value.
-                        * Example:
-                        * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-                        * Where "xx xx" = length bytes.  Shown here with
-                        * optional authenticator omitted.
-                        */
-
-                       /*  KerberosWrapper.Ticket */
-                       s2n(enc_ticket->length, p);
-                       memcpy(p, enc_ticket->data, enc_ticket->length);
-                       p += enc_ticket->length;
-                       n = enc_ticket->length + 2;
-
-                       /*  KerberosWrapper.Authenticator */
-                       if (authp && authp->length) {
-                               s2n(authp->length, p);
-                               memcpy(p, authp->data, authp->length);
-                               p += authp->length;
-                               n += authp->length + 2;
-
-                               free(authp->data);
-                               authp->data = NULL;
-                               authp->length = 0;
-                       } else {
-                               s2n(0,p);/*  null authenticator length  */
-                               n += 2;
-                       }
-
-                       tmp_buf[0] = s->client_version >> 8;
-                       tmp_buf[1] = s->client_version & 0xff;
-                       if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
-                               goto err;
-
-                       /*
-                        * 20010420 VRS.  Tried it this way; failed.
-                        * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-                        * EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-                        *     kssl_ctx->length);
-                        * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-                        */
-
-                       memset(iv, 0, sizeof iv);
-                       /* per RFC 1510 */
-                       EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
-                           kssl_ctx->key, iv);
-                       EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
-                           sizeof tmp_buf);
-                       EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
-                       outl += padl;
-                       if (outl > (int)sizeof epms) {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                   ERR_R_INTERNAL_ERROR);
-                               goto err;
-                       }
-                       EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
-                       /* KerberosWrapper.EncryptedPreMasterSecret */
-                       s2n(outl, p);
-                       memcpy(p, epms, outl);
-                       p += outl;
-                       n += outl + 2;
-
-                       s->session->master_key_length =
-                       s->method->ssl3_enc->generate_master_secret(s,
-                       s->session->master_key,
-                       tmp_buf, sizeof tmp_buf);
-
-                       OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
-                       OPENSSL_cleanse(epms, outl);
-               }
-#endif
 #ifndef OPENSSL_NO_DH
                else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
                        DH *dh_srvr, *dh_clnt;
@@ -2716,37 +2489,6 @@ ssl3_send_client_key_exchange(SSL *s)
                            EVP_PKEY_free(pub_key);
 
                }
-#ifndef OPENSSL_NO_SRP
-               else if (alg_k & SSL_kSRP) {
-                       if (s->srp_ctx.A != NULL) {
-                               /* send off the data */
-                               n = BN_num_bytes(s->srp_ctx.A);
-                               s2n(n, p);
-                               BN_bn2bin(s->srp_ctx.A, p);
-                               n += 2;
-                       } else {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                   ERR_R_INTERNAL_ERROR);
-                               goto err;
-                       }
-                       if (s->session->srp_username != NULL)
-                               free(s->session->srp_username);
-                       s->session->srp_username = BUF_strdup(s->srp_ctx.login);
-                       if (s->session->srp_username == NULL) {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                   ERR_R_MALLOC_FAILURE);
-                               goto err;
-                       }
-
-                       if ((s->session->master_key_length =
-                           SRP_generate_client_master_secret(s,
-                           s->session->master_key)) < 0) {
-                               SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                   ERR_R_INTERNAL_ERROR);
-                               goto err;
-                       }
-               }
-#endif
 #ifndef OPENSSL_NO_PSK
                else if (alg_k & SSL_kPSK) {
                        char identity[PSK_MAX_IDENTITY_LEN];
index 12ce8a1..c687488 100644 (file)
@@ -605,232 +605,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
                168,
                168,
        },
-#ifndef OPENSSL_NO_KRB5
-/* The Kerberos ciphers*/
-/* Cipher 1E */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_64_CBC_SHA,
-               SSL3_CK_KRB5_DES_64_CBC_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_DES,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_LOW,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               56,
-               56,
-       },
-
-/* Cipher 1F */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_192_CBC3_SHA,
-               SSL3_CK_KRB5_DES_192_CBC3_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_3DES,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               168,
-               168,
-       },
-
-/* Cipher 20 */
-       {
-               1,
-               SSL3_TXT_KRB5_RC4_128_SHA,
-               SSL3_CK_KRB5_RC4_128_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC4,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_MEDIUM,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-/* Cipher 21 */
-       {
-               1,
-               SSL3_TXT_KRB5_IDEA_128_CBC_SHA,
-               SSL3_CK_KRB5_IDEA_128_CBC_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_IDEA,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_MEDIUM,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-/* Cipher 22 */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_64_CBC_MD5,
-               SSL3_CK_KRB5_DES_64_CBC_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_DES,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_LOW,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               56,
-               56,
-       },
-
-/* Cipher 23 */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_192_CBC3_MD5,
-               SSL3_CK_KRB5_DES_192_CBC3_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_3DES,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               168,
-               168,
-       },
-
-/* Cipher 24 */
-       {
-               1,
-               SSL3_TXT_KRB5_RC4_128_MD5,
-               SSL3_CK_KRB5_RC4_128_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC4,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_MEDIUM,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-/* Cipher 25 */
-       {
-               1,
-               SSL3_TXT_KRB5_IDEA_128_CBC_MD5,
-               SSL3_CK_KRB5_IDEA_128_CBC_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_IDEA,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_NOT_EXP|SSL_MEDIUM,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-/* Cipher 26 */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_40_CBC_SHA,
-               SSL3_CK_KRB5_DES_40_CBC_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_DES,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               56,
-       },
-
-/* Cipher 27 */
-       {
-               1,
-               SSL3_TXT_KRB5_RC2_40_CBC_SHA,
-               SSL3_CK_KRB5_RC2_40_CBC_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC2,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               128,
-       },
-
-/* Cipher 28 */
-       {
-               1,
-               SSL3_TXT_KRB5_RC4_40_SHA,
-               SSL3_CK_KRB5_RC4_40_SHA,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC4,
-               SSL_SHA1,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               128,
-       },
-
-/* Cipher 29 */
-       {
-               1,
-               SSL3_TXT_KRB5_DES_40_CBC_MD5,
-               SSL3_CK_KRB5_DES_40_CBC_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_DES,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               56,
-       },
-
-/* Cipher 2A */
-       {
-               1,
-               SSL3_TXT_KRB5_RC2_40_CBC_MD5,
-               SSL3_CK_KRB5_RC2_40_CBC_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC2,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               128,
-       },
-
-/* Cipher 2B */
-       {
-               1,
-               SSL3_TXT_KRB5_RC4_40_MD5,
-               SSL3_CK_KRB5_RC4_40_MD5,
-               SSL_kKRB5,
-               SSL_aKRB5,
-               SSL_RC4,
-               SSL_MD5,
-               SSL_SSLV3,
-               SSL_EXPORT|SSL_EXP40,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               40,
-               128,
-       },
-#endif /* OPENSSL_NO_KRB5 */
 
 /* New AES ciphersuites */
 /* Cipher 2F */
@@ -2250,151 +2024,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
        },
 #endif /* OPENSSL_NO_ECDH */
 
-#ifndef OPENSSL_NO_SRP
-       /* Cipher C01A */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
-               TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
-               SSL_kSRP,
-               SSL_aNULL,
-               SSL_3DES,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               168,
-               168,
-       },
-
-       /* Cipher C01B */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
-               TLS1_CK_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
-               SSL_kSRP,
-               SSL_aRSA,
-               SSL_3DES,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               168,
-               168,
-       },
-
-       /* Cipher C01C */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
-               TLS1_CK_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
-               SSL_kSRP,
-               SSL_aDSS,
-               SSL_3DES,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               168,
-               168,
-       },
-
-       /* Cipher C01D */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
-               TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
-               SSL_kSRP,
-               SSL_aNULL,
-               SSL_AES128,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-       /* Cipher C01E */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
-               TLS1_CK_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
-               SSL_kSRP,
-               SSL_aRSA,
-               SSL_AES128,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-       /* Cipher C01F */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
-               TLS1_CK_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
-               SSL_kSRP,
-               SSL_aDSS,
-               SSL_AES128,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               128,
-               128,
-       },
-
-       /* Cipher C020 */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
-               TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
-               SSL_kSRP,
-               SSL_aNULL,
-               SSL_AES256,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               256,
-               256,
-       },
-
-       /* Cipher C021 */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
-               TLS1_CK_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
-               SSL_kSRP,
-               SSL_aRSA,
-               SSL_AES256,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               256,
-               256,
-       },
-
-       /* Cipher C022 */
-       {
-               1,
-               TLS1_TXT_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
-               TLS1_CK_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
-               SSL_kSRP,
-               SSL_aDSS,
-               SSL_AES256,
-               SSL_SHA1,
-               SSL_TLSV1,
-               SSL_NOT_EXP|SSL_HIGH,
-               SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-               256,
-               256,
-       },
-#endif  /* OPENSSL_NO_SRP */
 #ifndef OPENSSL_NO_ECDH
 
        /* HMAC based TLS v1.2 ciphersuites from RFC5289 */
@@ -2787,9 +2416,6 @@ ssl3_new(SSL *s)
 
        s->s3 = s3;
 
-#ifndef OPENSSL_NO_SRP
-       SSL_SRP_CTX_init(s);
-#endif
        s->method->ssl_clear(s);
        return (1);
 err:
@@ -2832,9 +2458,6 @@ ssl3_free(SSL *s)
        }
        if (s->s3->handshake_dgst)
                ssl3_free_digest_list(s);
-#ifndef OPENSSL_NO_SRP
-       SSL_SRP_CTX_free(s);
-#endif
        OPENSSL_cleanse(s->s3, sizeof *s->s3);
        free(s->s3);
        s->s3 = NULL;
@@ -2919,13 +2542,6 @@ ssl3_clear(SSL *s)
 #endif
 }
 
-#ifndef OPENSSL_NO_SRP
-static char *
-srp_password_from_info_cb(SSL *s, void *arg)
-{
-       return BUF_strdup(s->srp_ctx.info);
-}
-#endif
 
 long
 ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
@@ -3380,40 +2996,6 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                return 1;
                break;
 
-#ifndef OPENSSL_NO_SRP
-       case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME:
-               ctx->srp_ctx.srp_Mask|=SSL_kSRP;
-               if (ctx->srp_ctx.login != NULL)
-                       free(ctx->srp_ctx.login);
-               ctx->srp_ctx.login = NULL;
-               if (parg == NULL)
-                       break;
-               if (strlen((const char *)parg) > 255 ||
-                   strlen((const char *)parg) < 1) {
-                       SSLerr(SSL_F_SSL3_CTX_CTRL,
-                           SSL_R_INVALID_SRP_USERNAME);
-                       return 0;
-               }
-               if ((ctx->srp_ctx.login = BUF_strdup((char *)parg)) == NULL) {
-                       SSLerr(SSL_F_SSL3_CTX_CTRL,
-                           ERR_R_INTERNAL_ERROR);
-                       return 0;
-               }
-               break;
-       case SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD:
-               ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
-                   srp_password_from_info_cb;
-               ctx->srp_ctx.info = parg;
-               break;
-       case SSL_CTRL_SET_SRP_ARG:
-               ctx->srp_ctx.srp_Mask|=SSL_kSRP;
-               ctx->srp_ctx.SRP_cb_arg = parg;
-               break;
-
-       case SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH:
-               ctx->srp_ctx.strength = larg;
-               break;
-#endif
 #endif /* !OPENSSL_NO_TLSEXT */
 
                /* A Thawte special :-) */
@@ -3491,23 +3073,6 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
                    unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
                break;
 
-#ifndef OPENSSL_NO_SRP
-       case SSL_CTRL_SET_SRP_VERIFY_PARAM_CB:
-               ctx->srp_ctx.srp_Mask|=SSL_kSRP;
-               ctx->srp_ctx.SRP_verify_param_callback =
-                   (int (*)(SSL *, void *))fp;
-               break;
-       case SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB:
-               ctx->srp_ctx.srp_Mask|=SSL_kSRP;
-               ctx->srp_ctx.TLS_ext_srp_username_callback =
-                   (int (*)(SSL *, int *, void *))fp;
-               break;
-       case SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB:
-               ctx->srp_ctx.srp_Mask|=SSL_kSRP;
-               ctx->srp_ctx.SRP_give_srp_client_pwd_callback =
-                   (char *(*)(SSL *, void *))fp;
-               break;
-#endif
 #endif
        default:
                return (0);
@@ -3616,10 +3181,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                mask_a = cert->mask_a;
                emask_k = cert->export_mask_k;
                emask_a = cert->export_mask_a;
-#ifndef OPENSSL_NO_SRP
-               mask_k = cert->mask_k | s->srp_ctx.srp_Mask;
-               emask_k = cert->export_mask_k | s->srp_ctx.srp_Mask;
-#endif
 
 #ifdef KSSL_DEBUG
 /*             printf("ssl3_choose_cipher %d alg= %lx\n", i,c->algorithms);*/
@@ -3628,12 +3189,6 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
                alg_k = c->algorithm_mkey;
                alg_a = c->algorithm_auth;
 
-#ifndef OPENSSL_NO_KRB5
-               if (alg_k & SSL_kKRB5) {
-                       if (!kssl_keytab_is_available(s->kssl_ctx) )
-                               continue;
-               }
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
                /* with PSK there must be server callback set */
                if ((alg_k & SSL_kPSK) && s->psk_server_callback == NULL)
index 6d8ccd6..081aebf 100644 (file)
 #include <openssl/dh.h>
 #endif
 #include <openssl/bn.h>
-#ifndef OPENSSL_NO_KRB5
-#include <openssl/krb5_asn.h>
-#endif
 #include <openssl/md5.h>
 
 static const SSL_METHOD *ssl3_get_server_method(int ver);
@@ -179,30 +176,6 @@ ssl3_get_server_method(int ver)
        return (NULL);
 }
 
-#ifndef OPENSSL_NO_SRP
-static int
-ssl_check_srp_ext_ClientHello(SSL *s, int *al)
-{
-       int ret = SSL_ERROR_NONE;
-
-       *al = SSL_AD_UNRECOGNIZED_NAME;
-
-       if ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) &&
-               (s->srp_ctx.TLS_ext_srp_username_callback != NULL)) {
-               if (s->srp_ctx.login == NULL) {
-                       /*
-                        * RFC 5054 says SHOULD reject,
-                        * we do so if There is no srp login name
-                        */
-                       ret = SSL3_AL_FATAL;
-                       *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
-               } else {
-                       ret = SSL_srp_server_param_with_username(s, al);
-               }
-       }
-       return (ret);
-}
-#endif
 
 IMPLEMENT_ssl3_meth_func(SSLv3_server_method,
     ssl3_accept, ssl_undefined_function, ssl3_get_server_method)
@@ -342,39 +315,6 @@ ssl3_accept(SSL *s)
                                if (ret <= 0)
                                        goto end;
                        }
-#ifndef OPENSSL_NO_SRP
-                       {
-                               int al;
-                               if ((ret =
-                                   ssl_check_srp_ext_ClientHello(s, &al))
-                                   < 0) {
-                                       /*
-                                        * Callback indicates further work to
-                                        * be done.
-                                        */
-                                       s->rwstate = SSL_X509_LOOKUP;
-                                       goto end;
-                               }
-                               if (ret != SSL_ERROR_NONE) {
-                                       ssl3_send_alert(s, SSL3_AL_FATAL, al);
-
-                                       /*
-                                        * This is not really an error but the
-                                        * only means for a client to detect
-                                        * whether srp is supported.
-                                        */
-                                       if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
-                                               SSLerr(SSL_F_SSL3_ACCEPT,
-                                                   SSL_R_CLIENTHELLO_TLSEXT);
-
-                                       ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-
-                                       ret = -1;
-                                       goto end;
-
-                               }
-                       }
-#endif         
 
                        s->renegotiate = 2;
                        s->state = SSL3_ST_SW_SRVR_HELLO_A;
@@ -441,9 +381,6 @@ ssl3_accept(SSL *s)
                         * send_server_key_exchange.
                         */
                        if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
-                           && !(alg_k & SSL_kKRB5)
-#endif /* OPENSSL_NO_KRB5 */
                            )
                                /*
                                 * option SSL_OP_EPHEMERAL_RSA sends temporary
@@ -472,10 +409,6 @@ ssl3_accept(SSL *s)
                         * hint if provided */
 #ifndef OPENSSL_NO_PSK
                            || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint)
-#endif
-#ifndef OPENSSL_NO_SRP
-                       /* SRP: send ServerKeyExchange */
-                           || (alg_k & SSL_kSRP)
 #endif
                            || (alg_k & (SSL_kDHr|SSL_kDHd|SSL_kEDH))
                            || (alg_k & SSL_kEECDH)
@@ -1796,20 +1729,6 @@ ssl3_send_server_key_exchange(SSL *s)
                        n += 2 + pskhintlen;
                } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-               if (type & SSL_kSRP) {
-                       if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
-                           (s->srp_ctx.s == NULL) || (s->srp_ctx.B == NULL)) {
-                               SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
-                                   SSL_R_MISSING_SRP_PARAM);
-                               goto err;
-                       }
-                       r[0] = s->srp_ctx.N;
-                       r[1] = s->srp_ctx.g;
-                       r[2] = s->srp_ctx.s;
-                       r[3] = s->srp_ctx.B;
-               } else
-#endif
                {
                        al = SSL_AD_HANDSHAKE_FAILURE;
                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
@@ -1818,11 +1737,6 @@ ssl3_send_server_key_exchange(SSL *s)
                }
                for (i = 0; i < 4 && r[i] != NULL; i++) {
                        nr[i] = BN_num_bytes(r[i]);
-#ifndef OPENSSL_NO_SRP
-                       if ((i == 2) && (type & SSL_kSRP))
-                               n += 1 + nr[i];
-                       else
-#endif
                        n += 2 + nr[i];
                }
 
@@ -1848,12 +1762,6 @@ ssl3_send_server_key_exchange(SSL *s)
                p = &(d[4]);
 
                for (i = 0; i < 4 && r[i] != NULL; i++) {
-#ifndef OPENSSL_NO_SRP
-                       if ((i == 2) && (type & SSL_kSRP)) {
-                               *p = nr[i];
-                               p++;
-                       } else
-#endif
                        s2n(nr[i], p);
                        BN_bn2bin(r[i], p);
                        p += nr[i];
@@ -2112,9 +2020,6 @@ ssl3_get_client_key_exchange(SSL *s)
        BIGNUM *pub = NULL;
        DH *dh_srvr;
 #endif
-#ifndef OPENSSL_NO_KRB5
-       KSSL_ERR kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
 
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *srvr_ecdh = NULL;
@@ -2299,191 +2204,6 @@ ssl3_get_client_key_exchange(SSL *s)
                OPENSSL_cleanse(p, i);
        } else
 #endif
-#ifndef OPENSSL_NO_KRB5
-       if (alg_k & SSL_kKRB5) {
-               krb5_error_code         krb5rc;
-               krb5_data               enc_ticket;
-               krb5_data               authenticator;
-               krb5_data               enc_pms;
-               KSSL_CTX                *kssl_ctx = s->kssl_ctx;
-               EVP_CIPHER_CTX          ciph_ctx;
-               const EVP_CIPHER        *enc = NULL;
-               unsigned char           iv[EVP_MAX_IV_LENGTH];
-               unsigned char           pms[SSL_MAX_MASTER_KEY_LENGTH
-               + EVP_MAX_BLOCK_LENGTH];
-               int                  padl, outl;
-               krb5_timestamp          authtime = 0;
-               krb5_ticket_times       ttimes;
-
-               EVP_CIPHER_CTX_init(&ciph_ctx);
-
-               if (!kssl_ctx)
-                       kssl_ctx = kssl_ctx_new();
-
-               n2s(p, i);
-               enc_ticket.length = i;
-
-               if (n < (long)(enc_ticket.length + 6)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-
-               enc_ticket.data = (char *)p;
-               p += enc_ticket.length;
-
-               n2s(p, i);
-               authenticator.length = i;
-
-               if (n < (long)(enc_ticket.length + authenticator.length + 6)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-
-               authenticator.data = (char *)p;
-               p += authenticator.length;
-
-               n2s(p, i);
-               enc_pms.length = i;
-               enc_pms.data = (char *)p;
-               p += enc_pms.length;
-
-               /*
-                * Note that the length is checked again below,
-                * after decryption
-                */
-               if (enc_pms.length > sizeof pms) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-
-               if (n != (long)(enc_ticket.length + authenticator.length +
-                   enc_pms.length + 6)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-
-               if ((krb5rc = kssl_sget_tkt(kssl_ctx, &enc_ticket, &ttimes,
-                   &kssl_err)) != 0) {
-#ifdef KSSL_DEBUG
-                       printf("kssl_sget_tkt rtn %d [%d]\n",
-                       krb5rc, kssl_err.reason);
-                       if (kssl_err.text)
-                               printf("kssl_err text= %s\n", kssl_err.text);
-#endif /* KSSL_DEBUG */
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                       kssl_err.reason);
-                       goto err;
-               }
-
-               /*  Note: no authenticator is not considered an error,
-               **  but will return authtime == 0.
-               */
-               if ((krb5rc = kssl_check_authent(kssl_ctx, &authenticator,
-                   &authtime, &kssl_err)) != 0) {
-#ifdef KSSL_DEBUG
-                       printf("kssl_check_authent rtn %d [%d]\n",
-                       krb5rc, kssl_err.reason);
-                       if (kssl_err.text)
-                               printf("kssl_err text= %s\n", kssl_err.text);
-#endif /* KSSL_DEBUG */
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           kssl_err.reason);
-                       goto err;
-               }
-
-               if ((krb5rc = kssl_validate_times(authtime, &ttimes)) != 0) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           krb5rc);
-                       goto err;
-               }
-
-#ifdef KSSL_DEBUG
-               kssl_ctx_show(kssl_ctx);
-#endif /* KSSL_DEBUG */
-
-               enc = kssl_map_enc(kssl_ctx->enctype);
-               if (enc == NULL)
-                       goto err;
-
-               memset(iv, 0, sizeof iv);       /* per RFC 1510 */
-
-               if (!EVP_DecryptInit_ex(&ciph_ctx, enc, NULL,
-                   kssl_ctx->key, iv)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DECRYPTION_FAILED);
-                       goto err;
-               }
-               if (!EVP_DecryptUpdate(&ciph_ctx, pms, &outl,
-                   (unsigned char *)enc_pms.data, enc_pms.length)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DECRYPTION_FAILED);
-                       goto err;
-               }
-               if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-               if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DECRYPTION_FAILED);
-                       goto err;
-               }
-               outl += padl;
-               if (outl > SSL_MAX_MASTER_KEY_LENGTH) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_DATA_LENGTH_TOO_LONG);
-                       goto err;
-               }
-               if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) {
-                       /*
-                        * The premaster secret must contain the same version
-                        * number as the ClientHello to detect version rollback
-                        * attacks (strangely, the protocol does not offer such
-                        * protection for DH ciphersuites).
-                        * However, buggy clients exist that send random bytes
-                        * instead of the protocol version.
-                        *
-                        * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such
-                        * clients.
-                        * (Perhaps we should have a separate BUG value for
-                        * the Kerberos cipher)
-                        */
-                       if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) {
-                               SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                                   SSL_AD_DECODE_ERROR);
-                               goto err;
-                       }
-               }
-
-               EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
-               s->session->master_key_length =
-               s->method->ssl3_enc->generate_master_secret(s,
-                   s->session->master_key, pms, outl);
-
-               if (kssl_ctx->client_princ) {
-                       size_t len = strlen(kssl_ctx->client_princ);
-                       if (len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) {
-                               s->session->krb5_client_princ_len = len;
-                               memcpy(s->session->krb5_client_princ,
-                                   kssl_ctx->client_princ, len);
-                       }
-               }
-
-
-               /*
-                * Was doing kssl_ctx_free() here, but it caused problems for
-                * apache.
-                * kssl_ctx = kssl_ctx_free(kssl_ctx);
-                * if (s->kssl_ctx)  s->kssl_ctx = NULL;
-                */
-       } else
-#endif /* OPENSSL_NO_KRB5 */
 
 #ifndef OPENSSL_NO_ECDH
        if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) {
@@ -2717,43 +2437,6 @@ ssl3_get_client_key_exchange(SSL *s)
                        goto f_err;
        } else
 #endif
-#ifndef OPENSSL_NO_SRP
-       if (alg_k & SSL_kSRP) {
-               int param_len;
-
-               n2s(p, i);
-               param_len = i + 2;
-               if (param_len > n) {
-                       al = SSL_AD_DECODE_ERROR;
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           SSL_R_BAD_SRP_A_LENGTH);
-                       goto f_err;
-               }
-               if (!(s->srp_ctx.A = BN_bin2bn(p, i, NULL))) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           ERR_R_BN_LIB);
-                       goto err;
-               }
-               if (s->session->srp_username != NULL)
-                       free(s->session->srp_username);
-               s->session->srp_username = BUF_strdup(s->srp_ctx.login);
-               if (s->session->srp_username == NULL) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           ERR_R_MALLOC_FAILURE);
-                       goto err;
-               }
-
-               if ((s->session->master_key_length =
-                   SRP_generate_server_master_secret(s,
-                   s->session->master_key)) < 0) {
-                       SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
-                           ERR_R_INTERNAL_ERROR);
-                       goto err;
-               }
-
-               p += i;
-       } else
-#endif /* OPENSSL_NO_SRP */
        if (alg_k & SSL_kGOST) {
                int ret = 0;
                EVP_PKEY_CTX *pkey_ctx;
index 0e117db..dc56aba 100644 (file)
@@ -466,10 +466,6 @@ struct ssl_session_st {
        unsigned int sid_ctx_length;
        unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
 
-#ifndef OPENSSL_NO_KRB5
-       unsigned int krb5_client_princ_len;
-       unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
        char *psk_identity_hint;
        char *psk_identity;
@@ -522,9 +518,6 @@ struct ssl_session_st {
        size_t tlsext_ticklen;          /* Session ticket length */
        long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
 #endif
-#ifndef OPENSSL_NO_SRP
-       char *srp_username;
-#endif
 };
 
 #endif
@@ -672,42 +665,6 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
 #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 
-#ifndef OPENSSL_NO_SRP
-
-#ifndef OPENSSL_NO_SSL_INTERN
-
-typedef struct srp_ctx_st {
-       /* param for all the callbacks */
-       void *SRP_cb_arg;
-       /* set client Hello login callback */
-       int (*TLS_ext_srp_username_callback)(SSL *, int *, void *);
-       /* set SRP N/g param callback for verification */
-       int (*SRP_verify_param_callback)(SSL *, void *);
-       /* set SRP client passwd callback */
-       char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
-
-       char *login;
-       BIGNUM *N, *g, *s, *B, *A;
-       BIGNUM *a, *b, *v;
-       char *info;
-       int strength;
-
-       unsigned long srp_Mask;
-} SRP_CTX;
-
-#endif
-
-/* see tls_srp.c */
-int SSL_SRP_CTX_init(SSL *s);
-int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
-int SSL_SRP_CTX_free(SSL *ctx);
-int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
-int SSL_srp_server_param_with_username(SSL *s, int *ad);
-int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key);
-int SRP_Calc_A_param(SSL *s);
-int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key);
-
-#endif
 
 #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
 
@@ -922,9 +879,6 @@ struct ssl_ctx_st {
            unsigned char *psk, unsigned int max_psk_len);
 #endif
 
-#ifndef OPENSSL_NO_SRP
-       SRP_CTX srp_ctx; /* ctx for SRP authentication */
-#endif
 
 #ifndef OPENSSL_NO_TLSEXT
 
@@ -1213,9 +1167,6 @@ struct ssl_st {
        int error;              /* error bytes to be written */
        int error_code;         /* actual code */
 
-#ifndef OPENSSL_NO_KRB5
-       KSSL_CTX *kssl_ctx;     /* Kerberos 5 context */
-#endif /* OPENSSL_NO_KRB5 */
 
 #ifndef OPENSSL_NO_PSK
        unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
@@ -1327,9 +1278,6 @@ struct ssl_st {
                         * 2 if we are a server and are inside a handshake
                         * (i.e. not just sending a HelloRequest) */
 
-#ifndef OPENSSL_NO_SRP
-       SRP_CTX srp_ctx; /* ctx for SRP authentication */
-#endif
 };
 
 #endif
@@ -1771,24 +1719,6 @@ int SSL_set_trust(SSL *s, int trust);
 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
 
-#ifndef OPENSSL_NO_SRP
-int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
-int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
-int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
-int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, char *(*cb)(SSL *, void *));
-int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, int (*cb)(SSL *, void *));
-int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx, int (*cb)(SSL *, int *, void *));
-int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
-
-int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, BIGNUM *sa, BIGNUM *v, char *info);
-int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, const char *grp);
-
-BIGNUM *SSL_get_srp_g(SSL *s);
-BIGNUM *SSL_get_srp_N(SSL *s);
-
-char *SSL_get_srp_username(SSL *s);
-char *SSL_get_srp_userinfo(SSL *s);
-#endif
 
 void   SSL_free(SSL *ssl);
 int    SSL_accept(SSL *ssl);
index 1d25902..566590f 100644 (file)
@@ -97,9 +97,6 @@ typedef struct ssl_session_asn1_st {
        ASN1_OCTET_STRING master_key;
        ASN1_OCTET_STRING session_id;
        ASN1_OCTET_STRING session_id_context;
-#ifndef OPENSSL_NO_KRB5
-       ASN1_OCTET_STRING krb5_princ;
-#endif /* OPENSSL_NO_KRB5 */
        ASN1_INTEGER time;
        ASN1_INTEGER timeout;
        ASN1_INTEGER verify_result;
@@ -112,9 +109,6 @@ typedef struct ssl_session_asn1_st {
        ASN1_OCTET_STRING psk_identity_hint;
        ASN1_OCTET_STRING psk_identity;
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-       ASN1_OCTET_STRING srp_username;
-#endif /* OPENSSL_NO_SRP */
 } SSL_SESSION_ASN1;
 
 int
@@ -131,9 +125,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 #ifndef OPENSSL_NO_COMP
        unsigned char cbuf;
        int v11 = 0;
-#endif
-#ifndef OPENSSL_NO_SRP
-       int v12 = 0;
 #endif
        long l;
        SSL_SESSION_ASN1 a;
@@ -189,13 +180,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        a.session_id_context.type = V_ASN1_OCTET_STRING;
        a.session_id_context.data = in->sid_ctx;
 
-#ifndef OPENSSL_NO_KRB5
-       if (in->krb5_client_princ_len) {
-               a.krb5_princ.length = in->krb5_client_princ_len;
-               a.krb5_princ.type = V_ASN1_OCTET_STRING;
-               a.krb5_princ.data = in->krb5_client_princ;
-       }
-#endif /* OPENSSL_NO_KRB5 */
 
        if (in->time != 0L) {
                a.time.length = LSIZE2;
@@ -248,23 +232,12 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
                a.psk_identity.data = (unsigned char *)(in->psk_identity);
        }
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-       if (in->srp_username) {
-               a.srp_username.length = strlen(in->srp_username);
-               a.srp_username.type = V_ASN1_OCTET_STRING;
-               a.srp_username.data = (unsigned char *)(in->srp_username);
-       }
-#endif /* OPENSSL_NO_SRP */
 
        M_ASN1_I2D_len(&(a.version),            i2d_ASN1_INTEGER);
        M_ASN1_I2D_len(&(a.ssl_version),        i2d_ASN1_INTEGER);
        M_ASN1_I2D_len(&(a.cipher),             i2d_ASN1_OCTET_STRING);
        M_ASN1_I2D_len(&(a.session_id),         i2d_ASN1_OCTET_STRING);
        M_ASN1_I2D_len(&(a.master_key),         i2d_ASN1_OCTET_STRING);
-#ifndef OPENSSL_NO_KRB5
-       if (in->krb5_client_princ_len)
-               M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
-#endif /* OPENSSL_NO_KRB5 */
        if (in->time != 0L)
                M_ASN1_I2D_len_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1);
        if (in->timeout != 0L)
@@ -293,10 +266,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        if (in->psk_identity)
                M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, v8);
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-       if (in->srp_username)
-               M_ASN1_I2D_len_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING, 12, v12);
-#endif /* OPENSSL_NO_SRP */
 
        M_ASN1_I2D_seq_total();
 
@@ -305,10 +274,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        M_ASN1_I2D_put(&(a.cipher),             i2d_ASN1_OCTET_STRING);
        M_ASN1_I2D_put(&(a.session_id),         i2d_ASN1_OCTET_STRING);
        M_ASN1_I2D_put(&(a.master_key),         i2d_ASN1_OCTET_STRING);
-#ifndef OPENSSL_NO_KRB5
-       if (in->krb5_client_princ_len)
-               M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
-#endif /* OPENSSL_NO_KRB5 */
        if (in->time != 0L)
                M_ASN1_I2D_put_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1);
        if (in->timeout != 0L)
@@ -339,10 +304,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        if (in->compress_meth)
                M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11);
 #endif
-#ifndef OPENSSL_NO_SRP
-       if (in->srp_username)
-               M_ASN1_I2D_put_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING, 12, v12);
-#endif /* OPENSSL_NO_SRP */
        M_ASN1_I2D_finish();
 }
 
@@ -420,21 +381,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
 
        os.length = 0;
 
-#ifndef OPENSSL_NO_KRB5
-       os.length = 0;
-       M_ASN1_D2I_get_opt(osp, d2i_ASN1_OCTET_STRING, V_ASN1_OCTET_STRING);
-       if (os.data) {
-               if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH)
-                       ret->krb5_client_princ_len = 0;
-               else
-                       ret->krb5_client_princ_len = os.length;
-               memcpy(ret->krb5_client_princ, os.data, ret->krb5_client_princ_len);
-               free(os.data);
-               os.data = NULL;
-               os.length = 0;
-       } else
-               ret->krb5_client_princ_len = 0;
-#endif /* OPENSSL_NO_KRB5 */
 
        ai.length = 0;
        M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1);       /* XXX 2038 */
@@ -561,18 +507,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
        }
 #endif
 
-#ifndef OPENSSL_NO_SRP
-       os.length = 0;
-       os.data = NULL;
-       M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 12);
-       if (os.data) {
-               ret->srp_username = BUF_strndup((char *)os.data, os.length);
-               free(os.data);
-               os.data = NULL;
-               os.length = 0;
-       } else
-               ret->srp_username = NULL;
-#endif /* OPENSSL_NO_SRP */
 
        M_ASN1_D2I_Finish(a, SSL_SESSION_free, SSL_F_D2I_SSL_SESSION);
 }
index 00ab752..a152352 100644 (file)
@@ -702,10 +702,8 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
        *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH;
        *auth |= SSL_aDH;
 #endif
-#ifdef OPENSSL_NO_KRB5
        *mkey |= SSL_kKRB5;
        *auth |= SSL_aKRB5;
-#endif
 #ifdef OPENSSL_NO_ECDSA
        *auth |= SSL_aECDSA;
 #endif
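Review bot: With the `#ifdef OPENSSL_NO_KRB5` guard gone, `*mkey |= SSL_kKRB5;` and `*auth |= SSL_aKRB5;` now run unconditionally, and the same applies to `*mkey |= SSL_kSRP;` in the next hunk of this file; a reader without the commit message will wonder why a build-option check became an unconditional mask. A one-line comment would record the intent, e.g. `/* Kerberos and SRP key exchange are not supported: always mask them out. */`. Since the SSL_kKRB5/SSL_aKRB5/SSL_kSRP flag bits remain (and presumably the cipher-suite table entries carrying them do too), this mask is what keeps those suites from ever being offered or selected, so stating that explicitly is worthwhile. The body of ssl_cipher_get_disabled continues outside the hunk.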
@@ -717,9 +715,7 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
        *mkey |= SSL_kPSK;
        *auth |= SSL_aPSK;
 #endif
-#ifdef OPENSSL_NO_SRP
        *mkey |= SSL_kSRP;
-#endif
        /* Check for presence of GOST 34.10 algorithms, and if they
         * do not present, disable  appropriate auth and key exchange */
        if (!get_optional_pkey_id("gost94")) {
index 195271a..d046480 100644 (file)
@@ -284,9 +284,6 @@ SSL_new(SSL_CTX *ctx)
        if (s == NULL)
                goto err;
 
-#ifndef        OPENSSL_NO_KRB5
-       s->kssl_ctx = kssl_ctx_new();
-#endif /* OPENSSL_NO_KRB5 */
 
        s->options = ctx->options;
        s->mode = ctx->mode;
@@ -580,10 +577,6 @@ SSL_free(SSL *s)
        if (s->ctx)
                SSL_CTX_free(s->ctx);
 
-#ifndef        OPENSSL_NO_KRB5
-       if (s->kssl_ctx != NULL)
-               kssl_ctx_free(s->kssl_ctx);
-#endif /* OPENSSL_NO_KRB5 */
 
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
        if (s->next_proto_negotiated)
@@ -1415,9 +1408,6 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p,
        int              i, j = 0;
        SSL_CIPHER      *c;
        unsigned char   *q;
-#ifndef OPENSSL_NO_KRB5
-       int              nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
-#endif /* OPENSSL_NO_KRB5 */
 
        if (sk == NULL)
                return (0);
@@ -1429,11 +1419,6 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p,
                if ((c->algorithm_ssl & SSL_TLSV1_2) &&
                    (TLS1_get_client_version(s) < TLS1_2_VERSION))
                        continue;
-#ifndef OPENSSL_NO_KRB5
-               if (((c->algorithm_mkey & SSL_kKRB5) ||
-                   (c->algorithm_auth & SSL_aKRB5)) && nokrb5)
-                       continue;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
                /* with PSK there must be client callback set */
                if (((c->algorithm_mkey & SSL_kPSK) ||
@@ -1877,9 +1862,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
        ret->psk_client_callback = NULL;
        ret->psk_server_callback = NULL;
 #endif
-#ifndef OPENSSL_NO_SRP
-       SSL_CTX_SRP_CTX_init(ret);
-#endif
 #ifndef OPENSSL_NO_ENGINE
        ret->client_cert_engine = NULL;
 #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
@@ -1983,9 +1965,6 @@ SSL_CTX_free(SSL_CTX *a)
        if (a->psk_identity_hint)
                free(a->psk_identity_hint);
 #endif
-#ifndef OPENSSL_NO_SRP
-       SSL_CTX_SRP_CTX_free(a);
-#endif
 #ifndef OPENSSL_NO_ENGINE
        if (a->client_cert_engine)
                ENGINE_finish(a->client_cert_engine);
@@ -2147,12 +2126,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        mask_a|=SSL_aNULL;
        emask_a|=SSL_aNULL;
 
-#ifndef OPENSSL_NO_KRB5
-       mask_k|=SSL_kKRB5;
-       mask_a|=SSL_aKRB5;
-       emask_k|=SSL_kKRB5;
-       emask_a|=SSL_aKRB5;
-#endif
 
        /*
         * An ECC certificate may be usable for ECDH and/or
index 2b8da1c..05c6948 100644 (file)
@@ -222,9 +222,6 @@ SSL_SESSION_new(void)
 #ifndef OPENSSL_NO_PSK
        ss->psk_identity_hint = NULL;
        ss->psk_identity = NULL;
-#endif
-#ifndef OPENSSL_NO_SRP
-       ss->srp_username = NULL;
 #endif
        return (ss);
 }
@@ -725,10 +722,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
                free(ss->psk_identity_hint);
        if (ss->psk_identity != NULL)
                free(ss->psk_identity);
-#endif
-#ifndef OPENSSL_NO_SRP
-       if (ss->srp_username != NULL)
-               free(ss->srp_username);
 #endif
        OPENSSL_cleanse(ss, sizeof(*ss));
        free(ss);
@@ -754,15 +747,6 @@ SSL_set_session(SSL *s, SSL_SESSION *session)
                                return (0);
                }
 
-#ifndef OPENSSL_NO_KRB5
-               if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
-                   session->krb5_client_princ_len > 0) {
-                       s->kssl_ctx->client_princ = malloc(session->krb5_client_princ_len + 1);
-                       memcpy(s->kssl_ctx->client_princ, session->krb5_client_princ,
-                           session->krb5_client_princ_len);
-                       s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
-               }
-#endif /* OPENSSL_NO_KRB5 */
 
                /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
                CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
index c6bfd68..01dd846 100644 (file)
@@ -161,19 +161,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
                if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0)
                        goto err;
        }
-#ifndef OPENSSL_NO_KRB5
-       if (BIO_puts(bp, "\n    Krb5 Principal: ") <= 0)
-               goto err;
-       if (x->krb5_client_princ_len == 0) {
-               if (BIO_puts(bp, "None") <= 0)
-                       goto err;
-       } else {
-               for (i = 0; i < x->krb5_client_princ_len; i++) {
-                       if (BIO_printf(bp, "%02X", x->krb5_client_princ[i]) <= 0)
-                               goto err;
-               }
-       }
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
        if (BIO_puts(bp, "\n    PSK identity: ") <= 0)
                goto err;
@@ -184,12 +171,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
        if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0)
                goto err;
 #endif
-#ifndef OPENSSL_NO_SRP
-       if (BIO_puts(bp, "\n    SRP username: ") <= 0)
-               goto err;
-       if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0)
-               goto err;
-#endif
 #ifndef OPENSSL_NO_TLSEXT
        if (x->tlsext_tick_lifetime_hint) {
                if (BIO_printf(bp,
index 1f5014b..879bf4b 100644 (file)
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
-#ifndef OPENSSL_NO_SRP
-#include <openssl/srp.h>
-#endif
 #include <openssl/bn.h>
 
 #define _XOPEN_SOURCE_EXTENDED 1
@@ -227,46 +224,6 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity,
     unsigned char *psk, unsigned int max_psk_len);
 #endif
 
-#ifndef OPENSSL_NO_SRP
-/* SRP client */
-/* This is a context that we pass to all callbacks */
-typedef struct srp_client_arg_st {
-       char *srppassin;
-       char *srplogin;
-} SRP_CLIENT_ARG;
-
-#define PWD_STRLEN 1024
-
-static char *
-ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
-{
-       SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
-       return BUF_strdup((char *)srp_client_arg->srppassin);
-}
-
-/* SRP server */
-/* This is a context that we pass to SRP server callbacks */
-typedef struct srp_server_arg_st {
-       char *expected_user;
-       char *pass;
-} SRP_SERVER_ARG;
-
-static int
-ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
-{
-       SRP_SERVER_ARG *p = (SRP_SERVER_ARG *) arg;
-
-       if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) {
-               fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
-               return SSL3_AL_FATAL;
-       }
-       if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) {
-               *ad = SSL_AD_INTERNAL_ERROR;
-               return SSL3_AL_FATAL;
-       }
-       return SSL_ERROR_NONE;
-}
-#endif
 
 static BIO *bio_err = NULL;
 static BIO *bio_stdout = NULL;
@@ -310,10 +267,6 @@ sv_usage(void)
 #endif
 #ifndef OPENSSL_NO_PSK
        fprintf(stderr, " -psk arg      - PSK in hex (without 0x)\n");
-#endif
-#ifndef OPENSSL_NO_SRP
-       fprintf(stderr, " -srpuser user  - SRP username to use\n");
-       fprintf(stderr, " -srppass arg   - password for 'user'\n");
 #endif
        fprintf(stderr, " -ssl3         - use SSLv3\n");
        fprintf(stderr, " -tls1         - use TLSv1\n");
@@ -483,12 +436,6 @@ main(int argc, char *argv[])
 #endif
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *ecdh = NULL;
-#endif
-#ifndef OPENSSL_NO_SRP
-       /* client */
-       SRP_CLIENT_ARG srp_client_arg = {NULL, NULL};
-       /* server */
-       SRP_SERVER_ARG srp_server_arg = {NULL, NULL};
 #endif
        int no_dhe = 0;
        int no_ecdhe = 0;
@@ -577,19 +524,6 @@ main(int argc, char *argv[])
                        no_psk = 1;
 #endif
                }
-#ifndef OPENSSL_NO_SRP
-               else if (strcmp(*argv, "-srpuser") == 0) {
-                       if (--argc < 1)
-                               goto bad;
-                       srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
-                       tls1 = 1;
-               } else if (strcmp(*argv, "-srppass") == 0) {
-                       if (--argc < 1)
-                               goto bad;
-                       srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
-                       tls1 = 1;
-               }
-#endif
                else if (strcmp(*argv, "-ssl2") == 0)
                        ssl2 = 1;
                else if (strcmp(*argv, "-tls1") == 0)
@@ -895,42 +829,10 @@ bad:
                }
 #endif
        }
-#ifndef OPENSSL_NO_SRP
-       if (srp_client_arg.srplogin) {
-               if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) {
-                       BIO_printf(bio_err, "Unable to set SRP username\n");
-                       goto end;
-               }
-               SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg);
-               SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
-               /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
-       }
-
-       if (srp_server_arg.expected_user != NULL) {
-               SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback);
-               SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
-               SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
-       }
-#endif
 
        c_ssl = SSL_new(c_ctx);
        s_ssl = SSL_new(s_ctx);
 
-#ifndef OPENSSL_NO_KRB5
-       if (c_ssl && c_ssl->kssl_ctx) {
-               char    localhost[MAXHOSTNAMELEN + 2];
-
-               if (gethostname(localhost, sizeof localhost - 1) == 0) {
-                       localhost[sizeof localhost - 1] = '\0';
-                       if (strlen(localhost) == sizeof localhost - 1) {
-                               BIO_printf(bio_err, "localhost name too long\n");
-                               goto end;
-                       }
-                       kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
-                       localhost);
-               }
-       }
-#endif    /* OPENSSL_NO_KRB5  */
 
        for (i = 0; i < number; i++) {
                if (!reuse)
index bb33331..2e183bb 100644 (file)
@@ -415,35 +415,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                ret += el;
        }
 
-#ifndef OPENSSL_NO_SRP
-       /* Add SRP username if there is one */
-       if (s->srp_ctx.login != NULL) {
-               /* Add TLS extension SRP username to the Client Hello message */
-
-               int login_len = strlen(s->srp_ctx.login);
-
-               if (login_len > 255 || login_len == 0) {
-                       SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-                       return NULL;
-               }
-
-               /* check for enough space.
-                  4 for the srp type type and entension length
-                  1 for the srp user identity
-                  + srp user identity length 
-               */
-               if ((limit - ret - 5 - login_len) < 0)
-                       return NULL;
-
-
-               /* fill in the extension */
-               s2n(TLSEXT_TYPE_srp, ret);
-               s2n(login_len + 1, ret);
-               (*ret++) = (unsigned char) login_len;
-               memcpy(ret, s->srp_ctx.login, login_len);
-               ret += login_len;
-       }
-#endif
 
 #ifndef OPENSSL_NO_EC
        if (s->tlsext_ecpointformatlist != NULL &&
@@ -1063,27 +1034,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                        }
 
                }
-#ifndef OPENSSL_NO_SRP
-               else if (type == TLSEXT_TYPE_srp) {
-                       if (size <= 0 || ((len = data[0])) != (size - 1)) {
-                               *al = SSL_AD_DECODE_ERROR;
-                               return 0;
-                       }
-                       if (s->srp_ctx.login != NULL) {
-                               *al = SSL_AD_DECODE_ERROR;
-                               return 0;
-                       }
-                       if ((s->srp_ctx.login = malloc(len + 1)) == NULL)
-                               return -1;
-                       memcpy(s->srp_ctx.login, &data[1], len);
-                       s->srp_ctx.login[len] = '\0';
-
-                       if (strlen(s->srp_ctx.login) != len) {
-                               *al = SSL_AD_DECODE_ERROR;
-                               return 0;
-                       }
-               }
-#endif
 
 #ifndef OPENSSL_NO_EC
                else if (type == TLSEXT_TYPE_ec_point_formats &&
diff --git a/lib/libssl/src/ssl/tls_srp.c b/lib/libssl/src/ssl/tls_srp.c
deleted file mode 100644 (file)
index e03eabc..0000000
+++ /dev/null
@@ -1,516 +0,0 @@
-/* ssl/tls_srp.c */
-/* Written by Christophe Renou (christophe.renou@edelweb.fr) with
- * the precious help of Peter Sylvester (peter.sylvester@edelweb.fr)
- * for the EdelKey project and contributed to the OpenSSL project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004-2011 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include "ssl_locl.h"
-#ifndef OPENSSL_NO_SRP
-
-#include <openssl/rand.h>
-#include <openssl/srp.h>
-#include <openssl/err.h>
-
-int
-SSL_CTX_SRP_CTX_free(struct ssl_ctx_st *ctx)
-{
-       if (ctx == NULL)
-               return 0;
-       free(ctx->srp_ctx.login);
-       BN_free(ctx->srp_ctx.N);
-       BN_free(ctx->srp_ctx.g);
-       BN_free(ctx->srp_ctx.s);
-       BN_free(ctx->srp_ctx.B);
-       BN_free(ctx->srp_ctx.A);
-       BN_free(ctx->srp_ctx.a);
-       BN_free(ctx->srp_ctx.b);
-       BN_free(ctx->srp_ctx.v);
-       ctx->srp_ctx.TLS_ext_srp_username_callback = NULL;
-       ctx->srp_ctx.SRP_cb_arg = NULL;
-       ctx->srp_ctx.SRP_verify_param_callback = NULL;
-       ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
-       ctx->srp_ctx.N = NULL;
-       ctx->srp_ctx.g = NULL;
-       ctx->srp_ctx.s = NULL;
-       ctx->srp_ctx.B = NULL;
-       ctx->srp_ctx.A = NULL;
-       ctx->srp_ctx.a = NULL;
-       ctx->srp_ctx.b = NULL;
-       ctx->srp_ctx.v = NULL;
-       ctx->srp_ctx.login = NULL;
-       ctx->srp_ctx.info = NULL;
-       ctx->srp_ctx.strength = SRP_MINIMAL_N;
-       ctx->srp_ctx.srp_Mask = 0;
-       return (1);
-}
-
-int
-SSL_SRP_CTX_free(struct ssl_st *s)
-{
-       if (s == NULL)
-               return 0;
-       free(s->srp_ctx.login);
-       BN_free(s->srp_ctx.N);
-       BN_free(s->srp_ctx.g);
-       BN_free(s->srp_ctx.s);
-       BN_free(s->srp_ctx.B);
-       BN_free(s->srp_ctx.A);
-       BN_free(s->srp_ctx.a);
-       BN_free(s->srp_ctx.b);
-       BN_free(s->srp_ctx.v);
-       s->srp_ctx.TLS_ext_srp_username_callback = NULL;
-       s->srp_ctx.SRP_cb_arg = NULL;
-       s->srp_ctx.SRP_verify_param_callback = NULL;
-       s->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
-       s->srp_ctx.N = NULL;
-       s->srp_ctx.g = NULL;
-       s->srp_ctx.s = NULL;
-       s->srp_ctx.B = NULL;
-       s->srp_ctx.A = NULL;
-       s->srp_ctx.a = NULL;
-       s->srp_ctx.b = NULL;
-       s->srp_ctx.v = NULL;
-       s->srp_ctx.login = NULL;
-       s->srp_ctx.info = NULL;
-       s->srp_ctx.strength = SRP_MINIMAL_N;
-       s->srp_ctx.srp_Mask = 0;
-       return (1);
-}
-
-int
-SSL_SRP_CTX_init(struct ssl_st *s)
-{
-       SSL_CTX *ctx;
-
-       if ((s == NULL) || ((ctx = s->ctx) == NULL))
-               return 0;
-       s->srp_ctx.SRP_cb_arg = ctx->srp_ctx.SRP_cb_arg;
-       /* set client Hello login callback */
-       s->srp_ctx.TLS_ext_srp_username_callback = ctx->srp_ctx.TLS_ext_srp_username_callback;
-       /* set SRP N/g param callback for verification */
-       s->srp_ctx.SRP_verify_param_callback = ctx->srp_ctx.SRP_verify_param_callback;
-       /* set SRP client passwd callback */
-       s->srp_ctx.SRP_give_srp_client_pwd_callback = ctx->srp_ctx.SRP_give_srp_client_pwd_callback;
-
-       s->srp_ctx.N = NULL;
-       s->srp_ctx.g = NULL;
-       s->srp_ctx.s = NULL;
-       s->srp_ctx.B = NULL;
-       s->srp_ctx.A = NULL;
-       s->srp_ctx.a = NULL;
-       s->srp_ctx.b = NULL;
-       s->srp_ctx.v = NULL;
-       s->srp_ctx.login = NULL;
-       s->srp_ctx.info = ctx->srp_ctx.info;
-       s->srp_ctx.strength = ctx->srp_ctx.strength;
-
-       if (((ctx->srp_ctx.N != NULL) &&
-           ((s->srp_ctx.N = BN_dup(ctx->srp_ctx.N)) == NULL)) ||
-           ((ctx->srp_ctx.g != NULL) &&
-           ((s->srp_ctx.g = BN_dup(ctx->srp_ctx.g)) == NULL)) ||
-           ((ctx->srp_ctx.s != NULL) &&
-           ((s->srp_ctx.s = BN_dup(ctx->srp_ctx.s)) == NULL)) ||
-           ((ctx->srp_ctx.B != NULL) &&
-           ((s->srp_ctx.B = BN_dup(ctx->srp_ctx.B)) == NULL)) ||
-           ((ctx->srp_ctx.A != NULL) &&
-           ((s->srp_ctx.A = BN_dup(ctx->srp_ctx.A)) == NULL)) ||
-           ((ctx->srp_ctx.a != NULL) &&
-           ((s->srp_ctx.a = BN_dup(ctx->srp_ctx.a)) == NULL)) ||
-           ((ctx->srp_ctx.v != NULL) &&
-           ((s->srp_ctx.v = BN_dup(ctx->srp_ctx.v)) == NULL)) ||
-           ((ctx->srp_ctx.b != NULL) &&
-           ((s->srp_ctx.b = BN_dup(ctx->srp_ctx.b)) == NULL))) {
-               SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_BN_LIB);
-               goto err;
-       }
-       if ((ctx->srp_ctx.login != NULL) &&
-           ((s->srp_ctx.login = BUF_strdup(ctx->srp_ctx.login)) == NULL)) {
-               SSLerr(SSL_F_SSL_SRP_CTX_INIT, ERR_R_INTERNAL_ERROR);
-               goto err;
-       }
-       s->srp_ctx.srp_Mask = ctx->srp_ctx.srp_Mask;
-
-       return (1);
-err:
-       free(s->srp_ctx.login);
-       BN_free(s->srp_ctx.N);
-       BN_free(s->srp_ctx.g);
-       BN_free(s->srp_ctx.s);
-       BN_free(s->srp_ctx.B);
-       BN_free(s->srp_ctx.A);
-       BN_free(s->srp_ctx.a);
-       BN_free(s->srp_ctx.b);
-       BN_free(s->srp_ctx.v);
-       return (0);
-}
-
-int
-SSL_CTX_SRP_CTX_init(struct ssl_ctx_st *ctx)
-{
-       if (ctx == NULL)
-               return 0;
-
-       ctx->srp_ctx.SRP_cb_arg = NULL;
-       /* set client Hello login callback */
-       ctx->srp_ctx.TLS_ext_srp_username_callback = NULL;
-       /* set SRP N/g param callback for verification */
-       ctx->srp_ctx.SRP_verify_param_callback = NULL;
-       /* set SRP client passwd callback */
-       ctx->srp_ctx.SRP_give_srp_client_pwd_callback = NULL;
-
-       ctx->srp_ctx.N = NULL;
-       ctx->srp_ctx.g = NULL;
-       ctx->srp_ctx.s = NULL;
-       ctx->srp_ctx.B = NULL;
-       ctx->srp_ctx.A = NULL;
-       ctx->srp_ctx.a = NULL;
-       ctx->srp_ctx.b = NULL;
-       ctx->srp_ctx.v = NULL;
-       ctx->srp_ctx.login = NULL;
-       ctx->srp_ctx.srp_Mask = 0;
-       ctx->srp_ctx.info = NULL;
-       ctx->srp_ctx.strength = SRP_MINIMAL_N;
-
-       return (1);
-}
-
-/* server side */
-int
-SSL_srp_server_param_with_username(SSL *s, int *ad)
-{
-       unsigned char b[SSL_MAX_MASTER_KEY_LENGTH];
-       int al;
-
-       *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
-       if ((s->srp_ctx.TLS_ext_srp_username_callback !=NULL) &&
-           ((al = s->srp_ctx.TLS_ext_srp_username_callback(s, ad,
-           s->srp_ctx.SRP_cb_arg)) != SSL_ERROR_NONE))
-               return al;
-
-       *ad = SSL_AD_INTERNAL_ERROR;
-       if ((s->srp_ctx.N == NULL) || (s->srp_ctx.g == NULL) ||
-           (s->srp_ctx.s == NULL) || (s->srp_ctx.v == NULL))
-               return SSL3_AL_FATAL;
-
-       if (RAND_bytes(b, sizeof(b)) <= 0)
-               return SSL3_AL_FATAL;
-       s->srp_ctx.b = BN_bin2bn(b, sizeof(b), NULL);
-       OPENSSL_cleanse(b, sizeof(b));
-
-       /* Calculate:  B = (kv + g^b) % N  */
-
-       return ((s->srp_ctx.B = SRP_Calc_B(s->srp_ctx.b, s->srp_ctx.N, s->srp_ctx.g, s->srp_ctx.v)) != NULL) ?  SSL_ERROR_NONE : SSL3_AL_FATAL;
-}
-
-/* If the server just has the raw password, make up a verifier entry on the fly */
-int
-SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, const char *grp)
-{
-       SRP_gN *GN = SRP_get_default_gN(grp);
-       if (GN == NULL)
-               return -1;
-       s->srp_ctx.N = BN_dup(GN->N);
-       s->srp_ctx.g = BN_dup(GN->g);
-       if (s->srp_ctx.v != NULL) {
-               BN_clear_free(s->srp_ctx.v);
-               s->srp_ctx.v = NULL;
-       }
-       if (s->srp_ctx.s != NULL) {
-               BN_clear_free(s->srp_ctx.s);
-               s->srp_ctx.s = NULL;
-       }
-       if (!SRP_create_verifier_BN(user, pass, &s->srp_ctx.s, &s->srp_ctx.v,
-           GN->N, GN->g))
-               return -1;
-
-       return 1;
-}
-
-int
-SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g,
-    BIGNUM *sa, BIGNUM *v, char *info)
-{
-       if (N != NULL) {
-               if (s->srp_ctx.N != NULL) {
-                       if (!BN_copy(s->srp_ctx.N, N)) {
-                               BN_free(s->srp_ctx.N);
-                               s->srp_ctx.N = NULL;
-                       }
-               } else
-                       s->srp_ctx.N = BN_dup(N);
-       }
-       if (g != NULL) {
-               if (s->srp_ctx.g != NULL) {
-                       if (!BN_copy(s->srp_ctx.g, g)) {
-                               BN_free(s->srp_ctx.g);
-                               s->srp_ctx.g = NULL;
-                       }
-               } else
-                       s->srp_ctx.g = BN_dup(g);
-       }
-       if (sa != NULL) {
-               if (s->srp_ctx.s != NULL) {
-                       if (!BN_copy(s->srp_ctx.s, sa)) {
-                               BN_free(s->srp_ctx.s);
-                               s->srp_ctx.s = NULL;
-                       }
-               } else
-                       s->srp_ctx.s = BN_dup(sa);
-       }
-       if (v != NULL) {
-               if (s->srp_ctx.v != NULL) {
-                       if (!BN_copy(s->srp_ctx.v, v)) {
-                               BN_free(s->srp_ctx.v);
-                               s->srp_ctx.v = NULL;
-                       }
-               } else
-                       s->srp_ctx.v = BN_dup(v);
-       }
-       s->srp_ctx.info = info;
-
-       if (!(s->srp_ctx.N) || !(s->srp_ctx.g) ||
-           !(s->srp_ctx.s) || !(s->srp_ctx.v))
-               return -1;
-
-       return 1;
-}
-
-int
-SRP_generate_server_master_secret(SSL *s, unsigned char *master_key)
-{
-       BIGNUM *K = NULL, *u = NULL;
-       int ret = -1, tmp_len;
-       unsigned char *tmp = NULL;
-
-       if (!SRP_Verify_A_mod_N(s->srp_ctx.A, s->srp_ctx.N))
-               goto err;
-       if (!(u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)))
-               goto err;
-       if (!(K = SRP_Calc_server_key(s->srp_ctx.A, s->srp_ctx.v, u, s->srp_ctx.b, s->srp_ctx.N)))
-               goto err;
-
-       tmp_len = BN_num_bytes(K);
-       if ((tmp = malloc(tmp_len)) == NULL)
-               goto err;
-       BN_bn2bin(K, tmp);
-       ret = s->method->ssl3_enc->generate_master_secret(s, master_key, tmp, tmp_len);
-err:
-       if (tmp) {
-               OPENSSL_cleanse(tmp, tmp_len);
-               free(tmp);
-       }
-       BN_clear_free(K);
-       BN_clear_free(u);
-       return ret;
-}
-
-/* client side */
-int
-SRP_generate_client_master_secret(SSL *s, unsigned char *master_key)
-{
-       BIGNUM *x = NULL, *u = NULL, *K = NULL;
-       int ret = -1, tmp_len;
-       char *passwd = NULL;
-       unsigned char *tmp = NULL;
-
-       /* Checks if b % n == 0
-        */
-       if (SRP_Verify_B_mod_N(s->srp_ctx.B, s->srp_ctx.N) == 0)
-               goto err;
-       if (!(u = SRP_Calc_u(s->srp_ctx.A, s->srp_ctx.B, s->srp_ctx.N)))
-               goto err;
-       if (s->srp_ctx.SRP_give_srp_client_pwd_callback == NULL)
-               goto err;
-       if (!(passwd = s->srp_ctx.SRP_give_srp_client_pwd_callback(s,
-           s->srp_ctx.SRP_cb_arg)))
-               goto err;
-       if (!(x = SRP_Calc_x(s->srp_ctx.s, s->srp_ctx.login, passwd)))
-               goto err;
-       if (!(K = SRP_Calc_client_key(s->srp_ctx.N, s->srp_ctx.B, s->srp_ctx.g,
-           x, s->srp_ctx.a, u)))
-               goto err;
-
-       tmp_len = BN_num_bytes(K);
-       if ((tmp = malloc(tmp_len)) == NULL)
-               goto err;
-       BN_bn2bin(K, tmp);
-       ret = s->method->ssl3_enc->generate_master_secret(s, master_key,
-           tmp, tmp_len);
-err:
-       if (tmp) {
-               OPENSSL_cleanse(tmp, tmp_len);
-               free(tmp);
-       }
-       BN_clear_free(K);
-       BN_clear_free(x);
-       if (passwd) {
-               OPENSSL_cleanse(passwd, strlen(passwd));
-               free(passwd);
-       }
-       BN_clear_free(u);
-       return ret;
-}
-
-int
-SRP_Calc_A_param(SSL *s)
-{
-       unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
-
-       if (BN_num_bits(s->srp_ctx.N) < s->srp_ctx.strength)
-               return -1;
-
-       if (s->srp_ctx.SRP_verify_param_callback ==NULL &&
-           !SRP_check_known_gN_param(s->srp_ctx.g, s->srp_ctx.N))
-               return -1;
-
-       RAND_bytes(rnd, sizeof(rnd));
-       s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
-       OPENSSL_cleanse(rnd, sizeof(rnd));
-
-       if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a, s->srp_ctx.N,
-           s->srp_ctx.g)))
-               return -1;
-
-       /* We can have a callback to verify SRP param!! */
-       if (s->srp_ctx.SRP_verify_param_callback !=NULL)
-               return s->srp_ctx.SRP_verify_param_callback(s,
-                   s->srp_ctx.SRP_cb_arg);
-
-       return 1;
-}
-
-BIGNUM *
-SSL_get_srp_g(SSL *s)
-{
-       if (s->srp_ctx.g != NULL)
-               return s->srp_ctx.g;
-       return s->ctx->srp_ctx.g;
-}
-
-BIGNUM *
-SSL_get_srp_N(SSL *s)
-{
-       if (s->srp_ctx.N != NULL)
-               return s->srp_ctx.N;
-       return s->ctx->srp_ctx.N;
-}
-
-char *
-SSL_get_srp_username(SSL *s)
-{
-       if (s->srp_ctx.login != NULL)
-               return s->srp_ctx.login;
-       return s->ctx->srp_ctx.login;
-}
-
-char *
-SSL_get_srp_userinfo(SSL *s)
-{
-       if (s->srp_ctx.info != NULL)
-               return s->srp_ctx.info;
-       return s->ctx->srp_ctx.info;
-}
-
-#define tls1_ctx_ctrl ssl3_ctx_ctrl
-#define tls1_ctx_callback_ctrl ssl3_ctx_callback_ctrl
-
-int
-SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name)
-{
-       return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME, 0, name);
-}
-
-int
-SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password)
-{
-       return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_PASSWORD, 0, password);
-}
-
-int
-SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength)
-{
-       return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_STRENGTH, strength,
-           NULL);
-}
-
-int
-SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, int (*cb)(SSL *, void *))
-{
-       return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_VERIFY_PARAM_CB,
-           (void (*)(void))cb);
-}
-
-int
-SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg)
-{
-       return tls1_ctx_ctrl(ctx, SSL_CTRL_SET_SRP_ARG, 0, arg);
-}
-
-int
-SSL_CTX_set_srp_username_callback(SSL_CTX *ctx,
-    int (*cb)(SSL *, int *, void *))
-{
-       return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB,
-           (void (*)(void))cb);
-}
-
-int
-SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, char *(*cb)(SSL *, void *))
-{
-       return tls1_ctx_callback_ctrl(ctx, SSL_CTRL_SET_SRP_GIVE_CLIENT_PWD_CB,
-           (void (*)(void))cb);
-}
-
-#endif
index 0e117db..dc56aba 100644 (file)
@@ -466,10 +466,6 @@ struct ssl_session_st {
        unsigned int sid_ctx_length;
        unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
 
-#ifndef OPENSSL_NO_KRB5
-       unsigned int krb5_client_princ_len;
-       unsigned char krb5_client_princ[SSL_MAX_KRB5_PRINCIPAL_LENGTH];
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
        char *psk_identity_hint;
        char *psk_identity;
@@ -522,9 +518,6 @@ struct ssl_session_st {
        size_t tlsext_ticklen;          /* Session ticket length */
        long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
 #endif
-#ifndef OPENSSL_NO_SRP
-       char *srp_username;
-#endif
 };
 
 #endif
@@ -672,42 +665,6 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version,
 #define SSL_CTX_set_msg_callback_arg(ctx, arg) SSL_CTX_ctrl((ctx), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 #define SSL_set_msg_callback_arg(ssl, arg) SSL_ctrl((ssl), SSL_CTRL_SET_MSG_CALLBACK_ARG, 0, (arg))
 
-#ifndef OPENSSL_NO_SRP
-
-#ifndef OPENSSL_NO_SSL_INTERN
-
-typedef struct srp_ctx_st {
-       /* param for all the callbacks */
-       void *SRP_cb_arg;
-       /* set client Hello login callback */
-       int (*TLS_ext_srp_username_callback)(SSL *, int *, void *);
-       /* set SRP N/g param callback for verification */
-       int (*SRP_verify_param_callback)(SSL *, void *);
-       /* set SRP client passwd callback */
-       char *(*SRP_give_srp_client_pwd_callback)(SSL *, void *);
-
-       char *login;
-       BIGNUM *N, *g, *s, *B, *A;
-       BIGNUM *a, *b, *v;
-       char *info;
-       int strength;
-
-       unsigned long srp_Mask;
-} SRP_CTX;
-
-#endif
-
-/* see tls_srp.c */
-int SSL_SRP_CTX_init(SSL *s);
-int SSL_CTX_SRP_CTX_init(SSL_CTX *ctx);
-int SSL_SRP_CTX_free(SSL *ctx);
-int SSL_CTX_SRP_CTX_free(SSL_CTX *ctx);
-int SSL_srp_server_param_with_username(SSL *s, int *ad);
-int SRP_generate_server_master_secret(SSL *s, unsigned char *master_key);
-int SRP_Calc_A_param(SSL *s);
-int SRP_generate_client_master_secret(SSL *s, unsigned char *master_key);
-
-#endif
 
 #define SSL_MAX_CERT_LIST_DEFAULT 1024*100 /* 100k max cert list :-) */
 
@@ -922,9 +879,6 @@ struct ssl_ctx_st {
            unsigned char *psk, unsigned int max_psk_len);
 #endif
 
-#ifndef OPENSSL_NO_SRP
-       SRP_CTX srp_ctx; /* ctx for SRP authentication */
-#endif
 
 #ifndef OPENSSL_NO_TLSEXT
 
@@ -1213,9 +1167,6 @@ struct ssl_st {
        int error;              /* error bytes to be written */
        int error_code;         /* actual code */
 
-#ifndef OPENSSL_NO_KRB5
-       KSSL_CTX *kssl_ctx;     /* Kerberos 5 context */
-#endif /* OPENSSL_NO_KRB5 */
 
 #ifndef OPENSSL_NO_PSK
        unsigned int (*psk_client_callback)(SSL *ssl, const char *hint,
@@ -1327,9 +1278,6 @@ struct ssl_st {
                         * 2 if we are a server and are inside a handshake
                         * (i.e. not just sending a HelloRequest) */
 
-#ifndef OPENSSL_NO_SRP
-       SRP_CTX srp_ctx; /* ctx for SRP authentication */
-#endif
 };
 
 #endif
@@ -1771,24 +1719,6 @@ int SSL_set_trust(SSL *s, int trust);
 int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm);
 int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
 
-#ifndef OPENSSL_NO_SRP
-int SSL_CTX_set_srp_username(SSL_CTX *ctx, char *name);
-int SSL_CTX_set_srp_password(SSL_CTX *ctx, char *password);
-int SSL_CTX_set_srp_strength(SSL_CTX *ctx, int strength);
-int SSL_CTX_set_srp_client_pwd_callback(SSL_CTX *ctx, char *(*cb)(SSL *, void *));
-int SSL_CTX_set_srp_verify_param_callback(SSL_CTX *ctx, int (*cb)(SSL *, void *));
-int SSL_CTX_set_srp_username_callback(SSL_CTX *ctx, int (*cb)(SSL *, int *, void *));
-int SSL_CTX_set_srp_cb_arg(SSL_CTX *ctx, void *arg);
-
-int SSL_set_srp_server_param(SSL *s, const BIGNUM *N, const BIGNUM *g, BIGNUM *sa, BIGNUM *v, char *info);
-int SSL_set_srp_server_param_pw(SSL *s, const char *user, const char *pass, const char *grp);
-
-BIGNUM *SSL_get_srp_g(SSL *s);
-BIGNUM *SSL_get_srp_N(SSL *s);
-
-char *SSL_get_srp_username(SSL *s);
-char *SSL_get_srp_userinfo(SSL *s);
-#endif
 
 void   SSL_free(SSL *ssl);
 int    SSL_accept(SSL *ssl);
index 64dd10b..737121f 100644 (file)
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.40 2014/04/23 05:13:57 beck Exp $
+# $OpenBSD: Makefile,v 1.41 2014/05/05 15:03:22 tedu Exp $
 
 LIB=   ssl
 
@@ -19,7 +19,7 @@ SRCS=\
        ssl_lib.c ssl_err2.c ssl_cert.c ssl_sess.c \
        ssl_ciph.c ssl_stat.c ssl_rsa.c \
        ssl_asn1.c ssl_txt.c ssl_algs.c \
-       bio_ssl.c ssl_err.c kssl.c tls_srp.c t1_reneg.c
+       bio_ssl.c ssl_err.c t1_reneg.c
 SRCS+= s3_cbc.c
 
 HDRS=  srtp.h ssl.h ssl2.h ssl3.h ssl23.h tls1.h dtls1.h kssl.h
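Review bot: `kssl.h` is still listed in HDRS on the context line right after the SRCS change, while its implementation `kssl.c` is dropped from SRCS together with `tls_srp.c`. The file list shows `kssl.h` is modified rather than deleted, so keeping it installed is presumably deliberate (a header left behind for source compatibility), but nothing in the Makefile says so. A one-line comment above HDRS, e.g. `# kssl.h is kept as a compatibility header; the KRB5 implementation was removed`, would stop the next reader from treating the leftover as an oversight.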
index 1d25902..566590f 100644 (file)
@@ -97,9 +97,6 @@ typedef struct ssl_session_asn1_st {
        ASN1_OCTET_STRING master_key;
        ASN1_OCTET_STRING session_id;
        ASN1_OCTET_STRING session_id_context;
-#ifndef OPENSSL_NO_KRB5
-       ASN1_OCTET_STRING krb5_princ;
-#endif /* OPENSSL_NO_KRB5 */
        ASN1_INTEGER time;
        ASN1_INTEGER timeout;
        ASN1_INTEGER verify_result;
@@ -112,9 +109,6 @@ typedef struct ssl_session_asn1_st {
        ASN1_OCTET_STRING psk_identity_hint;
        ASN1_OCTET_STRING psk_identity;
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-       ASN1_OCTET_STRING srp_username;
-#endif /* OPENSSL_NO_SRP */
 } SSL_SESSION_ASN1;
 
 int
@@ -131,9 +125,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 #ifndef OPENSSL_NO_COMP
        unsigned char cbuf;
        int v11 = 0;
-#endif
-#ifndef OPENSSL_NO_SRP
-       int v12 = 0;
 #endif
        long l;
        SSL_SESSION_ASN1 a;
@@ -189,13 +180,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        a.session_id_context.type = V_ASN1_OCTET_STRING;
        a.session_id_context.data = in->sid_ctx;
 
-#ifndef OPENSSL_NO_KRB5
-       if (in->krb5_client_princ_len) {
-               a.krb5_princ.length = in->krb5_client_princ_len;
-               a.krb5_princ.type = V_ASN1_OCTET_STRING;
-               a.krb5_princ.data = in->krb5_client_princ;
-       }
-#endif /* OPENSSL_NO_KRB5 */
 
        if (in->time != 0L) {
                a.time.length = LSIZE2;
@@ -248,23 +232,12 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
                a.psk_identity.data = (unsigned char *)(in->psk_identity);
        }
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-       if (in->srp_username) {
-               a.srp_username.length = strlen(in->srp_username);
-               a.srp_username.type = V_ASN1_OCTET_STRING;
-               a.srp_username.data = (unsigned char *)(in->srp_username);
-       }
-#endif /* OPENSSL_NO_SRP */
 
        M_ASN1_I2D_len(&(a.version),            i2d_ASN1_INTEGER);
        M_ASN1_I2D_len(&(a.ssl_version),        i2d_ASN1_INTEGER);
        M_ASN1_I2D_len(&(a.cipher),             i2d_ASN1_OCTET_STRING);
        M_ASN1_I2D_len(&(a.session_id),         i2d_ASN1_OCTET_STRING);
        M_ASN1_I2D_len(&(a.master_key),         i2d_ASN1_OCTET_STRING);
-#ifndef OPENSSL_NO_KRB5
-       if (in->krb5_client_princ_len)
-               M_ASN1_I2D_len(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
-#endif /* OPENSSL_NO_KRB5 */
        if (in->time != 0L)
                M_ASN1_I2D_len_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1);
        if (in->timeout != 0L)
@@ -293,10 +266,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        if (in->psk_identity)
                M_ASN1_I2D_len_EXP_opt(&(a.psk_identity), i2d_ASN1_OCTET_STRING, 8, v8);
 #endif /* OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-       if (in->srp_username)
-               M_ASN1_I2D_len_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING, 12, v12);
-#endif /* OPENSSL_NO_SRP */
 
        M_ASN1_I2D_seq_total();
 
@@ -305,10 +274,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        M_ASN1_I2D_put(&(a.cipher),             i2d_ASN1_OCTET_STRING);
        M_ASN1_I2D_put(&(a.session_id),         i2d_ASN1_OCTET_STRING);
        M_ASN1_I2D_put(&(a.master_key),         i2d_ASN1_OCTET_STRING);
-#ifndef OPENSSL_NO_KRB5
-       if (in->krb5_client_princ_len)
-               M_ASN1_I2D_put(&(a.krb5_princ), i2d_ASN1_OCTET_STRING);
-#endif /* OPENSSL_NO_KRB5 */
        if (in->time != 0L)
                M_ASN1_I2D_put_EXP_opt(&(a.time), i2d_ASN1_INTEGER, 1, v1);
        if (in->timeout != 0L)
@@ -339,10 +304,6 @@ i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
        if (in->compress_meth)
                M_ASN1_I2D_put_EXP_opt(&(a.comp_id), i2d_ASN1_OCTET_STRING, 11, v11);
 #endif
-#ifndef OPENSSL_NO_SRP
-       if (in->srp_username)
-               M_ASN1_I2D_put_EXP_opt(&(a.srp_username), i2d_ASN1_OCTET_STRING, 12, v12);
-#endif /* OPENSSL_NO_SRP */
        M_ASN1_I2D_finish();
 }
 
@@ -420,21 +381,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
 
        os.length = 0;
 
-#ifndef OPENSSL_NO_KRB5
-       os.length = 0;
-       M_ASN1_D2I_get_opt(osp, d2i_ASN1_OCTET_STRING, V_ASN1_OCTET_STRING);
-       if (os.data) {
-               if (os.length > SSL_MAX_KRB5_PRINCIPAL_LENGTH)
-                       ret->krb5_client_princ_len = 0;
-               else
-                       ret->krb5_client_princ_len = os.length;
-               memcpy(ret->krb5_client_princ, os.data, ret->krb5_client_princ_len);
-               free(os.data);
-               os.data = NULL;
-               os.length = 0;
-       } else
-               ret->krb5_client_princ_len = 0;
-#endif /* OPENSSL_NO_KRB5 */
 
        ai.length = 0;
        M_ASN1_D2I_get_EXP_opt(aip, d2i_ASN1_INTEGER, 1);       /* XXX 2038 */
@@ -561,18 +507,6 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length)
        }
 #endif
 
-#ifndef OPENSSL_NO_SRP
-       os.length = 0;
-       os.data = NULL;
-       M_ASN1_D2I_get_EXP_opt(osp, d2i_ASN1_OCTET_STRING, 12);
-       if (os.data) {
-               ret->srp_username = BUF_strndup((char *)os.data, os.length);
-               free(os.data);
-               os.data = NULL;
-               os.length = 0;
-       } else
-               ret->srp_username = NULL;
-#endif /* OPENSSL_NO_SRP */
 
        M_ASN1_D2I_Finish(a, SSL_SESSION_free, SSL_F_D2I_SSL_SESSION);
 }
index 00ab752..a152352 100644 (file)
@@ -702,10 +702,8 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
        *mkey |= SSL_kDHr|SSL_kDHd|SSL_kEDH;
        *auth |= SSL_aDH;
 #endif
-#ifdef OPENSSL_NO_KRB5
        *mkey |= SSL_kKRB5;
        *auth |= SSL_aKRB5;
-#endif
 #ifdef OPENSSL_NO_ECDSA
        *auth |= SSL_aECDSA;
 #endif
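Review bot: With the `#ifdef OPENSSL_NO_KRB5` guard removed, `*mkey |= SSL_kKRB5; *auth |= SSL_aKRB5;` is now unconditional, and the same applies to `*mkey |= SSL_kSRP;` in the next hunk of this file; these lines become the mechanism that keeps the Kerberos and SRP suites permanently out of negotiation, which deserves a comment since there is no longer any build option explaining why the bits are always set, e.g. `/* KRB5 and SRP were removed from libssl; their suites stay disabled unconditionally. */`. It is also worth confirming, since it is not visible here, that the suite definitions and the cipher-string aliases for these key-exchange methods elsewhere in the library either are removed in this commit or still map onto these disabled bits, so that a cipher string cannot re-enable a suite whose handshake code no longer exists. The body of ssl_cipher_get_disabled() starts and ends outside this hunk.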
@@ -717,9 +715,7 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, unsigned long
        *mkey |= SSL_kPSK;
        *auth |= SSL_aPSK;
 #endif
-#ifdef OPENSSL_NO_SRP
        *mkey |= SSL_kSRP;
-#endif
        /* Check for presence of GOST 34.10 algorithms, and if they
         * do not present, disable  appropriate auth and key exchange */
        if (!get_optional_pkey_id("gost94")) {
index 195271a..d046480 100644 (file)
@@ -284,9 +284,6 @@ SSL_new(SSL_CTX *ctx)
        if (s == NULL)
                goto err;
 
-#ifndef        OPENSSL_NO_KRB5
-       s->kssl_ctx = kssl_ctx_new();
-#endif /* OPENSSL_NO_KRB5 */
 
        s->options = ctx->options;
        s->mode = ctx->mode;
@@ -580,10 +577,6 @@ SSL_free(SSL *s)
        if (s->ctx)
                SSL_CTX_free(s->ctx);
 
-#ifndef        OPENSSL_NO_KRB5
-       if (s->kssl_ctx != NULL)
-               kssl_ctx_free(s->kssl_ctx);
-#endif /* OPENSSL_NO_KRB5 */
 
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
        if (s->next_proto_negotiated)
@@ -1415,9 +1408,6 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p,
        int              i, j = 0;
        SSL_CIPHER      *c;
        unsigned char   *q;
-#ifndef OPENSSL_NO_KRB5
-       int              nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
-#endif /* OPENSSL_NO_KRB5 */
 
        if (sk == NULL)
                return (0);
@@ -1429,11 +1419,6 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p,
                if ((c->algorithm_ssl & SSL_TLSV1_2) &&
                    (TLS1_get_client_version(s) < TLS1_2_VERSION))
                        continue;
-#ifndef OPENSSL_NO_KRB5
-               if (((c->algorithm_mkey & SSL_kKRB5) ||
-                   (c->algorithm_auth & SSL_aKRB5)) && nokrb5)
-                       continue;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
                /* with PSK there must be client callback set */
                if (((c->algorithm_mkey & SSL_kPSK) ||
@@ -1877,9 +1862,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
        ret->psk_client_callback = NULL;
        ret->psk_server_callback = NULL;
 #endif
-#ifndef OPENSSL_NO_SRP
-       SSL_CTX_SRP_CTX_init(ret);
-#endif
 #ifndef OPENSSL_NO_ENGINE
        ret->client_cert_engine = NULL;
 #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
@@ -1983,9 +1965,6 @@ SSL_CTX_free(SSL_CTX *a)
        if (a->psk_identity_hint)
                free(a->psk_identity_hint);
 #endif
-#ifndef OPENSSL_NO_SRP
-       SSL_CTX_SRP_CTX_free(a);
-#endif
 #ifndef OPENSSL_NO_ENGINE
        if (a->client_cert_engine)
                ENGINE_finish(a->client_cert_engine);
@@ -2147,12 +2126,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
        mask_a|=SSL_aNULL;
        emask_a|=SSL_aNULL;
 
-#ifndef OPENSSL_NO_KRB5
-       mask_k|=SSL_kKRB5;
-       mask_a|=SSL_aKRB5;
-       emask_k|=SSL_kKRB5;
-       emask_a|=SSL_aKRB5;
-#endif
 
        /*
         * An ECC certificate may be usable for ECDH and/or
index 2b8da1c..05c6948 100644 (file)
@@ -222,9 +222,6 @@ SSL_SESSION_new(void)
 #ifndef OPENSSL_NO_PSK
        ss->psk_identity_hint = NULL;
        ss->psk_identity = NULL;
-#endif
-#ifndef OPENSSL_NO_SRP
-       ss->srp_username = NULL;
 #endif
        return (ss);
 }
@@ -725,10 +722,6 @@ SSL_SESSION_free(SSL_SESSION *ss)
                free(ss->psk_identity_hint);
        if (ss->psk_identity != NULL)
                free(ss->psk_identity);
-#endif
-#ifndef OPENSSL_NO_SRP
-       if (ss->srp_username != NULL)
-               free(ss->srp_username);
 #endif
        OPENSSL_cleanse(ss, sizeof(*ss));
        free(ss);
@@ -754,15 +747,6 @@ SSL_set_session(SSL *s, SSL_SESSION *session)
                                return (0);
                }
 
-#ifndef OPENSSL_NO_KRB5
-               if (s->kssl_ctx && !s->kssl_ctx->client_princ &&
-                   session->krb5_client_princ_len > 0) {
-                       s->kssl_ctx->client_princ = malloc(session->krb5_client_princ_len + 1);
-                       memcpy(s->kssl_ctx->client_princ, session->krb5_client_princ,
-                           session->krb5_client_princ_len);
-                       s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0';
-               }
-#endif /* OPENSSL_NO_KRB5 */
 
                /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/
                CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION);
index c6bfd68..01dd846 100644 (file)
@@ -161,19 +161,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
                if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0)
                        goto err;
        }
-#ifndef OPENSSL_NO_KRB5
-       if (BIO_puts(bp, "\n    Krb5 Principal: ") <= 0)
-               goto err;
-       if (x->krb5_client_princ_len == 0) {
-               if (BIO_puts(bp, "None") <= 0)
-                       goto err;
-       } else {
-               for (i = 0; i < x->krb5_client_princ_len; i++) {
-                       if (BIO_printf(bp, "%02X", x->krb5_client_princ[i]) <= 0)
-                               goto err;
-               }
-       }
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
        if (BIO_puts(bp, "\n    PSK identity: ") <= 0)
                goto err;
@@ -184,12 +171,6 @@ SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
        if (BIO_printf(bp, "%s", x->psk_identity_hint ? x->psk_identity_hint : "None") <= 0)
                goto err;
 #endif
-#ifndef OPENSSL_NO_SRP
-       if (BIO_puts(bp, "\n    SRP username: ") <= 0)
-               goto err;
-       if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0)
-               goto err;
-#endif
 #ifndef OPENSSL_NO_TLSEXT
        if (x->tlsext_tick_lifetime_hint) {
                if (BIO_printf(bp,
index bb33331..2e183bb 100644 (file)
@@ -415,35 +415,6 @@ ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned char *limit)
                ret += el;
        }
 
-#ifndef OPENSSL_NO_SRP
-       /* Add SRP username if there is one */
-       if (s->srp_ctx.login != NULL) {
-               /* Add TLS extension SRP username to the Client Hello message */
-
-               int login_len = strlen(s->srp_ctx.login);
-
-               if (login_len > 255 || login_len == 0) {
-                       SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
-                       return NULL;
-               }
-
-               /* check for enough space.
-                  4 for the srp type type and entension length
-                  1 for the srp user identity
-                  + srp user identity length 
-               */
-               if ((limit - ret - 5 - login_len) < 0)
-                       return NULL;
-
-
-               /* fill in the extension */
-               s2n(TLSEXT_TYPE_srp, ret);
-               s2n(login_len + 1, ret);
-               (*ret++) = (unsigned char) login_len;
-               memcpy(ret, s->srp_ctx.login, login_len);
-               ret += login_len;
-       }
-#endif
 
 #ifndef OPENSSL_NO_EC
        if (s->tlsext_ecpointformatlist != NULL &&
@@ -1063,27 +1034,6 @@ ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
                        }
 
                }
-#ifndef OPENSSL_NO_SRP
-               else if (type == TLSEXT_TYPE_srp) {
-                       if (size <= 0 || ((len = data[0])) != (size - 1)) {
-                               *al = SSL_AD_DECODE_ERROR;
-                               return 0;
-                       }
-                       if (s->srp_ctx.login != NULL) {
-                               *al = SSL_AD_DECODE_ERROR;
-                               return 0;
-                       }
-                       if ((s->srp_ctx.login = malloc(len + 1)) == NULL)
-                               return -1;
-                       memcpy(s->srp_ctx.login, &data[1], len);
-                       s->srp_ctx.login[len] = '\0';
-
-                       if (strlen(s->srp_ctx.login) != len) {
-                               *al = SSL_AD_DECODE_ERROR;
-                               return 0;
-                       }
-               }
-#endif
 
 #ifndef OPENSSL_NO_EC
                else if (type == TLSEXT_TYPE_ec_point_formats &&