Remove SRP and Kerberos support from libssl. These are complex protocols

all on their own and we can't effectively maintain them without using them, which we don't. If the need arises, the code can be resurrected.
author: tedu <> 2014-05-05 15:03:22 +0000
committer: tedu <> 2014-05-05 15:03:22 +0000
commit: 5b4326f23352be2e7084f2020795d8aa042c746f (patch)
tree: c342d9903092a19dfda173837629fd04c429eda9 /src/lib/libssl/d1_clnt.c
parent: 77dd1ca11ad22b323b27beea447edd1e35c3b24e (diff)
download: openbsd-5b4326f23352be2e7084f2020795d8aa042c746f.tar.gz
openbsd-5b4326f23352be2e7084f2020795d8aa042c746f.tar.bz2
openbsd-5b4326f23352be2e7084f2020795d8aa042c746f.zip
1 files changed, 0 insertions, 134 deletions
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 38118b1385..8967879f70 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -115,9 +115,6 @@
 #include <stdio.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_KRB5
-#include "kssl_lcl.h"
-#endif
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
@@ -926,9 +923,6 @@ dtls1_send_client_key_exchange(SSL *s)
        unsigned long alg_k;
        unsigned char *q;
        EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_KRB5
-        KSSL_ERR kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *clnt_ecdh = NULL;
        const EC_POINT *srvr_ecpoint = NULL;
@@ -992,134 +986,6 @@ dtls1_send_client_key_exchange(SSL *s)
                        tmp_buf, sizeof tmp_buf);
                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
                }
-#ifndef OPENSSL_NO_KRB5
-                else if (alg_k & SSL_kKRB5) {
-                        krb5_error_code krb5rc;
-                        KSSL_CTX        *kssl_ctx = s->kssl_ctx;
-                        /*  krb5_data   krb5_ap_req;  */
-                        krb5_data       *enc_ticket;
-                        krb5_data       authenticator, *authp = NULL;
-                        EVP_CIPHER_CTX  ciph_ctx;
-                        const EVP_CIPHER *enc = NULL;
-                        unsigned char   iv[EVP_MAX_IV_LENGTH];
-                        unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-                        unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH
-                        + EVP_MAX_IV_LENGTH];
-                        int             padl, outl = sizeof(epms);
-                        EVP_CIPHER_CTX_init(&ciph_ctx);
-#ifdef KSSL_DEBUG
-                        printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                        alg_k, SSL_kKRB5);
-#endif  /* KSSL_DEBUG */
-                        authp = NULL;
-#ifdef KRB5SENDAUTH
-                        if (KRB5SENDAUTH)
-                                authp = &authenticator;
-#endif  /* KRB5SENDAUTH */
-                        krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
-                        &kssl_err);
-                        enc = kssl_map_enc(kssl_ctx->enctype);
-                        if (enc == NULL)
-                                goto err;
-#ifdef KSSL_DEBUG
-                        {
-                                printf("kssl_cget_tkt rtn %d\n", krb5rc);
-                                if (krb5rc && kssl_err.text)
-                                        printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
-                        }
-#endif  /* KSSL_DEBUG */
-                        if (krb5rc) {
-                                ssl3_send_alert(s, SSL3_AL_FATAL,
-                                SSL_AD_HANDSHAKE_FAILURE);
-                                SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
-                                kssl_err.reason);
-                                goto err;
-                        }
-                        /*  20010406 VRS - Earlier versions used KRB5 AP_REQ
-                        **  in place of RFC 2712 KerberosWrapper, as in:
-                        **
-                        **  Send ticket (copy to *p, set n = length)
-                        **  n = krb5_ap_req.length;
-                        **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-                        **  if (krb5_ap_req.data)  
-                        **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-                        **
-                        **  Now using real RFC 2712 KerberosWrapper
-                        **  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
-                        **  Note: 2712 "opaque" types are here replaced
-                        **  with a 2-byte length followed by the value.
-                        **  Example:
-                        **  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-                        **  Where "xx xx" = length bytes.  Shown here with
-                        **  optional authenticator omitted.
-                        */
-                        /*  KerberosWrapper.Ticket              */
-                        s2n(enc_ticket->length, p);
-                        memcpy(p, enc_ticket->data, enc_ticket->length);
-                        p += enc_ticket->length;
-                        n = enc_ticket->length + 2;
-                        /*  KerberosWrapper.Authenticator       */
-                        if (authp && authp->length) {
-                                s2n(authp->length, p);
-                                memcpy(p, authp->data, authp->length);
-                                p += authp->length;
-                                n += authp->length + 2;
-                                free(authp->data);
-                                authp->data = NULL;
-                                authp->length = 0;
-                        } else {
-                                s2n(0, p);/*  null authenticator length */
-                                n += 2;
-                        }
-                        if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0)
-                                goto err;
-                        /*  20010420 VRS.  Tried it this way; failed.
-                        **      EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-                        **      EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-                        **                              kssl_ctx->length);
-                        **      EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-                        */
-                        memset(iv, 0, sizeof iv);
-                        /* per RFC 1510 */
-                        EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
-                            kssl_ctx->key, iv);
-                        EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
-                            sizeof tmp_buf);
-                        EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
-                        outl += padl;
-                        if (outl > (int)sizeof epms) {
-                                SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-                                goto err;
-                        }
-                        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-                        /*  KerberosWrapper.EncryptedPreMasterSecret    */
-                        s2n(outl, p);
-                        memcpy(p, epms, outl);
-                        p += outl;
-                        n += outl + 2;
-                        s->session->master_key_length =
-                            s->method->ssl3_enc->generate_master_secret(s,
-                                s->session->master_key,
-                                tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(epms, outl);
-                }
-#endif
 #ifndef OPENSSL_NO_DH
                else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
                        DH *dh_srvr, *dh_clnt;
author	tedu <>	2014-05-05 15:03:22 +0000
committer	tedu <>	2014-05-05 15:03:22 +0000
commit	5b4326f23352be2e7084f2020795d8aa042c746f (patch)
tree	c342d9903092a19dfda173837629fd04c429eda9 /src/lib/libssl/d1_clnt.c
parent	77dd1ca11ad22b323b27beea447edd1e35c3b24e (diff)
download	openbsd-5b4326f23352be2e7084f2020795d8aa042c746f.tar.gz openbsd-5b4326f23352be2e7084f2020795d8aa042c746f.tar.bz2 openbsd-5b4326f23352be2e7084f2020795d8aa042c746f.zip

diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c index 38118b1385..8967879f70 100644 --- a/src/lib/libssl/d1_clnt.c +++ b/src/lib/libssl/d1_clnt.c
@@ -115,9 +115,6 @@
115		115
116	#include <stdio.h>	116	#include <stdio.h>
117	#include "ssl_locl.h"	117	#include "ssl_locl.h"
118	#ifndef OPENSSL_NO_KRB5
119	#include "kssl_lcl.h"
120	#endif
121	#include <openssl/buffer.h>	118	#include <openssl/buffer.h>
122	#include <openssl/rand.h>	119	#include <openssl/rand.h>
123	#include <openssl/objects.h>	120	#include <openssl/objects.h>
@@ -926,9 +923,6 @@ dtls1_send_client_key_exchange(SSL *s)
926	unsigned long alg_k;	923	unsigned long alg_k;
927	unsigned char *q;	924	unsigned char *q;
928	EVP_PKEY *pkey = NULL;	925	EVP_PKEY *pkey = NULL;
929	#ifndef OPENSSL_NO_KRB5
930	KSSL_ERR kssl_err;
931	#endif /* OPENSSL_NO_KRB5 */
932	#ifndef OPENSSL_NO_ECDH	926	#ifndef OPENSSL_NO_ECDH
933	EC_KEY *clnt_ecdh = NULL;	927	EC_KEY *clnt_ecdh = NULL;
934	const EC_POINT *srvr_ecpoint = NULL;	928	const EC_POINT *srvr_ecpoint = NULL;
@@ -992,134 +986,6 @@ dtls1_send_client_key_exchange(SSL *s)
992	tmp_buf, sizeof tmp_buf);	986	tmp_buf, sizeof tmp_buf);
993	OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);	987	OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
994	}	988	}
995	#ifndef OPENSSL_NO_KRB5
996	else if (alg_k & SSL_kKRB5) {
997	krb5_error_code krb5rc;
998	KSSL_CTX *kssl_ctx = s->kssl_ctx;
999	/* krb5_data krb5_ap_req; */
1000	krb5_data *enc_ticket;
1001	krb5_data authenticator, *authp = NULL;
1002	EVP_CIPHER_CTX ciph_ctx;
1003	const EVP_CIPHER *enc = NULL;
1004	unsigned char iv[EVP_MAX_IV_LENGTH];
1005	unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
1006	unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
1007	+ EVP_MAX_IV_LENGTH];
1008	int padl, outl = sizeof(epms);
1009
1010	EVP_CIPHER_CTX_init(&ciph_ctx);
1011
1012	#ifdef KSSL_DEBUG
1013	printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
1014	alg_k, SSL_kKRB5);
1015	#endif /* KSSL_DEBUG */
1016
1017	authp = NULL;
1018	#ifdef KRB5SENDAUTH
1019	if (KRB5SENDAUTH)
1020	authp = &authenticator;
1021	#endif /* KRB5SENDAUTH */
1022
1023	krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
1024	&kssl_err);
1025	enc = kssl_map_enc(kssl_ctx->enctype);
1026	if (enc == NULL)
1027	goto err;
1028	#ifdef KSSL_DEBUG
1029	{
1030	printf("kssl_cget_tkt rtn %d\n", krb5rc);
1031	if (krb5rc && kssl_err.text)
1032	printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
1033	}
1034	#endif /* KSSL_DEBUG */
1035
1036	if (krb5rc) {
1037	ssl3_send_alert(s, SSL3_AL_FATAL,
1038	SSL_AD_HANDSHAKE_FAILURE);
1039	SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
1040	kssl_err.reason);
1041	goto err;
1042	}
1043
1044	/* 20010406 VRS - Earlier versions used KRB5 AP_REQ
1045	** in place of RFC 2712 KerberosWrapper, as in:
1046	**
1047	** Send ticket (copy to *p, set n = length)
1048	** n = krb5_ap_req.length;
1049	** memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
1050	** if (krb5_ap_req.data)
1051	** kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
1052	**
1053	** Now using real RFC 2712 KerberosWrapper
1054	** (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
1055	** Note: 2712 "opaque" types are here replaced
1056	** with a 2-byte length followed by the value.
1057	** Example:
1058	** KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
1059	** Where "xx xx" = length bytes. Shown here with
1060	** optional authenticator omitted.
1061	*/
1062
1063	/* KerberosWrapper.Ticket */
1064	s2n(enc_ticket->length, p);
1065	memcpy(p, enc_ticket->data, enc_ticket->length);
1066	p += enc_ticket->length;
1067	n = enc_ticket->length + 2;
1068
1069	/* KerberosWrapper.Authenticator */
1070	if (authp && authp->length) {
1071	s2n(authp->length, p);
1072	memcpy(p, authp->data, authp->length);
1073	p += authp->length;
1074	n += authp->length + 2;
1075
1076	free(authp->data);
1077	authp->data = NULL;
1078	authp->length = 0;
1079	} else {
1080	s2n(0, p);/* null authenticator length */
1081	n += 2;
1082	}
1083
1084	if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0)
1085	goto err;
1086
1087	/* 20010420 VRS. Tried it this way; failed.
1088	** EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
1089	** EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
1090	** kssl_ctx->length);
1091	** EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
1092	*/
1093
1094	memset(iv, 0, sizeof iv);
1095	/* per RFC 1510 */
1096	EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
1097	kssl_ctx->key, iv);
1098	EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
1099	sizeof tmp_buf);
1100	EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
1101	outl += padl;
1102	if (outl > (int)sizeof epms) {
1103	SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
1104	goto err;
1105	}
1106	EVP_CIPHER_CTX_cleanup(&ciph_ctx);
1107
1108	/* KerberosWrapper.EncryptedPreMasterSecret */
1109	s2n(outl, p);
1110	memcpy(p, epms, outl);
1111	p += outl;
1112	n += outl + 2;
1113
1114	s->session->master_key_length =
1115	s->method->ssl3_enc->generate_master_secret(s,
1116	s->session->master_key,
1117	tmp_buf, sizeof tmp_buf);
1118
1119	OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
1120	OPENSSL_cleanse(epms, outl);
1121	}
1122	#endif
1123	#ifndef OPENSSL_NO_DH	989	#ifndef OPENSSL_NO_DH
1124	else if (alg_k & (SSL_kEDH\|SSL_kDHr\|SSL_kDHd)) {	990	else if (alg_k & (SSL_kEDH\|SSL_kDHr\|SSL_kDHd)) {
1125	DH dh_srvr, dh_clnt;	991	DH dh_srvr, dh_clnt;