1 files changed, 0 insertions, 258 deletions
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index eb55fc9682..68817cd33a 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -369,17 +369,6 @@ ssl3_connect(SSL *s)
                        ret = ssl3_get_server_done(s);
                        if (ret <= 0)
                                goto end;
-#ifndef OPENSSL_NO_SRP
-                        if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
-                                if ((ret = SRP_Calc_A_param(s)) <= 0) {
-                                        SSLerr(SSL_F_SSL3_CONNECT,
-                                            SSL_R_SRP_A_CALC);
-                                        ssl3_send_alert(s, SSL3_AL_FATAL,
-                                            SSL_AD_INTERNAL_ERROR);
-                                        goto end;
-                                }
-                        }
-#endif
                        if (s->s3->tmp.cert_req)
                                s->state = SSL3_ST_CW_CERT_A;
                        else
@@ -1137,10 +1126,6 @@ ssl3_get_server_certificate(SSL *s)
        i = ssl_verify_cert_chain(s, sk);
        if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
-#ifndef OPENSSL_NO_KRB5
-            && !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
-            (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
-#endif /* OPENSSL_NO_KRB5 */
            ) {
                al = ssl_verify_alarm_type(s->verify_result);
                SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1361,81 +1346,6 @@ ssl3_get_key_exchange(SSL *s)
                n -= param_len;
        } else
 #endif /* !OPENSSL_NO_PSK */
-#ifndef OPENSSL_NO_SRP
-        if (alg_k & SSL_kSRP) {
-                n2s(p, i);
-                param_len = i + 2;
-                if (param_len > n) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_BAD_SRP_N_LENGTH);
-                        goto f_err;
-                }
-                if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_BN_LIB);
-                        goto err;
-                }
-                p += i;
-                n2s(p, i);
-                param_len += i + 2;
-                if (param_len > n) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_BAD_SRP_G_LENGTH);
-                        goto f_err;
-                }
-                if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_BN_LIB);
-                        goto err;
-                }
-                p += i;
-                i = (unsigned int)(p[0]);
-                p++;
-                param_len += i + 1;
-                if (param_len > n) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_BAD_SRP_S_LENGTH);
-                        goto f_err;
-                }
-                if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_BN_LIB);
-                        goto err;
-                }
-                p += i;
-                n2s(p, i);
-                param_len += i + 2;
-                if (param_len > n) {
-                        al = SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            SSL_R_BAD_SRP_B_LENGTH);
-                        goto f_err;
-                }
-                if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
-                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
-                            ERR_R_BN_LIB);
-                        goto err;
-                }
-                p += i;
-                n -= param_len;
-                /* We must check if there is a certificate */
-                if (alg_a & SSL_aRSA)
-                        pkey = X509_get_pubkey(
-                            s->session->sess_cert->peer_pkeys[
-                            SSL_PKEY_RSA_ENC].x509);
-                else if (alg_a & SSL_aDSS)
-                        pkey = X509_get_pubkey(
-                            s->session->sess_cert->peer_pkeys[
-                            SSL_PKEY_DSA_SIGN].x509);
-        } else
-#endif /* !OPENSSL_NO_SRP */
        if (alg_k & SSL_kRSA) {
                if ((rsa = RSA_new()) == NULL) {
                        SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
@@ -2156,9 +2066,6 @@ ssl3_send_client_key_exchange(SSL *s)
        unsigned long    alg_k;
        unsigned char   *q;
        EVP_PKEY        *pkey = NULL;
-#ifndef OPENSSL_NO_KRB5
-        KSSL_ERR         kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_ECDH
        EC_KEY          *clnt_ecdh = NULL;
        const EC_POINT  *srvr_ecpoint = NULL;
@@ -2226,140 +2133,6 @@ ssl3_send_client_key_exchange(SSL *s)
                            s, s->session->master_key, tmp_buf, sizeof tmp_buf);
                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
                }
-#ifndef OPENSSL_NO_KRB5
-                else if (alg_k & SSL_kKRB5) {
-                        krb5_error_code krb5rc;
-                        KSSL_CTX        *kssl_ctx = s->kssl_ctx;
-                        /*  krb5_data   krb5_ap_req;  */
-                        krb5_data       *enc_ticket;
-                        krb5_data       authenticator, *authp = NULL;
-                        EVP_CIPHER_CTX  ciph_ctx;
-                        const EVP_CIPHER *enc = NULL;
-                        unsigned char   iv[EVP_MAX_IV_LENGTH];
-                        unsigned char   tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-                        unsigned char   epms[SSL_MAX_MASTER_KEY_LENGTH
-                                            + EVP_MAX_IV_LENGTH];
-                        int             padl, outl = sizeof(epms);
-                        EVP_CIPHER_CTX_init(&ciph_ctx);
-#ifdef KSSL_DEBUG
-                        printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-                            alg_k, SSL_kKRB5);
-#endif  /* KSSL_DEBUG */
-                        authp = NULL;
-#ifdef KRB5SENDAUTH
-                        if (KRB5SENDAUTH)
-                                authp = &authenticator;
-#endif  /* KRB5SENDAUTH */
-                        krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket,
-                            authp, &kssl_err);
-                        enc = kssl_map_enc(kssl_ctx->enctype);
-                        if (enc == NULL)
-                                goto err;
-#ifdef KSSL_DEBUG
-                        {
-                                printf("kssl_cget_tkt rtn %d\n", krb5rc);
-                                if (krb5rc && kssl_err.text)
-                                        printf("kssl_cget_tkt kssl_err=%s\n",
-                                            kssl_err.text);
-                        }
-#endif  /* KSSL_DEBUG */
-                        if (krb5rc) {
-                                ssl3_send_alert(s, SSL3_AL_FATAL,
-                                    SSL_AD_HANDSHAKE_FAILURE);
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                    kssl_err.reason);
-                                goto err;
-                        }
-                        /*
-                         * 20010406 VRS - Earlier versions used KRB5 AP_REQ
-                         * in place of RFC 2712 KerberosWrapper, as in:
-                         *
-                         * Send ticket (copy to *p, set n = length)
-                         * n = krb5_ap_req.length;
-                         * memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-                         * if (krb5_ap_req.data)
-                         *   kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-                         *
-                         * Now using real RFC 2712 KerberosWrapper
-                         * (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
-                         * Note: 2712 "opaque" types are here replaced
-                         * with a 2-byte length followed by the value.
-                         * Example:
-                         * KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-                         * Where "xx xx" = length bytes.  Shown here with
-                         * optional authenticator omitted.
-                         */
-                        /*  KerberosWrapper.Ticket */
-                        s2n(enc_ticket->length, p);
-                        memcpy(p, enc_ticket->data, enc_ticket->length);
-                        p += enc_ticket->length;
-                        n = enc_ticket->length + 2;
-                        /*  KerberosWrapper.Authenticator */
-                        if (authp && authp->length) {
-                                s2n(authp->length, p);
-                                memcpy(p, authp->data, authp->length);
-                                p += authp->length;
-                                n += authp->length + 2;
-                                free(authp->data);
-                                authp->data = NULL;
-                                authp->length = 0;
-                        } else {
-                                s2n(0,p);/*  null authenticator length  */
-                                n += 2;
-                        }
-                        tmp_buf[0] = s->client_version >> 8;
-                        tmp_buf[1] = s->client_version & 0xff;
-                        if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
-                                goto err;
-                        /*
-                         * 20010420 VRS.  Tried it this way; failed.
-                         * EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-                         * EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-                         *     kssl_ctx->length);
-                         * EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-                         */
-                        memset(iv, 0, sizeof iv);
-                        /* per RFC 1510 */
-                        EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
-                            kssl_ctx->key, iv);
-                        EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
-                            sizeof tmp_buf);
-                        EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
-                        outl += padl;
-                        if (outl > (int)sizeof epms) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                    ERR_R_INTERNAL_ERROR);
-                                goto err;
-                        }
-                        EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-                        /* KerberosWrapper.EncryptedPreMasterSecret */
-                        s2n(outl, p);
-                        memcpy(p, epms, outl);
-                        p += outl;
-                        n += outl + 2;
-                        s->session->master_key_length =
-                        s->method->ssl3_enc->generate_master_secret(s,
-                        s->session->master_key,
-                        tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
-                        OPENSSL_cleanse(epms, outl);
-                }
-#endif
 #ifndef OPENSSL_NO_DH
                else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
                        DH *dh_srvr, *dh_clnt;
@@ -2716,37 +2489,6 @@ ssl3_send_client_key_exchange(SSL *s)
                            EVP_PKEY_free(pub_key);
                }
-#ifndef OPENSSL_NO_SRP
-                else if (alg_k & SSL_kSRP) {
-                        if (s->srp_ctx.A != NULL) {
-                                /* send off the data */
-                                n = BN_num_bytes(s->srp_ctx.A);
-                                s2n(n, p);
-                                BN_bn2bin(s->srp_ctx.A, p);
-                                n += 2;
-                        } else {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                    ERR_R_INTERNAL_ERROR);
-                                goto err;
-                        }
-                        if (s->session->srp_username != NULL)
-                                free(s->session->srp_username);
-                        s->session->srp_username = BUF_strdup(s->srp_ctx.login);
-                        if (s->session->srp_username == NULL) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                    ERR_R_MALLOC_FAILURE);
-                                goto err;
-                        }
-                        if ((s->session->master_key_length =
-                            SRP_generate_client_master_secret(s,
-                            s->session->master_key)) < 0) {
-                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
-                                    ERR_R_INTERNAL_ERROR);
-                                goto err;
-                        }
-                }
-#endif
 #ifndef OPENSSL_NO_PSK
                else if (alg_k & SSL_kPSK) {
                        char identity[PSK_MAX_IDENTITY_LEN];

diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c index eb55fc9682..68817cd33a 100644 --- a/src/lib/libssl/s3_clnt.c +++ b/src/lib/libssl/s3_clnt.c
@@ -369,17 +369,6 @@ ssl3_connect(SSL *s)
369	ret = ssl3_get_server_done(s);	369	ret = ssl3_get_server_done(s);
370	if (ret <= 0)	370	if (ret <= 0)
371	goto end;	371	goto end;
372	#ifndef OPENSSL_NO_SRP
373	if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kSRP) {
374	if ((ret = SRP_Calc_A_param(s)) <= 0) {
375	SSLerr(SSL_F_SSL3_CONNECT,
376	SSL_R_SRP_A_CALC);
377	ssl3_send_alert(s, SSL3_AL_FATAL,
378	SSL_AD_INTERNAL_ERROR);
379	goto end;
380	}
381	}
382	#endif
383	if (s->s3->tmp.cert_req)	372	if (s->s3->tmp.cert_req)
384	s->state = SSL3_ST_CW_CERT_A;	373	s->state = SSL3_ST_CW_CERT_A;
385	else	374	else
@@ -1137,10 +1126,6 @@ ssl3_get_server_certificate(SSL *s)
1137		1126
1138	i = ssl_verify_cert_chain(s, sk);	1127	i = ssl_verify_cert_chain(s, sk);
1139	if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)	1128	if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
1140	#ifndef OPENSSL_NO_KRB5
1141	&& !((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
1142	(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
1143	#endif /* OPENSSL_NO_KRB5 */
1144	) {	1129	) {
1145	al = ssl_verify_alarm_type(s->verify_result);	1130	al = ssl_verify_alarm_type(s->verify_result);
1146	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,	1131	SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
@@ -1361,81 +1346,6 @@ ssl3_get_key_exchange(SSL *s)
1361	n -= param_len;	1346	n -= param_len;
1362	} else	1347	} else
1363	#endif /* !OPENSSL_NO_PSK */	1348	#endif /* !OPENSSL_NO_PSK */
1364	#ifndef OPENSSL_NO_SRP
1365	if (alg_k & SSL_kSRP) {
1366	n2s(p, i);
1367	param_len = i + 2;
1368	if (param_len > n) {
1369	al = SSL_AD_DECODE_ERROR;
1370	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1371	SSL_R_BAD_SRP_N_LENGTH);
1372	goto f_err;
1373	}
1374	if (!(s->srp_ctx.N = BN_bin2bn(p, i, NULL))) {
1375	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1376	ERR_R_BN_LIB);
1377	goto err;
1378	}
1379	p += i;
1380
1381	n2s(p, i);
1382	param_len += i + 2;
1383	if (param_len > n) {
1384	al = SSL_AD_DECODE_ERROR;
1385	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1386	SSL_R_BAD_SRP_G_LENGTH);
1387	goto f_err;
1388	}
1389	if (!(s->srp_ctx.g = BN_bin2bn(p, i, NULL))) {
1390	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1391	ERR_R_BN_LIB);
1392	goto err;
1393	}
1394	p += i;
1395
1396	i = (unsigned int)(p[0]);
1397	p++;
1398	param_len += i + 1;
1399	if (param_len > n) {
1400	al = SSL_AD_DECODE_ERROR;
1401	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1402	SSL_R_BAD_SRP_S_LENGTH);
1403	goto f_err;
1404	}
1405	if (!(s->srp_ctx.s = BN_bin2bn(p, i, NULL))) {
1406	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1407	ERR_R_BN_LIB);
1408	goto err;
1409	}
1410	p += i;
1411
1412	n2s(p, i);
1413	param_len += i + 2;
1414	if (param_len > n) {
1415	al = SSL_AD_DECODE_ERROR;
1416	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1417	SSL_R_BAD_SRP_B_LENGTH);
1418	goto f_err;
1419	}
1420	if (!(s->srp_ctx.B = BN_bin2bn(p, i, NULL))) {
1421	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
1422	ERR_R_BN_LIB);
1423	goto err;
1424	}
1425	p += i;
1426	n -= param_len;
1427
1428	/* We must check if there is a certificate */
1429	if (alg_a & SSL_aRSA)
1430	pkey = X509_get_pubkey(
1431	s->session->sess_cert->peer_pkeys[
1432	SSL_PKEY_RSA_ENC].x509);
1433	else if (alg_a & SSL_aDSS)
1434	pkey = X509_get_pubkey(
1435	s->session->sess_cert->peer_pkeys[
1436	SSL_PKEY_DSA_SIGN].x509);
1437	} else
1438	#endif /* !OPENSSL_NO_SRP */
1439	if (alg_k & SSL_kRSA) {	1349	if (alg_k & SSL_kRSA) {
1440	if ((rsa = RSA_new()) == NULL) {	1350	if ((rsa = RSA_new()) == NULL) {
1441	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,	1351	SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
@@ -2156,9 +2066,6 @@ ssl3_send_client_key_exchange(SSL *s)
2156	unsigned long alg_k;	2066	unsigned long alg_k;
2157	unsigned char *q;	2067	unsigned char *q;
2158	EVP_PKEY *pkey = NULL;	2068	EVP_PKEY *pkey = NULL;
2159	#ifndef OPENSSL_NO_KRB5
2160	KSSL_ERR kssl_err;
2161	#endif /* OPENSSL_NO_KRB5 */
2162	#ifndef OPENSSL_NO_ECDH	2069	#ifndef OPENSSL_NO_ECDH
2163	EC_KEY *clnt_ecdh = NULL;	2070	EC_KEY *clnt_ecdh = NULL;
2164	const EC_POINT *srvr_ecpoint = NULL;	2071	const EC_POINT *srvr_ecpoint = NULL;
@@ -2226,140 +2133,6 @@ ssl3_send_client_key_exchange(SSL *s)
2226	s, s->session->master_key, tmp_buf, sizeof tmp_buf);	2133	s, s->session->master_key, tmp_buf, sizeof tmp_buf);
2227	OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);	2134	OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2228	}	2135	}
2229	#ifndef OPENSSL_NO_KRB5
2230	else if (alg_k & SSL_kKRB5) {
2231	krb5_error_code krb5rc;
2232	KSSL_CTX *kssl_ctx = s->kssl_ctx;
2233	/* krb5_data krb5_ap_req; */
2234	krb5_data *enc_ticket;
2235	krb5_data authenticator, *authp = NULL;
2236	EVP_CIPHER_CTX ciph_ctx;
2237	const EVP_CIPHER *enc = NULL;
2238	unsigned char iv[EVP_MAX_IV_LENGTH];
2239	unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
2240	unsigned char epms[SSL_MAX_MASTER_KEY_LENGTH
2241	+ EVP_MAX_IV_LENGTH];
2242	int padl, outl = sizeof(epms);
2243
2244	EVP_CIPHER_CTX_init(&ciph_ctx);
2245
2246	#ifdef KSSL_DEBUG
2247	printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
2248	alg_k, SSL_kKRB5);
2249	#endif /* KSSL_DEBUG */
2250
2251	authp = NULL;
2252	#ifdef KRB5SENDAUTH
2253	if (KRB5SENDAUTH)
2254	authp = &authenticator;
2255	#endif /* KRB5SENDAUTH */
2256
2257	krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket,
2258	authp, &kssl_err);
2259	enc = kssl_map_enc(kssl_ctx->enctype);
2260	if (enc == NULL)
2261	goto err;
2262	#ifdef KSSL_DEBUG
2263	{
2264	printf("kssl_cget_tkt rtn %d\n", krb5rc);
2265	if (krb5rc && kssl_err.text)
2266	printf("kssl_cget_tkt kssl_err=%s\n",
2267	kssl_err.text);
2268	}
2269	#endif /* KSSL_DEBUG */
2270
2271	if (krb5rc) {
2272	ssl3_send_alert(s, SSL3_AL_FATAL,
2273	SSL_AD_HANDSHAKE_FAILURE);
2274	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2275	kssl_err.reason);
2276	goto err;
2277	}
2278
2279	/*
2280	* 20010406 VRS - Earlier versions used KRB5 AP_REQ
2281	* in place of RFC 2712 KerberosWrapper, as in:
2282	*
2283	* Send ticket (copy to *p, set n = length)
2284	* n = krb5_ap_req.length;
2285	* memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
2286	* if (krb5_ap_req.data)
2287	* kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
2288	*
2289	* Now using real RFC 2712 KerberosWrapper
2290	* (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
2291	* Note: 2712 "opaque" types are here replaced
2292	* with a 2-byte length followed by the value.
2293	* Example:
2294	* KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
2295	* Where "xx xx" = length bytes. Shown here with
2296	* optional authenticator omitted.
2297	*/
2298
2299	/* KerberosWrapper.Ticket */
2300	s2n(enc_ticket->length, p);
2301	memcpy(p, enc_ticket->data, enc_ticket->length);
2302	p += enc_ticket->length;
2303	n = enc_ticket->length + 2;
2304
2305	/* KerberosWrapper.Authenticator */
2306	if (authp && authp->length) {
2307	s2n(authp->length, p);
2308	memcpy(p, authp->data, authp->length);
2309	p += authp->length;
2310	n += authp->length + 2;
2311
2312	free(authp->data);
2313	authp->data = NULL;
2314	authp->length = 0;
2315	} else {
2316	s2n(0,p);/* null authenticator length */
2317	n += 2;
2318	}
2319
2320	tmp_buf[0] = s->client_version >> 8;
2321	tmp_buf[1] = s->client_version & 0xff;
2322	if (RAND_bytes(&(tmp_buf[2]), sizeof tmp_buf - 2) <= 0)
2323	goto err;
2324
2325	/*
2326	* 20010420 VRS. Tried it this way; failed.
2327	* EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
2328	* EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
2329	* kssl_ctx->length);
2330	* EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
2331	*/
2332
2333	memset(iv, 0, sizeof iv);
2334	/* per RFC 1510 */
2335	EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
2336	kssl_ctx->key, iv);
2337	EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
2338	sizeof tmp_buf);
2339	EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
2340	outl += padl;
2341	if (outl > (int)sizeof epms) {
2342	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2343	ERR_R_INTERNAL_ERROR);
2344	goto err;
2345	}
2346	EVP_CIPHER_CTX_cleanup(&ciph_ctx);
2347
2348	/* KerberosWrapper.EncryptedPreMasterSecret */
2349	s2n(outl, p);
2350	memcpy(p, epms, outl);
2351	p += outl;
2352	n += outl + 2;
2353
2354	s->session->master_key_length =
2355	s->method->ssl3_enc->generate_master_secret(s,
2356	s->session->master_key,
2357	tmp_buf, sizeof tmp_buf);
2358
2359	OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
2360	OPENSSL_cleanse(epms, outl);
2361	}
2362	#endif
2363	#ifndef OPENSSL_NO_DH	2136	#ifndef OPENSSL_NO_DH
2364	else if (alg_k & (SSL_kEDH\|SSL_kDHr\|SSL_kDHd)) {	2137	else if (alg_k & (SSL_kEDH\|SSL_kDHr\|SSL_kDHd)) {
2365	DH dh_srvr, dh_clnt;	2138	DH dh_srvr, dh_clnt;
@@ -2716,37 +2489,6 @@ ssl3_send_client_key_exchange(SSL *s)
2716	EVP_PKEY_free(pub_key);	2489	EVP_PKEY_free(pub_key);
2717		2490
2718	}	2491	}
2719	#ifndef OPENSSL_NO_SRP
2720	else if (alg_k & SSL_kSRP) {
2721	if (s->srp_ctx.A != NULL) {
2722	/* send off the data */
2723	n = BN_num_bytes(s->srp_ctx.A);
2724	s2n(n, p);
2725	BN_bn2bin(s->srp_ctx.A, p);
2726	n += 2;
2727	} else {
2728	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2729	ERR_R_INTERNAL_ERROR);
2730	goto err;
2731	}
2732	if (s->session->srp_username != NULL)
2733	free(s->session->srp_username);
2734	s->session->srp_username = BUF_strdup(s->srp_ctx.login);
2735	if (s->session->srp_username == NULL) {
2736	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2737	ERR_R_MALLOC_FAILURE);
2738	goto err;
2739	}
2740
2741	if ((s->session->master_key_length =
2742	SRP_generate_client_master_secret(s,
2743	s->session->master_key)) < 0) {
2744	SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
2745	ERR_R_INTERNAL_ERROR);
2746	goto err;
2747	}
2748	}
2749	#endif
2750	#ifndef OPENSSL_NO_PSK	2492	#ifndef OPENSSL_NO_PSK
2751	else if (alg_k & SSL_kPSK) {	2493	else if (alg_k & SSL_kPSK) {
2752	char identity[PSK_MAX_IDENTITY_LEN];	2494	char identity[PSK_MAX_IDENTITY_LEN];