From 5b4326f23352be2e7084f2020795d8aa042c746f Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Mon, 5 May 2014 15:03:22 +0000
Subject: Remove SRP and Kerberos support from libssl. These are complex
 protocols all on their own and we can't effectively maintain them without
 using them, which we don't. If the need arises, the code can be resurrected.

---
 src/lib/libssl/d1_clnt.c | 134 -----------------------------------------------
 1 file changed, 134 deletions(-)

(limited to 'src/lib/libssl/d1_clnt.c')

diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index 38118b1385..8967879f70 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -115,9 +115,6 @@
 
 #include <stdio.h>
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_KRB5
-#include "kssl_lcl.h"
-#endif
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
@@ -926,9 +923,6 @@ dtls1_send_client_key_exchange(SSL *s)
 	unsigned long alg_k;
 	unsigned char *q;
 	EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_KRB5
-	KSSL_ERR kssl_err;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_ECDH
 	EC_KEY *clnt_ecdh = NULL;
 	const EC_POINT *srvr_ecpoint = NULL;
@@ -992,134 +986,6 @@ dtls1_send_client_key_exchange(SSL *s)
 			tmp_buf, sizeof tmp_buf);
 			OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
 		}
-#ifndef OPENSSL_NO_KRB5
-		else if (alg_k & SSL_kKRB5) {
-			krb5_error_code	krb5rc;
-			KSSL_CTX	*kssl_ctx = s->kssl_ctx;
-			/*  krb5_data	krb5_ap_req;  */
-			krb5_data	*enc_ticket;
-			krb5_data	authenticator, *authp = NULL;
-			EVP_CIPHER_CTX	ciph_ctx;
-			const EVP_CIPHER *enc = NULL;
-			unsigned char	iv[EVP_MAX_IV_LENGTH];
-			unsigned char	tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-			unsigned char	epms[SSL_MAX_MASTER_KEY_LENGTH
-			+ EVP_MAX_IV_LENGTH];
-			int 		padl, outl = sizeof(epms);
-
-			EVP_CIPHER_CTX_init(&ciph_ctx);
-
-#ifdef KSSL_DEBUG
-			printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
-			alg_k, SSL_kKRB5);
-#endif	/* KSSL_DEBUG */
-
-			authp = NULL;
-#ifdef KRB5SENDAUTH
-			if (KRB5SENDAUTH)
-				authp = &authenticator;
-#endif	/* KRB5SENDAUTH */
-
-			krb5rc = kssl_cget_tkt(kssl_ctx, &enc_ticket, authp,
-			&kssl_err);
-			enc = kssl_map_enc(kssl_ctx->enctype);
-			if (enc == NULL)
-				goto err;
-#ifdef KSSL_DEBUG
-			{
-				printf("kssl_cget_tkt rtn %d\n", krb5rc);
-				if (krb5rc && kssl_err.text)
-					printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
-			}
-#endif	/* KSSL_DEBUG */
-
-			if (krb5rc) {
-				ssl3_send_alert(s, SSL3_AL_FATAL,
-				SSL_AD_HANDSHAKE_FAILURE);
-				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,
-				kssl_err.reason);
-				goto err;
-			}
-
-			/*  20010406 VRS - Earlier versions used KRB5 AP_REQ
-			**  in place of RFC 2712 KerberosWrapper, as in:
-			**
-                        **  Send ticket (copy to *p, set n = length)
-                        **  n = krb5_ap_req.length;
-                        **  memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
-                        **  if (krb5_ap_req.data)  
-                        **    kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
-                        **
-			**  Now using real RFC 2712 KerberosWrapper
-			**  (Thanks to Simon Wilkinson <sxw@sxw.org.uk>)
-			**  Note: 2712 "opaque" types are here replaced
-			**  with a 2-byte length followed by the value.
-			**  Example:
-			**  KerberosWrapper= xx xx asn1ticket 0 0 xx xx encpms
-			**  Where "xx xx" = length bytes.  Shown here with
-			**  optional authenticator omitted.
-			*/
-
-			/*  KerberosWrapper.Ticket		*/
-			s2n(enc_ticket->length, p);
-			memcpy(p, enc_ticket->data, enc_ticket->length);
-			p += enc_ticket->length;
-			n = enc_ticket->length + 2;
-
-			/*  KerberosWrapper.Authenticator	*/
-			if (authp && authp->length) {
-				s2n(authp->length, p);
-				memcpy(p, authp->data, authp->length);
-				p += authp->length;
-				n += authp->length + 2;
-
-				free(authp->data);
-				authp->data = NULL;
-				authp->length = 0;
-			} else {
-				s2n(0, p);/*  null authenticator length	*/
-				n += 2;
-			}
-
-			if (RAND_bytes(tmp_buf, sizeof tmp_buf) <= 0)
-				goto err;
-
-			/*  20010420 VRS.  Tried it this way; failed.
-			**	EVP_EncryptInit_ex(&ciph_ctx,enc, NULL,NULL);
-			**	EVP_CIPHER_CTX_set_key_length(&ciph_ctx,
-			**				kssl_ctx->length);
-			**	EVP_EncryptInit_ex(&ciph_ctx,NULL, key,iv);
-			*/
-
-			memset(iv, 0, sizeof iv);
-			/* per RFC 1510 */
-			EVP_EncryptInit_ex(&ciph_ctx, enc, NULL,
-			    kssl_ctx->key, iv);
-			EVP_EncryptUpdate(&ciph_ctx, epms, &outl, tmp_buf,
-			    sizeof tmp_buf);
-			EVP_EncryptFinal_ex(&ciph_ctx, &(epms[outl]), &padl);
-			outl += padl;
-			if (outl > (int)sizeof epms) {
-				SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
-				goto err;
-			}
-			EVP_CIPHER_CTX_cleanup(&ciph_ctx);
-
-			/*  KerberosWrapper.EncryptedPreMasterSecret	*/
-			s2n(outl, p);
-			memcpy(p, epms, outl);
-			p += outl;
-			n += outl + 2;
-
-			s->session->master_key_length =
-			    s->method->ssl3_enc->generate_master_secret(s,
-			        s->session->master_key,
-			        tmp_buf, sizeof tmp_buf);
-
-			OPENSSL_cleanse(tmp_buf, sizeof tmp_buf);
-			OPENSSL_cleanse(epms, outl);
-		}
-#endif
 #ifndef OPENSSL_NO_DH
 		else if (alg_k & (SSL_kEDH|SSL_kDHr|SSL_kDHd)) {
 			DH *dh_srvr, *dh_clnt;
-- 
cgit v1.2.3-55-g6feb