From 5b4326f23352be2e7084f2020795d8aa042c746f Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Mon, 5 May 2014 15:03:22 +0000
Subject: Remove SRP and Kerberos support from libssl. These are complex
 protocols all on their own and we can't effectively maintain them without
 using them, which we don't. If the need arises, the code can be resurrected.

---
 src/lib/libssl/ssl_lib.c | 27 ---------------------------
 1 file changed, 27 deletions(-)

(limited to 'src/lib/libssl/ssl_lib.c')

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 195271a554..d046480feb 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -284,9 +284,6 @@ SSL_new(SSL_CTX *ctx)
 	if (s == NULL)
 		goto err;
 
-#ifndef	OPENSSL_NO_KRB5
-	s->kssl_ctx = kssl_ctx_new();
-#endif	/* OPENSSL_NO_KRB5 */
 
 	s->options = ctx->options;
 	s->mode = ctx->mode;
@@ -580,10 +577,6 @@ SSL_free(SSL *s)
 	if (s->ctx)
 		SSL_CTX_free(s->ctx);
 
-#ifndef	OPENSSL_NO_KRB5
-	if (s->kssl_ctx != NULL)
-		kssl_ctx_free(s->kssl_ctx);
-#endif	/* OPENSSL_NO_KRB5 */
 
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
 	if (s->next_proto_negotiated)
@@ -1415,9 +1408,6 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p,
 	int		 i, j = 0;
 	SSL_CIPHER	*c;
 	unsigned char	*q;
-#ifndef OPENSSL_NO_KRB5
-	int		 nokrb5 = !kssl_tgt_is_available(s->kssl_ctx);
-#endif /* OPENSSL_NO_KRB5 */
 
 	if (sk == NULL)
 		return (0);
@@ -1429,11 +1419,6 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p,
 		if ((c->algorithm_ssl & SSL_TLSV1_2) &&
 		    (TLS1_get_client_version(s) < TLS1_2_VERSION))
 			continue;
-#ifndef OPENSSL_NO_KRB5
-		if (((c->algorithm_mkey & SSL_kKRB5) ||
-		    (c->algorithm_auth & SSL_aKRB5)) && nokrb5)
-			continue;
-#endif /* OPENSSL_NO_KRB5 */
 #ifndef OPENSSL_NO_PSK
 		/* with PSK there must be client callback set */
 		if (((c->algorithm_mkey & SSL_kPSK) ||
@@ -1877,9 +1862,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
 	ret->psk_client_callback = NULL;
 	ret->psk_server_callback = NULL;
 #endif
-#ifndef OPENSSL_NO_SRP
-	SSL_CTX_SRP_CTX_init(ret);
-#endif
 #ifndef OPENSSL_NO_ENGINE
 	ret->client_cert_engine = NULL;
 #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
@@ -1983,9 +1965,6 @@ SSL_CTX_free(SSL_CTX *a)
 	if (a->psk_identity_hint)
 		free(a->psk_identity_hint);
 #endif
-#ifndef OPENSSL_NO_SRP
-	SSL_CTX_SRP_CTX_free(a);
-#endif
 #ifndef OPENSSL_NO_ENGINE
 	if (a->client_cert_engine)
 		ENGINE_finish(a->client_cert_engine);
@@ -2147,12 +2126,6 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
 	mask_a|=SSL_aNULL;
 	emask_a|=SSL_aNULL;
 
-#ifndef OPENSSL_NO_KRB5
-	mask_k|=SSL_kKRB5;
-	mask_a|=SSL_aKRB5;
-	emask_k|=SSL_kKRB5;
-	emask_a|=SSL_aKRB5;
-#endif
 
 	/*
 	 * An ECC certificate may be usable for ECDH and/or
-- 
cgit v1.2.3-55-g6feb