From 5561419a6033f8ccad9399d5386d6941c0aa44ae Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Tue, 12 May 2015 10:35:51 +0100 Subject: [PATCH] Remove Kerberos support from apps Remove Kerberos related options from the apps to prepare for the subsequent commits which will remove libcrypto and libssl support for Kerberos. Reviewed-by: Rich Salz --- apps/Makefile | 7 ++----- apps/s_client.c | 22 +------------------- apps/s_server.c | 54 ++----------------------------------------------- 3 files changed, 5 insertions(+), 78 deletions(-) diff --git a/apps/Makefile b/apps/Makefile index 62536872c4..14a9fdba49 100644 --- a/apps/Makefile +++ b/apps/Makefile @@ -5,14 +5,11 @@ DIR= apps TOP= .. CC= cc -INCLUDES= -I$(TOP) -I../include $(KRB5_INCLUDES) +INCLUDES= -I$(TOP) -I../include CFLAG= -g -static -Wswitch MAKEFILE= Makefile PERL= perl RM= rm -f -# KRB5 stuff -KRB5_INCLUDES= -LIBKRB5= PEX_LIBS= EX_LIBS= @@ -149,7 +146,7 @@ $(EXE): progs.h $(EXE_OBJ) $(DLIBCRYPTO) $(DLIBSSL) shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ fi; \ - LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \ + LIBRARIES="$(LIBSSL) $(LIBCRYPTO)" ; \ $(MAKE) -f $(TOP)/Makefile.shared -e \ APPNAME=$(EXE) OBJECTS="$(EXE_OBJ)" \ LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \ diff --git a/apps/s_client.c b/apps/s_client.c index b257727edb..8d78dc7df2 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -474,7 +474,7 @@ typedef enum OPTION_choice { OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS, OPT_CERT_CHAIN, OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, - OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_KRB5SVC, + OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_JPAKE, OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST, @@ -551,9 +551,6 @@ OPTIONS s_client_options[] = { {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"}, # endif #endif -#ifndef OPENSSL_NO_KRB5 - {"krb5svc", OPT_KRB5SVC, 's', "Kerberos service name"}, -#endif #ifndef OPENSSL_NO_SRP {"srpuser", OPT_SRPUSER, 's', "SRP authentification for 'user'"}, {"srppass", OPT_SRPPASS, 's', "Password for 'user'"}, @@ -666,10 +663,6 @@ int s_client_main(int argc, char **argv) long socket_mtu = 0, randamt = 0; unsigned short port = PORT; OPTION_CHOICE o; -#ifndef OPENSSL_NO_KRB5 - KSSL_CTX *kctx; - const char *krb5svc = NULL; -#endif #ifndef OPENSSL_NO_ENGINE ENGINE *ssl_client_engine = NULL; #endif @@ -829,11 +822,6 @@ int s_client_main(int argc, char **argv) case OPT_NOCMDS: cmdletters = 0; break; - case OPT_KRB5SVC: -#ifndef OPENSSL_NO_KRB5 - krb5svc = opt_arg(); -#endif - break; case OPT_ENGINE: e = setup_engine(opt_arg(), 1); break; @@ -1333,14 +1321,6 @@ int s_client_main(int argc, char **argv) } } #endif -#ifndef OPENSSL_NO_KRB5 - if (con && (kctx = kssl_ctx_new()) != NULL) { - SSL_set0_kssl_ctx(con, kctx); - kssl_ctx_setstring(kctx, KSSL_SERVER, host); - if (krb5svc) - kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc); - } -#endif /* OPENSSL_NO_KRB5 */ re_start: #ifdef NO_SYS_UN_H diff --git a/apps/s_server.c b/apps/s_server.c index ba281e0950..c54caa6fe2 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -228,8 +228,7 @@ static int s_server_verify = SSL_VERIFY_NONE; static int s_server_session_id_context = 1; /* anything will do */ static const char *s_cert_file = TEST_CERT, *s_key_file = NULL, *s_chain_file = NULL; -static const char *krb5svc = NULL; -static const char *krb5tab = NULL; + #ifndef OPENSSL_NO_TLSEXT static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL; #endif @@ -833,8 +832,7 @@ typedef enum OPTION_choice { OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_S_ENUM, OPT_V_ENUM, - OPT_X_ENUM, - OPT_KRB5SVC, OPT_KRBTAB + OPT_X_ENUM } OPTION_CHOICE; OPTIONS s_server_options[] = { @@ -892,8 +890,6 @@ OPTIONS s_server_options[] = { {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"}, # endif #endif - {"krb5svc", OPT_KRB5SVC, 's', "Kerberos service name"}, - {"keytab", OPT_KRBTAB, '<', "Kerberos keytab file"}, #ifndef OPENSSL_NO_SRP {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"}, {"srpuserseed", OPT_SRPUSERSEED, 's', @@ -1410,12 +1406,6 @@ int s_server_main(int argc, char *argv[]) case OPT_JPAKE: goto opthelp; #endif - case OPT_KRB5SVC: - krb5svc = opt_arg(); - break; - case OPT_KRBTAB: - krb5tab = opt_arg(); - break; case OPT_SRTP_PROFILES: srtp_profiles = opt_arg(); break; @@ -1988,9 +1978,6 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) unsigned long l; SSL *con = NULL; BIO *sbio; -#ifndef OPENSSL_NO_KRB5 - KSSL_CTX *kctx; -#endif struct timeval timeout; #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; @@ -2022,15 +2009,6 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); } #endif -#ifndef OPENSSL_NO_KRB5 - if ((kctx = kssl_ctx_new()) != NULL) { - SSL_set0_kssl_ctx(con, kctx); - kssl_ctx_setstring(kctx, KSSL_SERVICE, - krb5svc ? krb5svc : KRB5SVC); - if (krb5tab) - kssl_ctx_setstring(kctx, KSSL_KEYTAB, krb5tab); - } -#endif /* OPENSSL_NO_KRB5 */ if (context && !SSL_set_session_id_context(con, context, strlen((char *)context))) { @@ -2400,9 +2378,6 @@ static int init_ssl_connection(SSL *con) X509 *peer; long verify_error; char buf[BUFSIZ]; -#ifndef OPENSSL_NO_KRB5 - char *client_princ; -#endif #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) const unsigned char *next_proto_neg; unsigned next_proto_neg_len; @@ -2503,13 +2478,6 @@ static int init_ssl_connection(SSL *con) if (SSL_ctrl(con, SSL_CTRL_GET_FLAGS, 0, NULL) & TLS1_FLAGS_TLS_PADDING_BUG) BIO_printf(bio_s_out, "Peer has incorrect TLSv1 block padding\n"); -#ifndef OPENSSL_NO_KRB5 - client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con)); - if (client_princ != NULL) { - BIO_printf(bio_s_out, "Kerberos peer principal is %s\n", - client_princ); - } -#endif /* OPENSSL_NO_KRB5 */ BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); if (keymatexportlabel != NULL) { @@ -2558,9 +2526,6 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) SSL *con; const SSL_CIPHER *c; BIO *io, *ssl_bio, *sbio; -#ifndef OPENSSL_NO_KRB5 - KSSL_CTX *kctx; -#endif #ifdef RENEG int total_bytes = 0; #endif @@ -2594,12 +2559,6 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) SSL_set_tlsext_debug_arg(con, bio_s_out); } #endif -#ifndef OPENSSL_NO_KRB5 - if ((kctx = kssl_ctx_new()) != NULL) { - kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); - kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); - } -#endif /* OPENSSL_NO_KRB5 */ if (context && !SSL_set_session_id_context(con, context, strlen((char *)context))) goto err; @@ -2927,9 +2886,6 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) int ret = 1; SSL *con; BIO *io, *ssl_bio, *sbio; -#ifndef OPENSSL_NO_KRB5 - KSSL_CTX *kctx; -#endif buf = app_malloc(bufsize, "server rev buffer"); io = BIO_new(BIO_f_buffer()); @@ -2949,12 +2905,6 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) SSL_set_tlsext_debug_arg(con, bio_s_out); } #endif -#ifndef OPENSSL_NO_KRB5 - if ((kctx = kssl_ctx_new()) != NULL) { - kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); - kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); - } -#endif /* OPENSSL_NO_KRB5 */ if (context && !SSL_set_session_id_context(con, context, strlen((char *)context))) { ERR_print_errors(bio_err); -- 2.25.1