Remove remnants of KRB5 support.
This drops the bits of logic that allowed Certificate messages to be optional
for a KRB5 cipher suite.
Change-Id: I2a71b7c13d7e76f4f5542d4074169f80f3617240
Reviewed-on: https://boringssl-review.googlesource.com/1154
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 148b8c8..f0dbe37 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -433,11 +433,9 @@
/* ... except when the application insists on verification
* (against the specs, but s3_clnt.c accepts this for SSL 3) */
!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
- /* never request cert in Kerberos ciphersuites */
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
/* With normal PSK Certificates and
* Certificate Requests are omitted */
- || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
+ (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
{
/* no cert request */
skip=1;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index f7cc488..35c399f 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1112,7 +1112,6 @@
STACK_OF(X509) *sk=NULL;
SESS_CERT *sc;
EVP_PKEY *pkey=NULL;
- int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
CBS cbs, certificate_list;
const uint8_t* data;
@@ -1125,9 +1124,7 @@
if (!ok) return((int)n);
- if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
- ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
- (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
+ if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
{
s->s3->tmp.reuse_message=1;
return(1);
@@ -1217,19 +1214,7 @@
pkey=X509_get_pubkey(x);
- /* VRS: allow null cert if auth == KRB5 */
- need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
- ? 0 : 1;
-
-#ifdef KSSL_DEBUG
- printf("pkey,x = %p, %p\n", pkey,x);
- printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
- printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
- s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
-#endif /* KSSL_DEBUG */
-
- if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
+ if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
{
x=NULL;
al=SSL3_AL_FATAL;
@@ -1238,7 +1223,7 @@
}
i=ssl_cert_type(x,pkey);
- if (need_cert && i < 0)
+ if (i < 0)
{
x=NULL;
al=SSL3_AL_FATAL;
@@ -1246,39 +1231,28 @@
goto f_err;
}
- if (need_cert)
+ int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
+ if (exp_idx >= 0 && i != exp_idx)
{
- int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
- if (exp_idx >= 0 && i != exp_idx)
- {
- x=NULL;
- al=SSL_AD_ILLEGAL_PARAMETER;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_WRONG_CERTIFICATE_TYPE);
- goto f_err;
- }
- sc->peer_cert_type=i;
- CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
- /* Why would the following ever happen?
- * We just created sc a couple of lines ago. */
- if (sc->peer_pkeys[i].x509 != NULL)
- X509_free(sc->peer_pkeys[i].x509);
- sc->peer_pkeys[i].x509=x;
- sc->peer_key= &(sc->peer_pkeys[i]);
-
- if (s->session->peer != NULL)
- X509_free(s->session->peer);
- CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
- s->session->peer=x;
+ x=NULL;
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_WRONG_CERTIFICATE_TYPE);
+ goto f_err;
}
- else
- {
- sc->peer_cert_type=i;
- sc->peer_key= NULL;
+ sc->peer_cert_type=i;
+ CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+ /* Why would the following ever happen?
+ * We just created sc a couple of lines ago. */
+ if (sc->peer_pkeys[i].x509 != NULL)
+ X509_free(sc->peer_pkeys[i].x509);
+ sc->peer_pkeys[i].x509=x;
+ sc->peer_key= &(sc->peer_pkeys[i]);
- if (s->session->peer != NULL)
- X509_free(s->session->peer);
- s->session->peer=NULL;
- }
+ if (s->session->peer != NULL)
+ X509_free(s->session->peer);
+ CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+ s->session->peer=x;
+
s->session->verify_result = s->verify_result;
x=NULL;
@@ -2946,7 +2920,7 @@
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
/* we don't have a certificate */
- if ((alg_a & (SSL_aNULL|SSL_aKRB5)) || ((alg_a & SSL_aPSK) && !(alg_k & SSL_kRSA)))
+ if ((alg_a & SSL_aNULL) || ((alg_a & SSL_aPSK) && !(alg_k & SSL_kRSA)))
return(1);
sc=s->session->sess_cert;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index f1da158..2a57edf 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -352,12 +352,11 @@
case SSL3_ST_SW_CERT_A:
case SSL3_ST_SW_CERT_B:
/* Check if it is anon DH or anon ECDH, */
- /* non-RSA PSK or KRB5 or SRP */
+ /* non-RSA PSK or SRP */
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
/* Among PSK ciphersuites only RSA_PSK uses server certificate */
&& !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK &&
- !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA))
- && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
+ !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA)))
{
ret=ssl3_send_server_certificate(s);
if (ret <= 0) goto end;
@@ -449,11 +448,9 @@
/* ... except when the application insists on verification
* (against the specs, but s3_clnt.c accepts this for SSL 3) */
!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
- /* never request cert in Kerberos ciphersuites */
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
/* With normal PSK Certificates and
* Certificate Requests are omitted */
- || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
+ (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
{
/* no cert request */
skip=1;
@@ -3011,13 +3008,8 @@
cpk=ssl_get_server_send_pkey(s);
if (cpk == NULL)
{
- /* VRS: allow null cert if auth == KRB5 */
- if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
- (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5))
- {
- OPENSSL_PUT_ERROR(SSL, ssl3_send_server_certificate, ERR_R_INTERNAL_ERROR);
- return(0);
- }
+ OPENSSL_PUT_ERROR(SSL, ssl3_send_server_certificate, ERR_R_INTERNAL_ERROR);
+ return(0);
}
ssl3_output_cert_chain(s,cpk);
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 87ffe9b..21cc5d1 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -178,32 +178,6 @@
#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
-/* VRS Additional Kerberos5 entries
- */
-#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
-#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
-#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA
-#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
-#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
-#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
-#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5
-#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
-
-#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
-#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA
-#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA
-#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
-#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5
-#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5
-
-#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
-#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
-#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
-#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
-#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
-#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
-#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256
-
#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
#define SSL_MAX_SID_CTX_LENGTH 32
@@ -235,7 +209,6 @@
#define SSL_TXT_kDHd "kDHd"
#define SSL_TXT_kDH "kDH"
#define SSL_TXT_kEDH "kEDH"
-#define SSL_TXT_kKRB5 "kKRB5"
#define SSL_TXT_kECDHr "kECDHr"
#define SSL_TXT_kECDHe "kECDHe"
#define SSL_TXT_kECDH "kECDH"
@@ -248,7 +221,6 @@
#define SSL_TXT_aDSS "aDSS"
#define SSL_TXT_aDH "aDH"
#define SSL_TXT_aECDH "aECDH"
-#define SSL_TXT_aKRB5 "aKRB5"
#define SSL_TXT_aECDSA "aECDSA"
#define SSL_TXT_aPSK "aPSK"
#define SSL_TXT_aGOST94 "aGOST94"
@@ -264,7 +236,6 @@
#define SSL_TXT_EECDH "EECDH" /* same as "kEECDH:-AECDH" */
#define SSL_TXT_AECDH "AECDH"
#define SSL_TXT_ECDSA "ECDSA"
-#define SSL_TXT_KRB5 "KRB5"
#define SSL_TXT_PSK "PSK"
#define SSL_TXT_SRP "SRP"
@@ -438,7 +409,6 @@
* Cipher OCTET STRING, -- the 3 byte cipher ID
* Session_ID OCTET STRING, -- the Session ID
* Master_key OCTET STRING, -- the master key
- * KRB5_principal OCTET STRING -- optional Kerberos principal
* Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument
* Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
* Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index fc2f2b0..182edb3 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -162,34 +162,6 @@
#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A
#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B
-#if 0
- #define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
- #define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
- #if 0 /* Because it clashes with KRB5, is never used any more, and is safe
- to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
- of the ietf-tls list */
- #define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
- #endif
-#endif
-
-/* VRS Additional Kerberos5 entries
- */
-#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E
-#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F
-#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020
-#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021
-#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022
-#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023
-#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024
-#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025
-
-#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026
-#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027
-#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028
-#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029
-#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A
-#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B
-
#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"
@@ -221,28 +193,6 @@
#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA"
#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA"
-#if 0
- #define SSL3_TXT_FZA_DMS_NULL_SHA "FZA-NULL-SHA"
- #define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
- #define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
-#endif
-
-#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
-#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA"
-#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
-#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5"
-#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5"
-
-#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA"
-#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA"
-#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5"
-#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5"
-
#define SSL3_SSL_SESSION_ID_LENGTH 32
#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 766cc85..d7f3fba 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -240,8 +240,6 @@
{0,SSL_TXT_kEDH,0, SSL_kEDH, 0,0,0,0,0,0,0,0},
{0,SSL_TXT_DH,0, SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0},
- {0,SSL_TXT_kKRB5,0, SSL_kKRB5, 0,0,0,0,0,0,0,0},
-
{0,SSL_TXT_kECDHr,0, SSL_kECDHr,0,0,0,0,0,0,0,0},
{0,SSL_TXT_kECDHe,0, SSL_kECDHe,0,0,0,0,0,0,0,0},
{0,SSL_TXT_kECDH,0, SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0},
@@ -256,7 +254,6 @@
{0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
{0,SSL_TXT_aDSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
{0,SSL_TXT_DSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
- {0,SSL_TXT_aKRB5,0, 0,SSL_aKRB5, 0,0,0,0,0,0,0},
{0,SSL_TXT_aNULL,0, 0,SSL_aNULL, 0,0,0,0,0,0,0},
{0,SSL_TXT_aDH,0, 0,SSL_aDH, 0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
{0,SSL_TXT_aECDH,0, 0,SSL_aECDH, 0,0,0,0,0,0,0},
@@ -271,7 +268,6 @@
{0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
{0,SSL_TXT_EECDH,0, SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},
{0,SSL_TXT_NULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},
- {0,SSL_TXT_KRB5,0, SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0},
{0,SSL_TXT_RSA,0, SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0},
{0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},
{0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},
@@ -1419,7 +1415,6 @@
/* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail); */
ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail);
ssl_cipher_apply_rule(0, SSL_kPSK, 0,0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail);
- ssl_cipher_apply_rule(0, SSL_kKRB5, 0,0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail);
/* RC4 is sort-of broken -- move the the end */
ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail);
@@ -1605,9 +1600,6 @@
case SSL_kDHd:
kx="DH/DSS";
break;
- case SSL_kKRB5:
- kx="KRB5";
- break;
case SSL_kEDH:
kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
break;
@@ -1641,9 +1633,6 @@
case SSL_aDH:
au="DH";
break;
- case SSL_aKRB5:
- au="KRB5";
- break;
case SSL_aECDH:
au="ECDH";
break;
@@ -1858,9 +1847,6 @@
return SSL_PKEY_DSA_SIGN;
else if (alg_a & SSL_aRSA)
return SSL_PKEY_RSA_ENC;
- else if (alg_a & SSL_aKRB5)
- /* VRS something else here? */
- return -1;
else if (alg_a & SSL_aGOST94)
return SSL_PKEY_GOST94;
else if (alg_a & SSL_aGOST01)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d2a8dc5..63e7dcc 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -280,13 +280,12 @@
#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */
#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */
#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */
-#define SSL_kKRB5 0x00000010L /* Kerberos5 key exchange */
-#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
-#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
-#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
-#define SSL_kPSK 0x00000100L /* PSK */
-#define SSL_kGOST 0x00000200L /* GOST key exchange */
-#define SSL_kSRP 0x00000400L /* SRP */
+#define SSL_kECDHr 0x00000010L /* ECDH cert, RSA CA cert */
+#define SSL_kECDHe 0x00000020L /* ECDH cert, ECDSA CA cert */
+#define SSL_kEECDH 0x00000040L /* ephemeral ECDH */
+#define SSL_kPSK 0x00000080L /* PSK */
+#define SSL_kGOST 0x00000100L /* GOST key exchange */
+#define SSL_kSRP 0x00000200L /* SRP */
/* Bits for algorithm_auth (server authentication) */
#define SSL_aRSA 0x00000001L /* RSA auth */
@@ -294,11 +293,10 @@
#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */
#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
-#define SSL_aKRB5 0x00000020L /* KRB5 auth */
-#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
-#define SSL_aPSK 0x00000080L /* PSK auth */
-#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
-#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
+#define SSL_aECDSA 0x00000020L /* ECDSA auth*/
+#define SSL_aPSK 0x00000040L /* PSK auth */
+#define SSL_aGOST94 0x00000080L /* GOST R 34.10-94 signature auth */
+#define SSL_aGOST01 0x00000100L /* GOST R 34.10-2001 signature auth */
/* Bits for algorithm_enc (symmetric encryption) */
