Adapt to headers being included in a different order in sendto_kdc.c.

Drop portions which drop checkhost.c and checkhost.h.

commit 472349d2a47fbc7db82e46ba46411b95c312fc1f

Author: Greg Hudson <ghudson@mit.edu>

Date:   Sun Jun 22 10:42:14 2014 -0400

    Move KKDCP OpenSSL code to an internal plugin

    Create an internal pluggable interface "tls" with one in-tree dynamic

    plugin module named "k5tls".  Move all of the OpenSSL calls to the

    plugin module, and make the libkrb5 code load and invoke the plugin.

    This way we do not load or initialize libssl unless an HTTP proxy is

    used.

    ticket: 7929

diff --git a/src/Makefile.in b/src/Makefile.in

index 5e2cf4e..92bb60a 100644

--- a/src/Makefile.in

+++ b/src/Makefile.in

@@ -20,6 +20,7 @@ SUBDIRS=util include lib \

 	@ldap_plugin_dir@ \

 	plugins/preauth/otp \

 	plugins/preauth/pkinit \

+	plugins/tls/k5tls \

 	kdc kadmin slave clients appl tests \

 	config-files build-tools man doc @po@

 WINSUBDIRS=include util lib ccapi windows clients appl

@@ -62,7 +63,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \

 		$(KRB5_LIBDIR) $(KRB5_INCDIR) \

 		$(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \

 		$(KRB5_AD_MODULE_DIR) \

-		$(KRB5_LIBKRB5_MODULE_DIR) \

+		$(KRB5_LIBKRB5_MODULE_DIR) $(KRB5_TLS_MODULE_DIR) \

 		@localstatedir@ @localstatedir@/krb5kdc \

 		$(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \

 		$(PKGCONFIG_DIR)

diff --git a/src/config/pre.in b/src/config/pre.in

index e1d7e4b..fd8ee56 100644

--- a/src/config/pre.in

+++ b/src/config/pre.in

@@ -213,6 +213,7 @@ KRB5_DB_MODULE_DIR = $(MODULE_DIR)/kdb

 KRB5_PA_MODULE_DIR = $(MODULE_DIR)/preauth

 KRB5_AD_MODULE_DIR = $(MODULE_DIR)/authdata

 KRB5_LIBKRB5_MODULE_DIR = $(MODULE_DIR)/libkrb5

+KRB5_TLS_MODULE_DIR = $(MODULE_DIR)/tls

 KRB5_LOCALEDIR = @localedir@

 GSS_MODULE_DIR = @libdir@/gss

 KRB5_INCSUBDIRS = \

diff --git a/src/configure.in b/src/configure.in

index 8aa513e..43509ab 100644

--- a/src/configure.in

+++ b/src/configure.in

@@ -308,6 +308,11 @@ no)

   ;;

 esac

+if test "$PROXY_TLS_IMPL" = no; then

+   AC_DEFINE(PROXY_TLS_IMPL_NONE,1,

+             [Define if no HTTP TLS implementation is selected])

+fi

+

 AC_SUBST(PROXY_TLS_IMPL)

 AC_SUBST(PROXY_TLS_IMPL_CFLAGS)

 AC_SUBST(PROXY_TLS_IMPL_LIBS)

@@ -1386,6 +1391,7 @@ dnl	ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test

 	plugins/authdata/greet

 	plugins/authdata/greet_client

 	plugins/authdata/greet_server

+	plugins/tls/k5tls

 	clients clients/klist clients/kinit clients/kvno

 	clients/kdestroy clients/kpasswd clients/ksu clients/kswitch

diff --git a/src/include/k5-int.h b/src/include/k5-int.h

index 9f14ee0..38846eb 100644

--- a/src/include/k5-int.h

+++ b/src/include/k5-int.h

@@ -1083,7 +1083,8 @@ struct plugin_interface {

 #define PLUGIN_INTERFACE_LOCALAUTH   5

 #define PLUGIN_INTERFACE_HOSTREALM   6

 #define PLUGIN_INTERFACE_AUDIT       7

-#define PLUGIN_NUM_INTERFACES        8

+#define PLUGIN_INTERFACE_TLS         8

+#define PLUGIN_NUM_INTERFACES        9

 /* Retrieve the plugin module of type interface_id and name modname,

  * storing the result into module. */

@@ -1126,6 +1127,7 @@ typedef struct krb5_preauth_context_st krb5_preauth_context;

 struct ccselect_module_handle;

 struct localauth_module_handle;

 struct hostrealm_module_handle;

+struct k5_tls_vtable_st;

 struct _krb5_context {

     krb5_magic      magic;

     krb5_enctype    *in_tkt_etypes;

@@ -1169,6 +1171,9 @@ struct _krb5_context {

     /* hostrealm module stuff */

     struct hostrealm_module_handle **hostrealm_handles;

+    /* TLS module vtable (if loaded) */

+    struct k5_tls_vtable_st *tls;

+

     /* error detail info */

     struct errinfo err;

diff --git a/src/include/k5-tls.h b/src/include/k5-tls.h

new file mode 100644

index 0000000..0661c05

--- /dev/null

+++ b/src/include/k5-tls.h

@@ -0,0 +1,104 @@

+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */

+/* include/k5-tls.h - internal pluggable interface for TLS */

+/*

+ * Copyright (C) 2014 by the Massachusetts Institute of Technology.

+ * All rights reserved.

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ *

+ * * Redistributions of source code must retain the above copyright

+ *   notice, this list of conditions and the following disclaimer.

+ *

+ * * Redistributions in binary form must reproduce the above copyright

+ *   notice, this list of conditions and the following disclaimer in

+ *   the documentation and/or other materials provided with the

+ *   distribution.

+ *

+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS

+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS

+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,

+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

+ * OF THE POSSIBILITY OF SUCH DAMAGE.

+ */

+

+/*

+ * This internal pluggable interface allows libkrb5 to load an in-tree module

+ * providing TLS support at runtime.  It is currently tailored for the needs of

+ * the OpenSSL module as used for HTTP proxy support.  As an internal

+ * interface, it can be changed to fit different implementations and consumers

+ * without regard for backward compatibility.

+ */

+

+#ifndef K5_TLS_H

+#define K5_TLS_H

+

+#include "k5-int.h"

+

+/* An abstract type for localauth module data. */

+typedef struct k5_tls_handle_st *k5_tls_handle;

+

+typedef enum {

+    DATA_READ, DONE, WANT_READ, WANT_WRITE, ERROR_TLS

+} k5_tls_status;

+

+/*

+ * Create a handle for fd, where the server certificate must match servername

+ * and be trusted according to anchors.  anchors is a null-terminated list

+ * using the DIR:/FILE:/ENV: syntax borrowed from PKINIT.  If anchors is null,

+ * use the system default trust anchors.

+ */

+typedef krb5_error_code

+(*k5_tls_setup_fn)(krb5_context context, SOCKET fd, const char *servername,

+                   char **anchors, k5_tls_handle *handle_out);

+

+/*

+ * Write len bytes of data using TLS.  Return DONE if writing is complete,

+ * WANT_READ or WANT_WRITE if the underlying socket must be readable or

+ * writable to continue, and ERROR_TLS if the TLS channel or underlying socket

+ * experienced an error.  After WANT_READ or WANT_WRITE, the operation will be

+ * retried with the same arguments even if some data has already been written.

+ * (OpenSSL makes this contract easy to fulfill.  For other implementations we

+ * might want to change it.)

+ */

+typedef k5_tls_status

+(*k5_tls_write_fn)(krb5_context context, k5_tls_handle handle,

+                   const void *data, size_t len);

+

+/*

+ * Read up to data_size bytes of data using TLS.  Return DATA_READ and set

+ * *len_out if any data is read.  Return DONE if there is no more data to be

+ * read on the connection, WANT_READ or WANT_WRITE if the underlying socket

+ * must be readable or writable to continue, and ERROR_TLS if the TLS channel

+ * or underlying socket experienced an error.

+ *

+ * After DATA_READ, there may still be pending buffered data to read.  The

+ * caller must call this method again with additional buffer space before

+ * selecting for reading on the underlying socket.

+ */

+typedef k5_tls_status

+(*k5_tls_read_fn)(krb5_context context, k5_tls_handle handle, void *data,

+                  size_t data_size, size_t *len_out);

+

+/* Release a handle.  Do not pass a null pointer. */

+typedef void

+(*k5_tls_free_handle_fn)(krb5_context context, k5_tls_handle handle);

+

+/* All functions are mandatory unless they are all null, in which case the

+ * caller should assume that TLS is unsupported. */

+typedef struct k5_tls_vtable_st {

+    k5_tls_setup_fn setup;

+    k5_tls_write_fn write;

+    k5_tls_read_fn read;

+    k5_tls_free_handle_fn free_handle;

+} *k5_tls_vtable;

+

+#endif /* K5_TLS_H */

diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h

index 9e75b29..a0aa85a 100644

--- a/src/include/k5-trace.h

+++ b/src/include/k5-trace.h

@@ -324,23 +324,11 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);

     TRACE(c, "Resolving hostname {str}", hostname)

 #define TRACE_SENDTO_KDC_RESPONSE(c, len, raddr)                        \

     TRACE(c, "Received answer ({int} bytes) from {raddr}", len, raddr)

-#define TRACE_SENDTO_KDC_HTTPS_SERVER_NAME_MISMATCH(c, hostname)        \

-    TRACE(c, "HTTPS certificate name mismatch: server certificate is "  \

-          "not for \"{str}\"", hostname)

-#define TRACE_SENDTO_KDC_HTTPS_SERVER_NAME_MATCH(c, hostname)           \

-    TRACE(c, "HTTPS certificate name matched \"{str}\"", hostname)

-#define TRACE_SENDTO_KDC_HTTPS_NO_REMOTE_CERTIFICATE(c)                 \

-    TRACE(c, "HTTPS server certificate not received")

-#define TRACE_SENDTO_KDC_HTTPS_PROXY_CERTIFICATE_ERROR(c, depth,        \

-                                                       namelen, name,   \

-                                                       err, errs)       \

-    TRACE(c, "HTTPS certificate error at {int} ({lenstr}): "            \

-          "{int} ({str})", depth, namelen, name, err, errs)

-#define TRACE_SENDTO_KDC_HTTPS_ERROR_CONNECT(c, raddr)                  \

+#define TRACE_SENDTO_KDC_HTTPS_ERROR_CONNECT(c, raddr)          \

     TRACE(c, "HTTPS error connecting to {raddr}", raddr)

-#define TRACE_SENDTO_KDC_HTTPS_ERROR_RECV(c, raddr, err)                \

-    TRACE(c, "HTTPS error receiving from {raddr}: {errno}", raddr, err)

-#define TRACE_SENDTO_KDC_HTTPS_ERROR_SEND(c, raddr)                     \

+#define TRACE_SENDTO_KDC_HTTPS_ERROR_RECV(c, raddr)             \

+    TRACE(c, "HTTPS error receiving from {raddr}", raddr)

+#define TRACE_SENDTO_KDC_HTTPS_ERROR_SEND(c, raddr)     \

     TRACE(c, "HTTPS error sending to {raddr}", raddr)

 #define TRACE_SENDTO_KDC_HTTPS_SEND(c, raddr)                           \

     TRACE(c, "Sending HTTPS request to {raddr}", raddr)

@@ -383,6 +371,19 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);

     TRACE(c, "TGS reply didn't decode with subkey; trying session key " \

           "({keyblock)}", keyblock)

+#define TRACE_TLS_ERROR(c, errs)                \

+    TRACE(c, "TLS error: {str}", errs)

+#define TRACE_TLS_NO_REMOTE_CERTIFICATE(c)              \

+    TRACE(c, "TLS server certificate not received")

+#define TRACE_TLS_CERT_ERROR(c, depth, namelen, name, err, errs)        \

+    TRACE(c, "TLS certificate error at {int} ({lenstr}): {int} ({str})", \

+          depth, namelen, name, err, errs)

+#define TRACE_TLS_SERVER_NAME_MISMATCH(c, hostname)                     \

+    TRACE(c, "TLS certificate name mismatch: server certificate is "    \

+          "not for \"{str}\"", hostname)

+#define TRACE_TLS_SERVER_NAME_MATCH(c, hostname)                        \

+    TRACE(c, "TLS certificate name matched \"{str}\"", hostname)

+

 #define TRACE_TKT_CREDS(c, creds, cache)                            \

     TRACE(c, "Getting credentials {creds} using ccache {ccache}",   \

           creds, cache)

diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in

index 472c008..d9cddc1 100644

--- a/src/lib/krb5/Makefile.in

+++ b/src/lib/krb5/Makefile.in

@@ -56,8 +56,7 @@ RELDIR=krb5

 SHLIB_EXPDEPS = \

 	$(TOPLIBD)/libk5crypto$(SHLIBEXT) \

 	$(COM_ERR_DEPLIB) $(SUPPORT_DEPLIB)

-SHLIB_EXPLIBS=-lk5crypto -lcom_err $(PROXY_TLS_IMPL_LIBS) $(SUPPORT_LIB) \

-	@GEN_LIB@ $(LIBS)

+SHLIB_EXPLIBS=-lk5crypto -lcom_err $(SUPPORT_LIB) @GEN_LIB@ $(LIBS)

 all-unix:: all-liblinks

diff --git a/src/lib/krb5/krb/copy_ctx.c b/src/lib/krb5/krb/copy_ctx.c

index 4237023..322c288 100644

--- a/src/lib/krb5/krb/copy_ctx.c

+++ b/src/lib/krb5/krb/copy_ctx.c

@@ -81,6 +81,7 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)

     nctx->ccselect_handles = NULL;

     nctx->localauth_handles = NULL;

     nctx->hostrealm_handles = NULL;

+    nctx->tls = NULL;

     nctx->kdblog_context = NULL;

     nctx->trace_callback = NULL;

     nctx->trace_callback_data = NULL;

diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c

index 6801bb1..6548f36 100644

--- a/src/lib/krb5/krb/init_ctx.c

+++ b/src/lib/krb5/krb/init_ctx.c

@@ -319,6 +319,7 @@ krb5_free_context(krb5_context ctx)

     k5_localauth_free_context(ctx);

     k5_plugin_free_context(ctx);

     free(ctx->plugin_base_dir);

+    free(ctx->tls);

     ctx->magic = 0;

     free(ctx);

diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c

index 8b62c7b..7375f51 100644

--- a/src/lib/krb5/krb/plugin.c

+++ b/src/lib/krb5/krb/plugin.c

@@ -55,7 +55,8 @@ const char *interface_names[] = {

     "ccselect",

     "localauth",

     "hostrealm",

-    "audit"

+    "audit",

+    "tls"

 };

 /* Return the context's interface structure for id, or NULL if invalid. */

diff --git a/src/lib/krb5/krb5_libinit.c b/src/lib/krb5/krb5_libinit.c

index b72bc58..eb40124 100644

--- a/src/lib/krb5/krb5_libinit.c

+++ b/src/lib/krb5/krb5_libinit.c

@@ -55,8 +55,6 @@ int krb5int_lib_init(void)

     if (err)

         return err;

-    k5_sendto_kdc_initialize();

-

     return 0;

 }

diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in

index fa8a093..ea68990 100644

--- a/src/lib/krb5/os/Makefile.in

+++ b/src/lib/krb5/os/Makefile.in

@@ -2,7 +2,7 @@ mydir=lib$(S)krb5$(S)os

 BUILDTOP=$(REL)..$(S)..$(S)..

 DEFINES=-DLIBDIR=\"$(KRB5_LIBDIR)\" -DBINDIR=\"$(CLIENT_BINDIR)\" \

 	-DSBINDIR=\"$(ADMIN_BINDIR)\"

-LOCALINCLUDES= $(PROXY_TLS_IMPL_CFLAGS) -I$(top_srcdir)/util/profile

+LOCALINCLUDES= -I$(top_srcdir)/util/profile

 ##DOS##BUILDTOP = ..\..\..

 ##DOS##PREFIXDIR=os

@@ -13,7 +13,6 @@ STLIBOBJS= \

 	c_ustime.o	\

 	ccdefname.o	\

 	changepw.o	\

-	checkhost.o	\

 	dnsglue.o	\

 	dnssrv.o	\

 	expand_path.o	\

diff --git a/src/lib/krb5/os/deps b/src/lib/krb5/os/deps

index d56ff30..211354c 100644

--- a/src/lib/krb5/os/deps

+++ b/src/lib/krb5/os/deps

@@ -49,17 +49,6 @@ changepw.so changepw.po $(OUTPRE)changepw.$(OBJEXT): \

   $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/plugin.h \

   $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \

   changepw.c os-proto.h

-checkhost.so checkhost.po $(OUTPRE)checkhost.$(OBJEXT): \

-  $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \

-  $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \

-  $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \

-  $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \

-  $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \

-  $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \

-  $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/k5-utf8.h \

-  $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \

-  $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \

-  $(top_srcdir)/include/socket-utils.h checkhost.c checkhost.h

 dnsglue.so dnsglue.po $(OUTPRE)dnsglue.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \

   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \

   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \

@@ -429,7 +418,7 @@ sendto_kdc.so sendto_kdc.po $(OUTPRE)sendto_kdc.$(OBJEXT): \

   $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \

   $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \

   $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \

-  $(top_srcdir)/include/socket-utils.h checkhost.h os-proto.h \

+  $(top_srcdir)/include/socket-utils.h os-proto.h \

   sendto_kdc.c

 sn2princ.so sn2princ.po $(OUTPRE)sn2princ.$(OBJEXT): \

   $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \

diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c

index 1f2039c..160a2d0 100644

--- a/src/lib/krb5/os/locate_kdc.c

+++ b/src/lib/krb5/os/locate_kdc.c

@@ -177,7 +177,6 @@ oom:

     return ENOMEM;

 }

-#ifdef PROXY_TLS_IMPL_OPENSSL

 static void

 parse_uri_if_https(char *host_or_uri, k5_transport *transport, char **host,

                    char **uri_path)

@@ -195,13 +194,6 @@ parse_uri_if_https(char *host_or_uri, k5_transport *transport, char **host,

         }

     }

 }

-#else

-static void

-parse_uri_if_https(char *host_or_uri, k5_transport *transport, char **host,

-                   char **uri)

-{

-}

-#endif

 /* Return true if server is identical to an entry in list. */

 static krb5_boolean

diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h

index 34bf028..69ee376 100644

--- a/src/lib/krb5/os/os-proto.h

+++ b/src/lib/krb5/os/os-proto.h

@@ -187,6 +187,5 @@ krb5_error_code localauth_k5login_initvt(krb5_context context, int maj_ver,

                                          krb5_plugin_vtable vtable);

 krb5_error_code localauth_an2ln_initvt(krb5_context context, int maj_ver,

                                        int min_ver, krb5_plugin_vtable vtable);

-void k5_sendto_kdc_initialize(void);

 #endif /* KRB5_LIBOS_INT_PROTO__ */

diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c

index a572831..2242240 100644

--- a/src/lib/krb5/os/sendto_kdc.c

+++ b/src/lib/krb5/os/sendto_kdc.c

@@ -54,6 +54,7 @@

  * as necessary. */

 #include "fake-addrinfo.h"

+#include "k5-tls.h"

 #include "k5-int.h"

 #include "os-proto.h"

@@ -74,15 +75,6 @@

 #endif

 #endif

-#ifdef PROXY_TLS_IMPL_OPENSSL

-#include <openssl/err.h>

-#include <openssl/ssl.h>

-#include <openssl/x509.h>

-#include <openssl/x509v3.h>

-#include <dirent.h>

-#include "checkhost.h"

-#endif

-

 #define MAX_PASS                    3

 #define DEFAULT_UDP_PREF_LIMIT   1465

 #define HARD_UDP_LIMIT          32700 /* could probably do 64K-epsilon ? */

@@ -147,29 +139,30 @@ struct conn_state {

         const char *uri_path;

         const char *servername;

         char *https_request;

-#ifdef PROXY_TLS_IMPL_OPENSSL

-        SSL *ssl;

-#endif

+        k5_tls_handle tls;

     } http;

 };

-#ifdef PROXY_TLS_IMPL_OPENSSL

-/* Extra-data identifier, used to pass context into the verify callback. */

-static int ssl_ex_context_id = -1;

-static int ssl_ex_conn_id = -1;

-#endif

-

-void

-k5_sendto_kdc_initialize(void)

+/* Set up context->tls.  On allocation failure, return ENOMEM.  On plugin load

+ * failure, set context->tls to point to a nulled vtable and return 0. */

+static krb5_error_code

+init_tls_vtable(krb5_context context)

 {

-#ifdef PROXY_TLS_IMPL_OPENSSL

-    SSL_library_init();

-    SSL_load_error_strings();

-    OpenSSL_add_all_algorithms();

+    krb5_plugin_initvt_fn initfn;

-    ssl_ex_context_id = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);

-    ssl_ex_conn_id = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);

-#endif

+    if (context->tls != NULL)

+        return 0;

+

+    context->tls = calloc(1, sizeof(*context->tls));

+    if (context->tls == NULL)

+        return ENOMEM;

+

+    /* Attempt to load the module; just let it stay nulled out on failure. */

+    k5_plugin_register_dyn(context, PLUGIN_INTERFACE_TLS, "k5tls", "tls");

+    if (k5_plugin_load(context, PLUGIN_INTERFACE_TLS, "k5tls", &initfn) == 0)

+        (*initfn)(context, 0, 0, (krb5_plugin_vtable)context->tls);

+

+    return 0;

 }

 /* Get current time in milliseconds. */

@@ -184,21 +177,15 @@ get_curtime_ms(time_ms *time_out)

     return 0;

 }

-#ifdef PROXY_TLS_IMPL_OPENSSL

 static void

-free_http_ssl_data(struct conn_state *state)

+free_http_tls_data(krb5_context context, struct conn_state *state)

 {

-    SSL_free(state->http.ssl);

-    state->http.ssl = NULL;

+    if (state->http.tls != NULL)

+        context->tls->free_handle(context, state->http.tls);

+    state->http.tls = NULL;

     free(state->http.https_request);

     state->http.https_request = NULL;

 }

-#else

-static void

-free_http_ssl_data(struct conn_state *state)

-{

-}

-#endif

 #ifdef USE_POLL

@@ -532,7 +519,6 @@ static fd_handler_fn service_udp_read;

 static fd_handler_fn service_https_write;

 static fd_handler_fn service_https_read;

-#ifdef PROXY_TLS_IMPL_OPENSSL

 static krb5_error_code

 make_proxy_request(struct conn_state *state, const krb5_data *realm,

                    const krb5_data *message, char **req_out, size_t *len_out)

@@ -585,14 +571,6 @@ cleanup:

     krb5_free_data(NULL, encoded_pm);

     return ret;

 }

-#else

-static krb5_error_code

-make_proxy_request(struct conn_state *state, const krb5_data *realm,

-                   const krb5_data *message, char **req_out, size_t *len_out)

-{

-    abort();

-}

-#endif

 /* Set up the actual message we will send across the underlying transport to

  * communicate the payload message, using one or both of state->out.sgbuf. */

@@ -963,7 +941,7 @@ static void

 kill_conn(krb5_context context, struct conn_state *conn,

           struct select_state *selstate)

 {

-    free_http_ssl_data(conn);

+    free_http_tls_data(context, conn);

     if (socktype_for_transport(conn->addr.transport) == SOCK_STREAM)

         TRACE_SENDTO_KDC_TCP_DISCONNECT(context, &conn->addr);

@@ -1145,249 +1123,44 @@ service_udp_read(krb5_context context, const krb5_data *realm,

     return TRUE;

 }

-#ifdef PROXY_TLS_IMPL_OPENSSL

-/* Output any error strings that OpenSSL's accumulated as tracing messages. */

-static void

-flush_ssl_errors(krb5_context context)

-{

-    unsigned long err;

-    char buf[128];

-

-    while ((err = ERR_get_error()) != 0) {

-        ERR_error_string_n(err, buf, sizeof(buf));

-        TRACE_SENDTO_KDC_HTTPS_ERROR(context, buf);

-    }

-}

-

-static krb5_error_code

-load_http_anchor_file(X509_STORE *store, const char *path)

-{

-    FILE *fp;

-    STACK_OF(X509_INFO) *sk = NULL;

-    X509_INFO *xi;

-    int i;

-

-    fp = fopen(path, "r");

-    if (fp == NULL)

-        return errno;

-    sk = PEM_X509_INFO_read(fp, NULL, NULL, NULL);

-    fclose(fp);

-    if (sk == NULL)

-        return ENOENT;

-    for (i = 0; i < sk_X509_INFO_num(sk); i++) {

-        xi = sk_X509_INFO_value(sk, i);

-        if (xi->x509 != NULL)

-            X509_STORE_add_cert(store, xi->x509);

-    }

-    sk_X509_INFO_pop_free(sk, X509_INFO_free);

-    return 0;

-}

-

-static krb5_error_code

-load_http_anchor_dir(X509_STORE *store, const char *path)

-{

-    DIR *d = NULL;

-    struct dirent *dentry = NULL;

-    char filename[1024];

-    krb5_boolean found_any = FALSE;

-

-    d = opendir(path);

-    if (d == NULL)

-        return ENOENT;

-    while ((dentry = readdir(d)) != NULL) {

-        if (dentry->d_name[0] != '.') {

-            snprintf(filename, sizeof(filename), "%s/%s",

-                     path, dentry->d_name);

-            if (load_http_anchor_file(store, filename) == 0)

-                found_any = TRUE;

-        }

-    }

-    closedir(d);

-    return found_any ? 0 : ENOENT;

-}

-

-static krb5_error_code

-load_http_anchor(SSL_CTX *ctx, const char *location)

+/* Set up conn->http.tls.  Return true on success. */

+static krb5_boolean

+setup_tls(krb5_context context, const krb5_data *realm,

+          struct conn_state *conn, struct select_state *selstate)

 {

-    X509_STORE *store;

-    const char *envloc;

-

-    store = SSL_CTX_get_cert_store(ctx);

-    if (strncmp(location, "FILE:", 5) == 0) {

-        return load_http_anchor_file(store, location + 5);

-    } else if (strncmp(location, "DIR:", 4) == 0) {

-        return load_http_anchor_dir(store, location + 4);

-    } else if (strncmp(location, "ENV:", 4) == 0) {

-        envloc = getenv(location + 4);

-        if (envloc == NULL)

-            return ENOENT;

-        return load_http_anchor(ctx, envloc);

-    }

-    return EINVAL;

-}

+    krb5_error_code ret;

+    krb5_boolean ok = FALSE;

+    char **anchors = NULL, *realmstr = NULL;

+    const char *names[4];

-static krb5_error_code

-load_http_verify_anchors(krb5_context context, const krb5_data *realm,

-                         SSL_CTX *sctx)

-{

-    const char *anchors[4];

-    char **values = NULL, *realmz;

-    unsigned int i;

-    krb5_error_code err;

+    if (init_tls_vtable(context) != 0 || context->tls->setup == NULL)

+        return FALSE;

-    realmz = k5memdup0(realm->data, realm->length, &err;;

-    if (realmz == NULL)

+    realmstr = k5memdup0(realm->data, realm->length, &ret;;

+    if (realmstr == NULL)

         goto cleanup;

     /* Load the configured anchors. */

-    anchors[0] = KRB5_CONF_REALMS;

-    anchors[1] = realmz;

-    anchors[2] = KRB5_CONF_HTTP_ANCHORS;

-    anchors[3] = NULL;

-    if (profile_get_values(context->profile, anchors, &values) == 0) {

-        for (i = 0; values[i] != NULL; i++) {

-            err = load_http_anchor(sctx, values[i]);

-            if (err != 0)

-                break;

-        }

-        profile_free_list(values);

-    } else {

-        /* Use the library defaults. */

-        if (SSL_CTX_set_default_verify_paths(sctx) != 1)

-            err = ENOENT;

-    }

-

-cleanup:

-    free(realmz);

-    return err;

-}

-

-static krb5_boolean

-ssl_check_name_or_ip(X509 *x, const char *expected_name)

-{

-    struct in_addr in;

-    struct in6_addr in6;

-

-    if (inet_aton(expected_name, &in) != 0 ||

-        inet_pton(AF_INET6, expected_name, &in6) != 0) {

-        return k5_check_cert_address(x, expected_name);

-    } else {

-        return k5_check_cert_servername(x, expected_name);

-    }

-}

+    names[0] = KRB5_CONF_REALMS;

+    names[1] = realmstr;

+    names[2] = KRB5_CONF_HTTP_ANCHORS;

+    names[3] = NULL;

+    ret = profile_get_values(context->profile, names, &anchors);

+    if (ret != 0 && ret != PROF_NO_RELATION)

+        goto cleanup;

-static int

-ssl_verify_callback(int preverify_ok, X509_STORE_CTX *store_ctx)

-{

-    X509 *x;

-    SSL *ssl;

-    BIO *bio;

-    krb5_context context;

-    int err, depth;