+#endif
+#ifndef NO_KRB5
+ else if (l & SSL_kKRB5)
+ {
+ krb5_error_code krb5rc;
+ KSSL_CTX *kssl_ctx = s->kssl_ctx;
+ krb5_data krb5_ap_req;
+
+#ifdef KSSL_DEBUG
+ printf("ssl3_send_client_key_exchange(%lx & %lx)\n",
+ l, SSL_kKRB5);
+#endif /* KSSL_DEBUG */
+
+ /*
+ ** Tried to send random tmp_buf[] as PMS in Kerberos ticket
+ ** by passing krb5_mk_req_extended(ctx,authctx,opts, tmp_buf, ...)
+ ** but: I can't retrieve the PMS on the other side! There is
+ ** some indication in the krb5 source that this is only used
+ ** to generate a checksum. OTOH, the Tung book shows data
+ ** ("GET widget01.txt") being passed in krb5_mk_req_extended()
+ ** by way of krb5_sendauth(). I don't get it.
+ ** Until Kerberos goes 3DES, the big PMS secret would only be
+ ** encrypted in 1-DES anyway. So losing the PMS shouldn't be
+ ** a big deal.
+ */
+ krb5rc = kssl_cget_tkt(kssl_ctx, &krb5_ap_req,
+ &kssl_err);
+#ifdef KSSL_DEBUG
+ {
+ printf("kssl_cget_tkt rtn %d\n", krb5rc);
+ kssl_ctx_show(kssl_ctx);
+ if (krb5rc && kssl_err.text)
+ printf("kssl_cget_tkt kssl_err=%s\n", kssl_err.text);
+ }
+#endif /* KSSL_DEBUG */
+
+ if (krb5rc)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE, kssl_err.reason);
+ goto err;
+ }
+
+ /* Send ticket (copy to *p, set n = length)
+ */
+ n = krb5_ap_req.length;
+ memcpy(p, krb5_ap_req.data, krb5_ap_req.length);
+ if (krb5_ap_req.data)
+ kssl_krb5_free_data_contents(NULL,&krb5_ap_req);
+
+ /* 19991013 VRS - 3DES is kind of bogus here,
+ ** at least until Kerberos supports 3DES. The only
+ ** real secret is the 8-byte Kerberos session key;
+ ** the other key material ((s->) client_random, server_random)
+ ** could be sniffed. Mixing in these nonces should help
+ ** protect against replay attacks, however.
+ **
+ ** Alternate code for Kerberos Purists:
+ **
+ ** memcpy(s->session->master_key, kssl_ctx->key, kssl_ctx->length);
+ ** s->session->master_key_length = kssl_ctx->length;
+ */
+ s->session->master_key_length=
+ s->method->ssl3_enc->generate_master_secret(s,
+ s->session->master_key, kssl_ctx->key,kssl_ctx->length);
+ }