devssl, cpu, import, oexportfs: delete

SSL is implemented by devssl. It's extremely
obsolete by now, and is not used anywhere but
cpu, import, and oexportfs.

This change strips out the devssl bits, but
does not (yet) remove the code from libsec.

sys/include/libc.h

@@ -536,7 +536,6 @@ extern	int	reject(int, char*, char*);
 /*
  *  encryption
  */
-extern	int	pushssl(int, char*, char*, char*, int*);
 extern	int	pushtls(int, char*, char*, int, char*, char*);
 
 /*

sys/man/1/cpu

@@ -1,237 +0,0 @@
-.TH CPU 1
-.SH NAME
-cpu \- connection to CPU server
-.SH SYNOPSIS
-.B cpu
-[
-.B -p
-] [
-.B -h
-.I server
-] [
-.B -u
-.I user
-] [
-.B -a
-.I auth-method
-] [
-.B -P
-.I patternfile
-] [
-.B -e
-.I encryption-hash-algs
-] [
-.B -k
-.I keypattern
-] [
-.B -c
-.I cmd args ...
-]
-.PP
-.B cpu
-[
-.B -n
-] [
-.B -A
-.I address
-] [
-.B -R
-]
-.SH DESCRIPTION
-This tool is deprecated and has been replaced by
-.IR rcpu (1).
-.PP
-.I Cpu
-starts an
-.IR rc (1)
-running on the
-.I server
-machine, or the machine named in the
-.B $cpu
-environment variable if there is no
-.B -h
-option.
-.IR Rc 's
-standard input, output, and error files will be
-.B /dev/cons
-in the name space where the
-.I cpu
-command was invoked.
-Normally,
-.I cpu
-is run in an
-.IR rio (1)
-window on a terminal, so
-.IR rc
-output goes to that window, and input comes from the keyboard
-when that window is current.
-.IR Rc 's
-current directory is
-the working directory of the
-.I cpu
-command itself.
-.PP
-The name space for the new
-.I rc
-is an analogue of the name space where the
-.I cpu
-command was invoked:
-it is the same except for architecture-dependent bindings such as
-.B /bin
-and the use of fast paths to file servers, if available.
-.PP
-If a
-.B -u
-argument is present,
-.I cpu
-uses the argument as the remote user id.
-.PP
-If a
-.B -c
-argument is present, the remainder of the command line is executed by
-.I rc
-on the server, and then
-.I cpu
-exits.
-.PP
-If a
-.B -P
-argument is present, the
-.I patternfile
-is passed to
-.IR oexportfs (4)
-to control how much of the local name space will be exported to
-the remote system.
-.PP
-The
-.B -a
-command allows the user to specify the authentication mechanism used
-when connecting to the remote system.  The two possibilities for
-.I auth-method
-are:
-.TF netkey
-.TP
-.B p9
-This is the default.  Authentication is done using the standard Plan 9
-mechanisms, (see
-.IR authsrv (6)).
-No user interaction is required.
-.TP
-.B netkey
-Authentication is done using challenge/response and a hand held
-authenticator or the
-.I netkey
-program
-(see
-.IR passwd (1)).
-The user must encrypt the challenge and type the encryption
-back to
-.IR cpu .
-This is used if the local host is in a different protection domain than
-the server or if the user wants to log into the server as a different
-user.
-.TP
-.B none
-This skips authentication. This requires the
-.IR -n
-flag to be specified on the remote side.
-.PD
-.PP
-The
-.B -e
-option specifies an encryption and/or hash algorithm to
-use for the connection.  If both are specified, they must
-be space separated and comprise a single argument, so they
-must be quoted if in a shell command.  The default is
-.L rc4_256
-encryption and
-.L sha1
-hashing.  See
-.IR ssl (3)
-for details on possible algorithms.  The argument
-.L clear
-specifies no encryption algorithm and can be used to talk
-to older versions of the
-.I cpu
-service.
-.PP
-The
-.B -k
-flag specifies a key pattern to use to restrict the keys
-selected by the
-.I auth_proxy
-call used for authentication.
-.PP
-The name space is built by running
-.B /usr/$user/lib/profile
-with the root of the invoking name space bound to
-.BR /mnt/term .
-The
-.B service
-environment variable is set to
-.BR cpu ;
-the
-.B cputype
-and
-.B objtype
-environment variables reflect the server's architecture.
-.PP
-The
-.B -R
-flag causes
-.I cpu
-to run the server (remote) side of the protocol.
-It is run from service files such as
-.BR /bin/service/tcp17010 .
-The
-.B -n
-option allows using the
-.B none
-authentication method for incoming connections and must be
-specified before the
-.B -R
-flag.
-.PP
-The
-.B -p
-flag pushes the
-.IR aan (8)
-filter onto the connection to protect against temporary
-network outages.
-.PP
-The
-.B -A
-flag sets the announce-string
-.I address
-to use for
-.IR aan (8)
-connections, if requested by the initial protocol.
-.SH FILES
-The name space of the terminal side of the
-.I cpu
-command is mounted, via
-.IR oexportfs (4),
-on the CPU side on directory
-.BR /mnt/term .
-The files such as
-.B /dev/cons
-are bound to their standard locations from there.
-.SH SOURCE
-.B /sys/src/cmd/cpu.c
-.SH SEE ALSO
-.IR rcpu (1) ,
-.IR rc (1) ,
-.IR rio (1) ,
-.IR oexportfs (4) ,
-.IR aan (8)
-.SH BUGS
-Binds and mounts done after the terminal
-.B lib/profile
-is run are not reflected in the new name space.
-.PP
-By default, the entire namespace of the local system is
-exported to the remote system. Use of the
-.B -P
-option in conjunction with a customized patternfile can
-limit this exposure, but also limits the usefulness of
-.B /mnt/term.

sys/man/4/import

@@ -1,221 +0,0 @@
-.TH IMPORT 4
-.SH NAME
-import \- import a name space from a remote system
-.SH SYNOPSIS
-.B import
-[
-.I options
-]
-.I system
-.I file
-[
-.I mountpoint
-]
-.PP
-.B import
-.B -B
-[
-.I options
-]
-.I mountpoint
-[
-.I cmd
-[
-.I args ...
-]
-]
-.SH DESCRIPTION
-This tool is deprecated and has been replaced by
-.I rimport
-(see
-.IR rcpu (1)).
-.PP
-.I Import
-allows an arbitrary
-.I file
-on a remote
-.I system
-to be imported into the local name space.
-Usually
-.I file
-is a directory, so the complete
-file tree under the directory is made available.
-.PP
-A process is started on the
-remote machine, with authority of the user of
-.IR import ,
-to perform work for the local machine using the
-.IR oexportfs (4)
-service.
-The default port used is TCP 17007.
-If
-.I mountpoint
-is omitted
-.I import
-uses the name of the remote
-.I file
-as the local mount point.
-.PP
-The options are:
-.TF "-s namexxx"
-.PD
-.TP
-.B -a -b -c -C
-Control the construction of union directories, as in
-.I mount
-and
-.IR bind (1).
-Only valid when 
-.I file
-is a directory.
-.TP
-.B -A
-Skip the authentication protocol.
-This is useful for connecting to foreign systems like Inferno.
-.TP
-.B -z
-Bypass the initial protocol request for which remote tree to serve.
-This is necessary when the remote 
-.IR oexportfs (4) 
-is running with the 
-.B -r 
-or 
-.B -S 
-options which pre-select a file tree to serve. The exception is if both sides are
-operating in the
-.B -B
-backwards mode.
-.TP
-.B -B
-Run in ``backwards'' mode, described below.
-.TP
-.B -E \fIenc
-Push an encryption protocol on its network connection.
-The supported protocols are
-.B clear
-(the default, no protocol)
-and
-.BR ssl .
-There are plans to make
-.B tls
-available.
-.TP
-.B -e '\fIenc hash\fR'
-Specify the encryption and hash algorithms to use for
-encrypting and authenticating the wire traffic
-(see
-.IR ssl (3)).
-The defaults are
-.B rc4_256
-and
-.BR sha1 .
-.TP
-.B -k \fIkeypattern
-Use
-.I keypattern
-to select a key to authenticate to the remote side
-(see
-.IR auth (2)).
-.TP
-.B -p
-Push the
-.IR aan (8)
-filter onto the connection to protect against
-temporary network outages.
-.TP
-.B -n
-Specify announce string for
-.IR aan (8)
-filter when run in ``backwards'' mode.
-.TP
-.B -s \fIname
-Post the connection's mountable file descriptor as
-.BI /srv/ name\fR.
-.PD
-.PP
-The 
-.B -B
-option runs
-.I import
-in ``backwards'' mode.
-In this mode,
-.I import
-runs a
-.I p9any
-authentication (as server) over its file descriptor 0
-(expected to be an incoming network connection from
-.B oexportfs
-.BR -B ),
-mounts the connection onto
-.IR mntpt ,
-and optionally runs
-.I cmd
-.IR args .
-.SH EXAMPLES
-Assume a machine
-.B kremvax
-that has IP interfaces for the company intranet and the global
-internet mounted on
-.I /net
-and
-.I /net.alt
-respectively.
-Any machine inside the company can get telnet out to the global
-internet using:
-.IP
-.EX
-import -a kremvax /net.alt
-telnet /net.alt/tcp!ucbvax
-.EE
-.PP
-Suppose that the machine
-.B moscvax
-has access to a private file server containing public web pages
-that need to be served by the less-trusted server
-.BR webvax .
-.B Webvax
-runs the following listener 
-(see
-.IR listen (8))
-on TCP port 999:
-.IP
-.EX
-#!/bin/rc
-import -B -s rowebfs /usr/web /bin/restarthttpd
-.EE
-.PP
-When
-.B moscvax
-boots, it runs
-.IP
-.EX
-oexportfs -R -r /usr/web -B tcp!webvax!999
-.EE
-.PP
-to serve a read-only copy of
-.B /usr/web
-to
-.BR webvax .
-When
-.B webvax
-gets the call, 
-.B import
-mounts the served tree onto its own
-.B /usr/web
-and then runs
-.B /bin/restarthttpd
-to restart
-.IR httpd (8).
-.SH SOURCE
-.B /sys/src/cmd/import.c
-.SH SEE ALSO
-.IR rcpu (1),
-.IR bind (1),
-.IR ssl (3),
-.IR oexportfs (4),
-.IR srv (4),
-.IR aan (8),
-.IR listen (8),
-.B cs
-in
-.IR ndb (8)

sys/man/4/oexportfs

@@ -1,143 +0,0 @@
-.TH OEXPORTFS 4
-.SH NAME
-oexportfs \- legacy exportfs for cpu and import
-.SH SYNOPSIS
-.PP
-.B oexportfs
-[
-.I options
-]
-.SH DESCRIPTION
-.I Oexportfs
-is older version of the
-.IR exportfs (4)
-program that handles an initial protocol to establish a root directory
-for the exported name space.
-It also provides authentication and encryption using
-the
-.IR ssl (3)
-device.
-.PP
-It is used exclusively by the deprecated
-.IR cpu (1)
-and
-.IR import (4)
-services.
-.PP
-The options are:
-.TP
-.B -d
-Log all 9P traffic to standard error.
-.TP
-.B -P \fIpatternfile
-Restrict the set of exported files.
-.I Patternfile
-contains one regular expression per line,
-to be matched against path names
-relative to the current working directory
-and starting with
-.BR / .
-For a file to be exported, all lines with a prefix
-.B +
-must match and all those with prefix
-.B -
-must not match.
-.TP
-.B -R
-Make the served name space read only.
-.TP
-.B -r \fIroot
-Serve the name space rooted at
-.IR root .
-.TP
-.B -S \fIservice
-Serve the result of mounting
-.IR service .
-A separate mount is used for each
-.IR attach (5)
-message,
-to correctly handle servers in which each mount
-corresponds to a different client
-.IR e.g. , (
-.IR rio (4)).
-.TP
-.B -s
-equivalent to
-.B -r
-.BR / ;
-kept for compatibility.
-.TP
-.B -m \fImsize
-Set the maximum message size that 
-.I oexportfs
-should offer to send (see
-.IR version (5));
-this helps tunneled
-9P connections to avoid unnecessary fragmentation.
-.TP
-.B -A \fIaddress
-Use the network
-.I address
-to announce
-.IR aan (8)
-connections,
-if requested by the initial protocol.
-.TP
-.B -a
-Authenticate the user with the
-.I p9any
-protocol before running the regular
-.I oexportfs
-session; used when 
-.I oexportfs
-is invoked to handle an incoming network connection.
-.I Exportfs
-creates a new name space for each connection, using
-.B /lib/namespace
-by default (see
-.IR namespace (6)).
-.TP
-.B -B \fIaddress
-Dial
-.IR address ,
-authenticate as a
-.I p9any
-client, and then
-serve that network connection.
-Requires setting the root of the name space with 
-.B -r
-or
-.BR -s .
-The remote system should run
-.B import
-.B -B
-to handle the call.
-See
-.IR import (4)
-for an example.
-.TP
-.B -e '\fIenc auth\fL'
-Set the encryption and authentication algorithms to use for
-encrypting the wire traffic (see
-.IR ssl (3)).
-The defaults are
-.B rc4_256
-and
-.BR sha1 .
-.TP
-.B -N \fInsfile
-Serve the name space described by
-.IR nsfile .
-.TP
-.B -n
-Disallow mounts by user
-.BR none .
-.EE
-.SH SOURCE
-.B /sys/src/cmd/exportfs/oexportfs.c
-.SH SEE ALSO
-.IR dial (2),
-.IR exportfs (4),
-.IR import (4),
-.IR aan (8),
-.IR listen (8)

sys/src/9/bcm/pi

@@ -10,7 +10,6 @@ dev
 	shr
 	dup
 	arch
-	ssl
 	tls
 	cap
 	fs

sys/src/9/bcm/pi2

@@ -10,7 +10,6 @@ dev
 	shr
 	dup
 	arch
-	ssl
 	tls
 	cap
 	fs

sys/src/9/bcm/picpuf

@@ -10,7 +10,6 @@ dev
 	shr
 	dup
 	arch
-	ssl
 	tls
 	cap
 	fs

sys/src/9/bcm64/pi3

@@ -10,7 +10,6 @@ dev
 	shr
 	dup
 	arch
-	ssl
 	tls
 	cap
 	fs

sys/src/9/bcm64/pi4

@@ -10,7 +10,6 @@ dev
 	shr
 	dup
 	arch
-	ssl
 	tls
 	cap
 	fs

sys/src/9/cycv/cycv

@@ -13,7 +13,6 @@ dev
 	dup
 	ether netif
 	ip		arp chandial ip ipv6 ipaux iproute netlog nullmedium pktmedium inferno
-	ssl
 	tls
 #	cap
 #	kprof

sys/src/9/kw/plug

@@ -13,7 +13,6 @@ dev
 	dup
 	rtc
 	arch
-	ssl
 	tls
 	cap
 	kprof

sys/src/9/mtx/mtx

@@ -10,7 +10,6 @@ dev
 	mnt
 	srv
 	dup
-	ssl
 	cap
 	kprof
 	uart

sys/src/9/omap/beagle

@@ -11,7 +11,6 @@ dev
 	shr
 	dup
 	arch
-	ssl
 	tls
 	bridge		log
 	sdp		thwack unthwack

sys/src/9/pc/pc

@@ -13,7 +13,6 @@ dev
 	shr
 	dup
 	rtc
-	ssl
 	tls
 	cap
 	kprof

sys/src/9/pc64/pc64

@@ -13,7 +13,6 @@ dev
 	shr
 	dup
 	rtc
-	ssl
 	tls
 	cap
 	kprof

sys/src/9/port/portmkfile

@@ -102,7 +102,6 @@ auth.$O devcons.$O:	/sys/include/authsrv.h
 devcap.$O:	/sys/include/libsec.h
 devfs.$O:	/sys/include/libsec.h
 devsdp.$O:	/sys/include/libsec.h
-devssl.$O:	/sys/include/libsec.h
 devtls.$O:	/sys/include/libsec.h
 devswap.$O:	/sys/include/libsec.h
 random.$O:	/sys/include/libsec.h

sys/src/libc/9sys/mkfile

@@ -33,7 +33,6 @@ OFILES=\
 	postnote.$O\
 	privalloc.$O\
 	procsetname.$O\
-	pushssl.$O\
 	pushtls.$O\
 	putenv.$O\
 	qlock.$O\