Remove Kerberos support from libssl

Remove RFC2712 Kerberos support from libssl. This code and the associated
standard is no longer considered fit-for-purpose.

Reviewed-by: Rich Salz <rsalz@openssl.org>

1 files changed, 2 insertions, 37 deletions

diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index ddedf5cef9..39b5a71094 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -305,8 +305,6 @@ static const SSL_CIPHER cipher_aliases[] = {
     {0, SSL_TXT_DH, 0, SSL_kDHr | SSL_kDHd | SSL_kDHE, 0, 0, 0, 0, 0, 0, 0,
      0},
 
-    {0, SSL_TXT_kKRB5, 0, SSL_kKRB5, 0, 0, 0, 0, 0, 0, 0, 0},
-
     {0, SSL_TXT_kECDHr, 0, SSL_kECDHr, 0, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_kECDHe, 0, SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_kECDH, 0, SSL_kECDHr | SSL_kECDHe, 0, 0, 0, 0, 0, 0, 0, 0},
@@ -323,7 +321,6 @@ static const SSL_CIPHER cipher_aliases[] = {
     {0, SSL_TXT_aRSA, 0, 0, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_aDSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_DSS, 0, 0, SSL_aDSS, 0, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_aKRB5, 0, 0, SSL_aKRB5, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_aNULL, 0, 0, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
     /* no such ciphersuites supported! */
     {0, SSL_TXT_aDH, 0, 0, SSL_aDH, 0, 0, 0, 0, 0, 0, 0},
@@ -342,7 +339,6 @@ static const SSL_CIPHER cipher_aliases[] = {
     {0, SSL_TXT_EECDH, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_ECDHE, 0, SSL_kECDHE, ~SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_NULL, 0, 0, 0, SSL_eNULL, 0, 0, 0, 0, 0, 0},
-    {0, SSL_TXT_KRB5, 0, SSL_kKRB5, SSL_aKRB5, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_RSA, 0, SSL_kRSA, SSL_aRSA, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_ADH, 0, SSL_kDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
     {0, SSL_TXT_AECDH, 0, SSL_kECDHE, SSL_aNULL, 0, 0, 0, 0, 0, 0, 0},
@@ -693,10 +689,6 @@ static void ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth,
     *mkey |= SSL_kDHr | SSL_kDHd | SSL_kDHE;
     *auth |= SSL_aDH;
 #endif
-#ifdef OPENSSL_NO_KRB5
-    *mkey |= SSL_kKRB5;
-    *auth |= SSL_aKRB5;
-#endif
 #ifdef OPENSSL_NO_EC
     *mkey |= SSL_kECDHe | SSL_kECDHr;
     *auth |= SSL_aECDSA | SSL_aECDH;
@@ -801,10 +793,6 @@ static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
             co_list[co_list_num].prev = NULL;
             co_list[co_list_num].active = 0;
             co_list_num++;
-#ifdef KSSL_DEBUG
-            fprintf(stderr, "\t%d: %s %lx %lx %lx\n", i, c->name, c->id,
-                    c->algorithm_mkey, c->algorithm_auth);
-#endif                          /* KSSL_DEBUG */
             /*
              * if (!sk_push(ca_list,(char *)c)) goto err;
              */
@@ -1446,10 +1434,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
      * it is used for allocation.
      */
     num_of_ciphers = ssl_method->num_ciphers();
-#ifdef KSSL_DEBUG
-    fprintf(stderr, "ssl_create_cipher_list() for %d ciphers\n",
-            num_of_ciphers);
-#endif                          /* KSSL_DEBUG */
+
     co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
     if (co_list == NULL) {
         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
@@ -1502,8 +1487,6 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK
                           &tail);
     ssl_cipher_apply_rule(0, SSL_kPSK, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
                           &tail);
-    ssl_cipher_apply_rule(0, SSL_kKRB5, 0, 0, 0, 0, 0, CIPHER_ORD, -1, &head,
-                          &tail);
 
     /* RC4 is sort-of broken -- move the the end */
     ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, &head,
@@ -1616,13 +1599,8 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     const char *ver, *exp_str;
     const char *kx, *au, *enc, *mac;
     unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl;
-#ifdef KSSL_DEBUG
-    static const char *format =
-        "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
-#else
     static const char *format =
         "%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
-#endif                          /* KSSL_DEBUG */
 
     alg_mkey = cipher->algorithm_mkey;
     alg_auth = cipher->algorithm_auth;
@@ -1652,9 +1630,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     case SSL_kDHd:
         kx = "DH/DSS";
         break;
-    case SSL_kKRB5:
-        kx = "KRB5";
-        break;
     case SSL_kDHE:
         kx = is_export ? (pkl == 512 ? "DH(512)" : "DH(1024)") : "DH";
         break;
@@ -1690,9 +1665,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     case SSL_aDH:
         au = "DH";
         break;
-    case SSL_aKRB5:
-        au = "KRB5";
-        break;
     case SSL_aECDH:
         au = "ECDH";
         break;
@@ -1802,13 +1774,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
     } else if (len < 128)
         return ("Buffer too small");
 
-#ifdef KSSL_DEBUG
-    BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac,
-                 exp_str, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl);
-#else
     BIO_snprintf(buf, len, format, cipher->name, ver, kx, au, enc, mac,
                  exp_str);
-#endif                          /* KSSL_DEBUG */
+
     return (buf);
 }
 
@@ -2000,9 +1968,6 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
         return SSL_PKEY_DSA_SIGN;
     else if (alg_a & SSL_aRSA)
         return SSL_PKEY_RSA_ENC;
-    else if (alg_a & SSL_aKRB5)
-        /* VRS something else here? */
-        return -1;
     else if (alg_a & SSL_aGOST94)
         return SSL_PKEY_GOST94;
     else if (alg_a & SSL_aGOST01)