authorDavid Benjamin <davidben@chromium.org>2014-07-12 08:13:56 +0400
committerAdam Langley <agl@google.com>2014-07-15 00:49:57 +0400
commitd26aea6c9645badb67f0952e148bcc8905151c9b (patch)
treecbf19bcdbc853299e9bb24f82a77f6d122130d72
parent0c49ec97f4f4e9e82da19ce694249c2e78de6d88 (diff)
Remove remnants of KRB5 support.
This drops the bits of logic that allowed Certificate messages to be optional for a KRB5 cipher suite. Change-Id: I2a71b7c13d7e76f4f5542d4074169f80f3617240 Reviewed-on: https://boringssl-review.googlesource.com/1154 Reviewed-by: Adam Langley <agl@google.com>
-rw-r--r--ssl/d1_srvr.c4
-rw-r--r--ssl/s3_clnt.c72
-rw-r--r--ssl/s3_srvr.c18
-rw-r--r--ssl/ssl.h30
-rw-r--r--ssl/ssl3.h50
-rw-r--r--ssl/ssl_ciph.c14
-rw-r--r--ssl/ssl_locl.h22
7 files changed, 39 insertions, 171 deletions
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index 148b8c8a..f0dbe378 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -433,11 +433,9 @@ int dtls1_accept(SSL *s)
/* ... except when the application insists on verification
* (against the specs, but s3_clnt.c accepts this for SSL 3) */
!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
- /* never request cert in Kerberos ciphersuites */
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
/* With normal PSK Certificates and
* Certificate Requests are omitted */
- || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
+ (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
{
/* no cert request */
skip=1;
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index f7cc4887..35c399ff 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1112,7 +1112,6 @@ int ssl3_get_server_certificate(SSL *s)
STACK_OF(X509) *sk=NULL;
SESS_CERT *sc;
EVP_PKEY *pkey=NULL;
- int need_cert = 1; /* VRS: 0=> will allow null cert if auth == KRB5 */
CBS cbs, certificate_list;
const uint8_t* data;
@@ -1125,9 +1124,7 @@ int ssl3_get_server_certificate(SSL *s)
if (!ok) return((int)n);
- if ((s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE) ||
- ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5) &&
- (s->s3->tmp.message_type == SSL3_MT_SERVER_DONE)))
+ if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)
{
s->s3->tmp.reuse_message=1;
return(1);
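Review bot: The branch kept at `if (s->s3->tmp.message_type == SSL3_MT_SERVER_KEY_EXCHANGE)` still lets the client accept a handshake in which the server skips its Certificate message, and nothing in this hunk ties that skip to the negotiated cipher. The `ssl3_check_cert_and_algorithm` hunk further down suggests the missing certificate is only caught later for suites that need one, but that cannot be confirmed from the lines shown. Consider gating the skip on the cipher here, or at least recording the assumption with a comment such as `/* Certificate skipped; only valid for suites without a server certificate (aNULL, non-RSA PSK). */`. The body of ssl3_get_server_certificate starts and ends outside this hunk.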
@@ -1217,19 +1214,7 @@ int ssl3_get_server_certificate(SSL *s)
pkey=X509_get_pubkey(x);
- /* VRS: allow null cert if auth == KRB5 */
- need_cert = ((s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5) &&
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
- ? 0 : 1;
-
-#ifdef KSSL_DEBUG
- printf("pkey,x = %p, %p\n", pkey,x);
- printf("ssl_cert_type(x,pkey) = %d\n", ssl_cert_type(x,pkey));
- printf("cipher, alg, nc = %s, %lx, %lx, %d\n", s->s3->tmp.new_cipher->name,
- s->s3->tmp.new_cipher->algorithm_mkey, s->s3->tmp.new_cipher->algorithm_auth, need_cert);
-#endif /* KSSL_DEBUG */
-
- if (need_cert && ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey)))
+ if ((pkey == NULL) || EVP_PKEY_missing_parameters(pkey))
{
x=NULL;
al=SSL3_AL_FATAL;
@@ -1238,7 +1223,7 @@ int ssl3_get_server_certificate(SSL *s)
}
i=ssl_cert_type(x,pkey);
- if (need_cert && i < 0)
+ if (i < 0)
{
x=NULL;
al=SSL3_AL_FATAL;
@@ -1246,39 +1231,28 @@ int ssl3_get_server_certificate(SSL *s)
goto f_err;
}
- if (need_cert)
+ int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
+ if (exp_idx >= 0 && i != exp_idx)
{
- int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);
- if (exp_idx >= 0 && i != exp_idx)
- {
- x=NULL;
- al=SSL_AD_ILLEGAL_PARAMETER;
- OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_WRONG_CERTIFICATE_TYPE);
- goto f_err;
- }
- sc->peer_cert_type=i;
- CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
- /* Why would the following ever happen?
- * We just created sc a couple of lines ago. */
- if (sc->peer_pkeys[i].x509 != NULL)
- X509_free(sc->peer_pkeys[i].x509);
- sc->peer_pkeys[i].x509=x;
- sc->peer_key= &(sc->peer_pkeys[i]);
-
- if (s->session->peer != NULL)
- X509_free(s->session->peer);
- CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
- s->session->peer=x;
+ x=NULL;
+ al=SSL_AD_ILLEGAL_PARAMETER;
+ OPENSSL_PUT_ERROR(SSL, ssl3_get_server_certificate, SSL_R_WRONG_CERTIFICATE_TYPE);
+ goto f_err;
}
- else
- {
- sc->peer_cert_type=i;
- sc->peer_key= NULL;
+ sc->peer_cert_type=i;
+ CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+ /* Why would the following ever happen?
+ * We just created sc a couple of lines ago. */
+ if (sc->peer_pkeys[i].x509 != NULL)
+ X509_free(sc->peer_pkeys[i].x509);
+ sc->peer_pkeys[i].x509=x;
+ sc->peer_key= &(sc->peer_pkeys[i]);
+
+ if (s->session->peer != NULL)
+ X509_free(s->session->peer);
+ CRYPTO_add(&x->references,1,CRYPTO_LOCK_X509);
+ s->session->peer=x;
- if (s->session->peer != NULL)
- X509_free(s->session->peer);
- s->session->peer=NULL;
- }
s->session->verify_result = s->verify_result;
x=NULL;
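Review bot: `int exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);` is now declared after executable statements, whereas the old code declared it at the top of its own `{` block. The other locals visible in this function (`STACK_OF(X509) *sk=NULL;`, `EVP_PKEY *pkey=NULL;`) sit at the top of the block, so this breaks the file's style, and a C89-only compiler would reject it if the project still targets one. Declare `int exp_idx;` with the other locals and assign it here with `exp_idx = ssl_cipher_get_cert_index(s->s3->tmp.new_cipher);`. The function starts and ends outside this hunk.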
@@ -2946,7 +2920,7 @@ int ssl3_check_cert_and_algorithm(SSL *s)
alg_a=s->s3->tmp.new_cipher->algorithm_auth;
/* we don't have a certificate */
- if ((alg_a & (SSL_aNULL|SSL_aKRB5)) || ((alg_a & SSL_aPSK) && !(alg_k & SSL_kRSA)))
+ if ((alg_a & SSL_aNULL) || ((alg_a & SSL_aPSK) && !(alg_k & SSL_kRSA)))
return(1);
sc=s->session->sess_cert;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index f1da1588..2a57edf0 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -352,12 +352,11 @@ int ssl3_accept(SSL *s)
case SSL3_ST_SW_CERT_A:
case SSL3_ST_SW_CERT_B:
/* Check if it is anon DH or anon ECDH, */
- /* non-RSA PSK or KRB5 or SRP */
+ /* non-RSA PSK or SRP */
if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
/* Among PSK ciphersuites only RSA_PSK uses server certificate */
&& !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aPSK &&
- !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA))
- && !(s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5))
+ !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kRSA)))
{
ret=ssl3_send_server_certificate(s);
if (ret <= 0) goto end;
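Review bot: The edited comment `/* non-RSA PSK or SRP */` still lists SRP, but the condition below it tests only `SSL_aNULL` and the `SSL_aPSK` without `SSL_kRSA` case. If SRP suites are meant to be covered because they carry `SSL_aNULL`, the comment should say so; otherwise SRP should be dropped from it along with KRB5. As written, a reader cannot tell from this case block which suites skip `ssl3_send_server_certificate`.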
@@ -449,11 +448,9 @@ int ssl3_accept(SSL *s)
/* ... except when the application insists on verification
* (against the specs, but s3_clnt.c accepts this for SSL 3) */
!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
- /* never request cert in Kerberos ciphersuites */
- (s->s3->tmp.new_cipher->algorithm_auth & SSL_aKRB5)
/* With normal PSK Certificates and
* Certificate Requests are omitted */
- || (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
+ (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
{
/* no cert request */
skip=1;
@@ -3011,13 +3008,8 @@ int ssl3_send_server_certificate(SSL *s)
cpk=ssl_get_server_send_pkey(s);
if (cpk == NULL)
{
- /* VRS: allow null cert if auth == KRB5 */
- if ((s->s3->tmp.new_cipher->algorithm_auth != SSL_aKRB5) ||
- (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5))
- {
- OPENSSL_PUT_ERROR(SSL, ssl3_send_server_certificate, ERR_R_INTERNAL_ERROR);
- return(0);
- }
+ OPENSSL_PUT_ERROR(SSL, ssl3_send_server_certificate, ERR_R_INTERNAL_ERROR);
+ return(0);
}
ssl3_output_cert_chain(s,cpk);
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 87ffe9b5..21cc5d19 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -178,32 +178,6 @@ extern "C" {
#define SSL_TXT_DES_192_EDE3_CBC_WITH_MD5 SSL2_TXT_DES_192_EDE3_CBC_WITH_MD5
#define SSL_TXT_DES_192_EDE3_CBC_WITH_SHA SSL2_TXT_DES_192_EDE3_CBC_WITH_SHA
-/* VRS Additional Kerberos5 entries
- */
-#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
-#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
-#define SSL_TXT_KRB5_RC4_128_SHA SSL3_TXT_KRB5_RC4_128_SHA
-#define SSL_TXT_KRB5_IDEA_128_CBC_SHA SSL3_TXT_KRB5_IDEA_128_CBC_SHA
-#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
-#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
-#define SSL_TXT_KRB5_RC4_128_MD5 SSL3_TXT_KRB5_RC4_128_MD5
-#define SSL_TXT_KRB5_IDEA_128_CBC_MD5 SSL3_TXT_KRB5_IDEA_128_CBC_MD5
-
-#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
-#define SSL_TXT_KRB5_RC2_40_CBC_SHA SSL3_TXT_KRB5_RC2_40_CBC_SHA
-#define SSL_TXT_KRB5_RC4_40_SHA SSL3_TXT_KRB5_RC4_40_SHA
-#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
-#define SSL_TXT_KRB5_RC2_40_CBC_MD5 SSL3_TXT_KRB5_RC2_40_CBC_MD5
-#define SSL_TXT_KRB5_RC4_40_MD5 SSL3_TXT_KRB5_RC4_40_MD5
-
-#define SSL_TXT_KRB5_DES_40_CBC_SHA SSL3_TXT_KRB5_DES_40_CBC_SHA
-#define SSL_TXT_KRB5_DES_40_CBC_MD5 SSL3_TXT_KRB5_DES_40_CBC_MD5
-#define SSL_TXT_KRB5_DES_64_CBC_SHA SSL3_TXT_KRB5_DES_64_CBC_SHA
-#define SSL_TXT_KRB5_DES_64_CBC_MD5 SSL3_TXT_KRB5_DES_64_CBC_MD5
-#define SSL_TXT_KRB5_DES_192_CBC3_SHA SSL3_TXT_KRB5_DES_192_CBC3_SHA
-#define SSL_TXT_KRB5_DES_192_CBC3_MD5 SSL3_TXT_KRB5_DES_192_CBC3_MD5
-#define SSL_MAX_KRB5_PRINCIPAL_LENGTH 256
-
#define SSL_MAX_SSL_SESSION_ID_LENGTH 32
#define SSL_MAX_SID_CTX_LENGTH 32
@@ -235,7 +209,6 @@ extern "C" {
#define SSL_TXT_kDHd "kDHd"
#define SSL_TXT_kDH "kDH"
#define SSL_TXT_kEDH "kEDH"
-#define SSL_TXT_kKRB5 "kKRB5"
#define SSL_TXT_kECDHr "kECDHr"
#define SSL_TXT_kECDHe "kECDHe"
#define SSL_TXT_kECDH "kECDH"
@@ -248,7 +221,6 @@ extern "C" {
#define SSL_TXT_aDSS "aDSS"
#define SSL_TXT_aDH "aDH"
#define SSL_TXT_aECDH "aECDH"
-#define SSL_TXT_aKRB5 "aKRB5"
#define SSL_TXT_aECDSA "aECDSA"
#define SSL_TXT_aPSK "aPSK"
#define SSL_TXT_aGOST94 "aGOST94"
@@ -264,7 +236,6 @@ extern "C" {
#define SSL_TXT_EECDH "EECDH" /* same as "kEECDH:-AECDH" */
#define SSL_TXT_AECDH "AECDH"
#define SSL_TXT_ECDSA "ECDSA"
-#define SSL_TXT_KRB5 "KRB5"
#define SSL_TXT_PSK "PSK"
#define SSL_TXT_SRP "SRP"
@@ -438,7 +409,6 @@ struct ssl_method_st
* Cipher OCTET STRING, -- the 3 byte cipher ID
* Session_ID OCTET STRING, -- the Session ID
* Master_key OCTET STRING, -- the master key
- * KRB5_principal OCTET STRING -- optional Kerberos principal
* Key_Arg [ 0 ] IMPLICIT OCTET STRING, -- the optional Key argument
* Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time
* Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index fc2f2b0a..182edb31 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -162,34 +162,6 @@ extern "C" {
#define SSL3_CK_ADH_DES_64_CBC_SHA 0x0300001A
#define SSL3_CK_ADH_DES_192_CBC_SHA 0x0300001B
-#if 0
- #define SSL3_CK_FZA_DMS_NULL_SHA 0x0300001C
- #define SSL3_CK_FZA_DMS_FZA_SHA 0x0300001D
- #if 0 /* Because it clashes with KRB5, is never used any more, and is safe
- to remove according to David Hopwood <david.hopwood@zetnet.co.uk>
- of the ietf-tls list */
- #define SSL3_CK_FZA_DMS_RC4_SHA 0x0300001E
- #endif
-#endif
-
-/* VRS Additional Kerberos5 entries
- */
-#define SSL3_CK_KRB5_DES_64_CBC_SHA 0x0300001E
-#define SSL3_CK_KRB5_DES_192_CBC3_SHA 0x0300001F
-#define SSL3_CK_KRB5_RC4_128_SHA 0x03000020
-#define SSL3_CK_KRB5_IDEA_128_CBC_SHA 0x03000021
-#define SSL3_CK_KRB5_DES_64_CBC_MD5 0x03000022
-#define SSL3_CK_KRB5_DES_192_CBC3_MD5 0x03000023
-#define SSL3_CK_KRB5_RC4_128_MD5 0x03000024
-#define SSL3_CK_KRB5_IDEA_128_CBC_MD5 0x03000025
-
-#define SSL3_CK_KRB5_DES_40_CBC_SHA 0x03000026
-#define SSL3_CK_KRB5_RC2_40_CBC_SHA 0x03000027
-#define SSL3_CK_KRB5_RC4_40_SHA 0x03000028
-#define SSL3_CK_KRB5_DES_40_CBC_MD5 0x03000029
-#define SSL3_CK_KRB5_RC2_40_CBC_MD5 0x0300002A
-#define SSL3_CK_KRB5_RC4_40_MD5 0x0300002B
-
#define SSL3_TXT_RSA_NULL_MD5 "NULL-MD5"
#define SSL3_TXT_RSA_NULL_SHA "NULL-SHA"
#define SSL3_TXT_RSA_RC4_40_MD5 "EXP-RC4-MD5"
@@ -221,28 +193,6 @@ extern "C" {
#define SSL3_TXT_ADH_DES_64_CBC_SHA "ADH-DES-CBC-SHA"
#define SSL3_TXT_ADH_DES_192_CBC_SHA "ADH-DES-CBC3-SHA"
-#if 0
- #define SSL3_TXT_FZA_DMS_NULL_SHA "FZA-NULL-SHA"
- #define SSL3_TXT_FZA_DMS_FZA_SHA "FZA-FZA-CBC-SHA"
- #define SSL3_TXT_FZA_DMS_RC4_SHA "FZA-RC4-SHA"
-#endif
-
-#define SSL3_TXT_KRB5_DES_64_CBC_SHA "KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_192_CBC3_SHA "KRB5-DES-CBC3-SHA"
-#define SSL3_TXT_KRB5_RC4_128_SHA "KRB5-RC4-SHA"
-#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA "KRB5-IDEA-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_64_CBC_MD5 "KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_192_CBC3_MD5 "KRB5-DES-CBC3-MD5"
-#define SSL3_TXT_KRB5_RC4_128_MD5 "KRB5-RC4-MD5"
-#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5 "KRB5-IDEA-CBC-MD5"
-
-#define SSL3_TXT_KRB5_DES_40_CBC_SHA "EXP-KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_RC2_40_CBC_SHA "EXP-KRB5-RC2-CBC-SHA"
-#define SSL3_TXT_KRB5_RC4_40_SHA "EXP-KRB5-RC4-SHA"
-#define SSL3_TXT_KRB5_DES_40_CBC_MD5 "EXP-KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_RC2_40_CBC_MD5 "EXP-KRB5-RC2-CBC-MD5"
-#define SSL3_TXT_KRB5_RC4_40_MD5 "EXP-KRB5-RC4-MD5"
-
#define SSL3_SSL_SESSION_ID_LENGTH 32
#define SSL3_MAX_SSL_SESSION_ID_LENGTH 32
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 766cc851..d7f3fbaf 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -240,8 +240,6 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_kEDH,0, SSL_kEDH, 0,0,0,0,0,0,0,0},
{0,SSL_TXT_DH,0, SSL_kDHr|SSL_kDHd|SSL_kEDH,0,0,0,0,0,0,0,0},
- {0,SSL_TXT_kKRB5,0, SSL_kKRB5, 0,0,0,0,0,0,0,0},
-
{0,SSL_TXT_kECDHr,0, SSL_kECDHr,0,0,0,0,0,0,0,0},
{0,SSL_TXT_kECDHe,0, SSL_kECDHe,0,0,0,0,0,0,0,0},
{0,SSL_TXT_kECDH,0, SSL_kECDHr|SSL_kECDHe,0,0,0,0,0,0,0,0},
@@ -256,7 +254,6 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_aRSA,0, 0,SSL_aRSA, 0,0,0,0,0,0,0},
{0,SSL_TXT_aDSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
{0,SSL_TXT_DSS,0, 0,SSL_aDSS, 0,0,0,0,0,0,0},
- {0,SSL_TXT_aKRB5,0, 0,SSL_aKRB5, 0,0,0,0,0,0,0},
{0,SSL_TXT_aNULL,0, 0,SSL_aNULL, 0,0,0,0,0,0,0},
{0,SSL_TXT_aDH,0, 0,SSL_aDH, 0,0,0,0,0,0,0}, /* no such ciphersuites supported! */
{0,SSL_TXT_aECDH,0, 0,SSL_aECDH, 0,0,0,0,0,0,0},
@@ -271,7 +268,6 @@ static const SSL_CIPHER cipher_aliases[]={
{0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
{0,SSL_TXT_EECDH,0, SSL_kEECDH,~SSL_aNULL,0,0,0,0,0,0,0},
{0,SSL_TXT_NULL,0, 0,0,SSL_eNULL, 0,0,0,0,0,0},
- {0,SSL_TXT_KRB5,0, SSL_kKRB5,SSL_aKRB5,0,0,0,0,0,0,0},
{0,SSL_TXT_RSA,0, SSL_kRSA,SSL_aRSA,0,0,0,0,0,0,0},
{0,SSL_TXT_ADH,0, SSL_kEDH,SSL_aNULL,0,0,0,0,0,0,0},
{0,SSL_TXT_AECDH,0, SSL_kEECDH,SSL_aNULL,0,0,0,0,0,0,0},
@@ -1419,7 +1415,6 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
/* ssl_cipher_apply_rule(0, 0, SSL_aDH, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail); */
ssl_cipher_apply_rule(0, SSL_kRSA, 0, 0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail);
ssl_cipher_apply_rule(0, SSL_kPSK, 0,0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail);
- ssl_cipher_apply_rule(0, SSL_kKRB5, 0,0, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail);
/* RC4 is sort-of broken -- move the the end */
ssl_cipher_apply_rule(0, 0, 0, SSL_RC4, 0, 0, 0, CIPHER_ORD, -1, 0, &head, &tail);
@@ -1605,9 +1600,6 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
case SSL_kDHd:
kx="DH/DSS";
break;
- case SSL_kKRB5:
- kx="KRB5";
- break;
case SSL_kEDH:
kx=is_export?(pkl == 512 ? "DH(512)" : "DH(1024)"):"DH";
break;
@@ -1641,9 +1633,6 @@ const char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
case SSL_aDH:
au="DH";
break;
- case SSL_aKRB5:
- au="KRB5";
- break;
case SSL_aECDH:
au="ECDH";
break;
@@ -1858,9 +1847,6 @@ int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
return SSL_PKEY_DSA_SIGN;
else if (alg_a & SSL_aRSA)
return SSL_PKEY_RSA_ENC;
- else if (alg_a & SSL_aKRB5)
- /* VRS something else here? */
- return -1;
else if (alg_a & SSL_aGOST94)
return SSL_PKEY_GOST94;
else if (alg_a & SSL_aGOST01)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d2a8dc58..63e7dccc 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -280,13 +280,12 @@
#define SSL_kDHr 0x00000002L /* DH cert, RSA CA cert */
#define SSL_kDHd 0x00000004L /* DH cert, DSA CA cert */
#define SSL_kEDH 0x00000008L /* tmp DH key no DH cert */
-#define SSL_kKRB5 0x00000010L /* Kerberos5 key exchange */
-#define SSL_kECDHr 0x00000020L /* ECDH cert, RSA CA cert */
-#define SSL_kECDHe 0x00000040L /* ECDH cert, ECDSA CA cert */
-#define SSL_kEECDH 0x00000080L /* ephemeral ECDH */
-#define SSL_kPSK 0x00000100L /* PSK */
-#define SSL_kGOST 0x00000200L /* GOST key exchange */
-#define SSL_kSRP 0x00000400L /* SRP */
+#define SSL_kECDHr 0x00000010L /* ECDH cert, RSA CA cert */
+#define SSL_kECDHe 0x00000020L /* ECDH cert, ECDSA CA cert */
+#define SSL_kEECDH 0x00000040L /* ephemeral ECDH */
+#define SSL_kPSK 0x00000080L /* PSK */
+#define SSL_kGOST 0x00000100L /* GOST key exchange */
+#define SSL_kSRP 0x00000200L /* SRP */
/* Bits for algorithm_auth (server authentication) */
#define SSL_aRSA 0x00000001L /* RSA auth */
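Review bot: Removing `SSL_kKRB5` shifts every later `SSL_k*` mask down one bit (`SSL_kECDHr` goes from `0x00000020L` to `0x00000010L`, and so on), and the next hunk does the same to the `SSL_a*` masks from `SSL_aECDSA` onward. That is safe only if these values never leave the process and every user goes through the macros. The header name suggests they are library-internal, but that is not visible here. If it cannot be confirmed, leaving the freed bit unused would keep the old values. Either way, a comment above each block such as `/* Internal only: bit values are not stable across versions. */` would record the assumption.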
@@ -294,11 +293,10 @@
#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */
#define SSL_aDH 0x00000008L /* Fixed DH auth (kDHd or kDHr) */
#define SSL_aECDH 0x00000010L /* Fixed ECDH auth (kECDHe or kECDHr) */
-#define SSL_aKRB5 0x00000020L /* KRB5 auth */
-#define SSL_aECDSA 0x00000040L /* ECDSA auth*/
-#define SSL_aPSK 0x00000080L /* PSK auth */
-#define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
-#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
+#define SSL_aECDSA 0x00000020L /* ECDSA auth*/
+#define SSL_aPSK 0x00000040L /* PSK auth */
+#define SSL_aGOST94 0x00000080L /* GOST R 34.10-94 signature auth */
+#define SSL_aGOST01 0x00000100L /* GOST R 34.10-2001 signature auth */
/* Bits for algorithm_enc (symmetric encryption) */