authorMagnus Hagander <magnus@hagander.net>2014-01-15 17:24:01 +0100
committerMagnus Hagander <magnus@hagander.net>2014-01-19 17:05:01 +0100
commit98de86e4221a418d670db86bf28ff15e880beadc (patch)
treeaeba76356dfe639d4e9aff48875062f1defb16cc /src/interfaces/libpq/fe-auth.c
parent4b8f2859ccc4fe1e9b66fbdb332b830b69a9d6cf (diff)
Remove support for native krb5 authentication
krb5 has been deprecated since 8.3, and the recommended way to do Kerberos authentication is using the GSSAPI authentication method (which is still fully supported). libpq retains the ability to identify krb5 authentication, but only gives an error message about it being unsupported. Since all authentication is initiated from the backend, there is no need to keep it at all in the backend.
Diffstat (limited to 'src/interfaces/libpq/fe-auth.c')
-rw-r--r--src/interfaces/libpq/fe-auth.c264
1 files changed, 0 insertions, 264 deletions
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 91f7c501c7..e10c970910 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -43,258 +43,6 @@
#include "libpq/md5.h"
-#ifdef KRB5
-/*
- * MIT Kerberos authentication system - protocol version 5
- */
-
-#include <krb5.h>
-/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */
-#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__)
-#include <com_err.h>
-#endif
-
-/*
- * Heimdal doesn't have a free function for unparsed names. Just pass it to
- * standard free() which should work in these cases.
- */
-#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
-static void
-krb5_free_unparsed_name(krb5_context context, char *val)
-{
- free(val);
-}
-#endif
-
-/*
- * pg_an_to_ln -- return the local name corresponding to an authentication
- * name
- *
- * XXX Assumes that the first aname component is the user name. This is NOT
- * necessarily so, since an aname can actually be something out of your
- * worst X.400 nightmare, like
- * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU
- * Note that the MIT an_to_ln code does the same thing if you don't
- * provide an aname mapping database...it may be a better idea to use
- * krb5_an_to_ln, except that it punts if multiple components are found,
- * and we can't afford to punt.
- *
- * For WIN32, convert username to lowercase because the Win32 kerberos library
- * generates tickets with the username as the user entered it instead of as
- * it is entered in the directory.
- */
-static char *
-pg_an_to_ln(char *aname)
-{
- char *p;
-
- if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
- *p = '\0';
-#ifdef WIN32
- for (p = aname; *p; p++)
- *p = pg_tolower((unsigned char) *p);
-#endif
-
- return aname;
-}
-
-
-/*
- * Various krb5 state which is not connection specific, and a flag to
- * indicate whether we have initialised it yet.
- */
-/*
-static int pg_krb5_initialised;
-static krb5_context pg_krb5_context;
-static krb5_ccache pg_krb5_ccache;
-static krb5_principal pg_krb5_client;
-static char *pg_krb5_name;
-*/
-
-struct krb5_info
-{
- int pg_krb5_initialised;
- krb5_context pg_krb5_context;
- krb5_ccache pg_krb5_ccache;
- krb5_principal pg_krb5_client;
- char *pg_krb5_name;
-};
-
-
-static int
-pg_krb5_init(PQExpBuffer errorMessage, struct krb5_info * info)
-{
- krb5_error_code retval;
-
- if (info->pg_krb5_initialised)
- return STATUS_OK;
-
- retval = krb5_init_context(&(info->pg_krb5_context));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_init_context: %s\n",
- error_message(retval));
- return STATUS_ERROR;
- }
-
- retval = krb5_cc_default(info->pg_krb5_context, &(info->pg_krb5_ccache));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_cc_default: %s\n",
- error_message(retval));
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_cc_get_principal(info->pg_krb5_context, info->pg_krb5_ccache,
- &(info->pg_krb5_client));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_cc_get_principal: %s\n",
- error_message(retval));
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_unparse_name(info->pg_krb5_context, info->pg_krb5_client, &(info->pg_krb5_name));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_unparse_name: %s\n",
- error_message(retval));
- krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- info->pg_krb5_name = pg_an_to_ln(info->pg_krb5_name);
-
- info->pg_krb5_initialised = 1;
- return STATUS_OK;
-}
-
-static void
-pg_krb5_destroy(struct krb5_info * info)
-{
- krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_unparsed_name(info->pg_krb5_context, info->pg_krb5_name);
- krb5_free_context(info->pg_krb5_context);
-}
-
-
-/*
- * pg_krb5_sendauth -- client routine to send authentication information to
- * the server
- */
-static int
-pg_krb5_sendauth(PGconn *conn)
-{
- krb5_error_code retval;
- int ret;
- krb5_principal server;
- krb5_auth_context auth_context = NULL;
- krb5_error *err_ret = NULL;
- struct krb5_info info;
-
- info.pg_krb5_initialised = 0;
-
- if (!(conn->pghost && conn->pghost[0] != '\0'))
- {
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("host name must be specified\n"));
- return STATUS_ERROR;
- }
-
- ret = pg_krb5_init(&conn->errorMessage, &info);
- if (ret != STATUS_OK)
- return ret;
-
- retval = krb5_sname_to_principal(info.pg_krb5_context, conn->pghost,
- conn->krbsrvname,
- KRB5_NT_SRV_HST, &server);
- if (retval)
- {
- printfPQExpBuffer(&conn->errorMessage,
- "pg_krb5_sendauth: krb5_sname_to_principal: %s\n",
- error_message(retval));
- pg_krb5_destroy(&info);
- return STATUS_ERROR;
- }
-
- /*
- * libpq uses a non-blocking socket. But kerberos needs a blocking socket,
- * and we have to block somehow to do mutual authentication anyway. So we
- * temporarily make it blocking.
- */
- if (!pg_set_block(conn->sock))
- {
- char sebuf[256];
-
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf)));
- krb5_free_principal(info.pg_krb5_context, server);
- pg_krb5_destroy(&info);
- return STATUS_ERROR;
- }
-
- retval = krb5_sendauth(info.pg_krb5_context, &auth_context,
- (krb5_pointer) & conn->sock, (char *) conn->krbsrvname,
- info.pg_krb5_client, server,
- AP_OPTS_MUTUAL_REQUIRED,
- NULL, 0, /* no creds, use ccache instead */
- info.pg_krb5_ccache, &err_ret, NULL, NULL);
- if (retval)
- {
- if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
- {
-#if defined(HAVE_KRB5_ERROR_TEXT_DATA)
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
- (int) err_ret->text.length, err_ret->text.data);
-#elif defined(HAVE_KRB5_ERROR_E_DATA)
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
- (int) err_ret->e_data->length,
- (const char *) err_ret->e_data->data);
-#else
-#error "bogus configuration"
-#endif
- }
- else
- {
- printfPQExpBuffer(&conn->errorMessage,
- "krb5_sendauth: %s\n", error_message(retval));
- }
-
- if (err_ret)
- krb5_free_error(info.pg_krb5_context, err_ret);
-
- ret = STATUS_ERROR;
- }
-
- krb5_free_principal(info.pg_krb5_context, server);
-
- if (!pg_set_noblock(conn->sock))
- {
- char sebuf[256];
-
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not restore nonblocking mode on socket: %s\n"),
- pqStrerror(errno, sebuf, sizeof(sebuf)));
- ret = STATUS_ERROR;
- }
- pg_krb5_destroy(&info);
-
- return ret;
-}
-#endif /* KRB5 */
-
#ifdef ENABLE_GSS
/*
* GSSAPI authentication system.
@@ -816,21 +564,9 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn)
return STATUS_ERROR;
case AUTH_REQ_KRB5:
-#ifdef KRB5
- pglock_thread();
- if (pg_krb5_sendauth(conn) != STATUS_OK)
- {
- /* Error message already filled in */
- pgunlock_thread();
- return STATUS_ERROR;
- }
- pgunlock_thread();
- break;
-#else
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("Kerberos 5 authentication not supported\n"));
return STATUS_ERROR;
-#endif
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
case AUTH_REQ_GSS: