krb5 commit: Remove KRB5_KDB_XREALM_NON_TRANSITIVE code
Greg Hudson
ghudson at mit.edu
Tue Aug 20 16:49:07 EDT 2019
https://github.com/krb5/krb5/commit/d5fd778c4ebbaaa385a5694bf4a48d4ea0d6d05a
commit d5fd778c4ebbaaa385a5694bf4a48d4ea0d6d05a
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Aug 19 00:51:07 2019 -0400
Remove KRB5_KDB_XREALM_NON_TRANSITIVE code
validate_transit_path() was introduced in the mskrb-integ merge, but
the flag it enforces has no documentation and no kadmin support.
Remove the function and the flag. Also remove the
KRB5_KDB_TICKET_GRANTING_SERVICE flag which has no associated code.
src/include/kdb.h | 5 -----
src/kdc/do_tgs_req.c | 8 --------
src/kdc/kdc_util.c | 21 ---------------------
src/kdc/kdc_util.h | 5 -----
4 files changed, 0 insertions(+), 39 deletions(-)
diff --git a/src/include/kdb.h b/src/include/kdb.h
index 0c48da6..d89cd5b 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -104,11 +104,6 @@
#define KRB5_KDB_CREATE_BTREE 0x00000001
#define KRB5_KDB_CREATE_HASH 0x00000002
-/* Private flag used to indicate principal is local TGS */
-#define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000
-/* Private flag used to indicate xrealm relationship is non-transitive */
-#define KRB5_KDB_XREALM_NON_TRANSITIVE 0x02000000
-
/* Entry get flags */
/* Name canonicalization requested */
#define KRB5_KDB_FLAG_CANONICALIZE 0x00000010
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 1da0993..bf65520 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -584,14 +584,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
}
newtransited = 1;
}
- if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
- errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
- server, header_server);
- if (errcode) {
- status = "NON_TRANSITIVE";
- goto cleanup;
- }
- }
if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
errcode = kdc_check_transited_list (kdc_active_realm,
&enc_tkt_reply.transited.tr_contents,
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 2b949cf..450f964 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1735,27 +1735,6 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
}
-krb5_error_code
-validate_transit_path(krb5_context context,
- krb5_const_principal client,
- krb5_db_entry *server,
- krb5_db_entry *header_srv)
-{
- /* Incoming */
- if (isflagset(server->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE)) {
- return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
- }
-
- /* Outgoing */
- if (isflagset(header_srv->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) &&
- (!krb5_principal_compare(context, server->princ, header_srv->princ) ||
- !krb5_realm_compare(context, client, header_srv->princ))) {
- return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
- }
-
- return 0;
-}
-
krb5_boolean
enctype_requires_etype_info_2(krb5_enctype enctype)
{
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index fea35d7..483a763 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -307,11 +307,6 @@ audit_tgs_request (krb5_kdc_req *request,
krb5_timestamp authtime,
krb5_error_code errcode);
-krb5_error_code
-validate_transit_path(krb5_context context,
- krb5_const_principal client,
- krb5_db_entry *server,
- krb5_db_entry *krbtgt);
void
kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
krb5_timestamp now,