-rw-r--r-- | src/include/kdb.h | 5 | ||||
-rw-r--r-- | src/kdc/do_tgs_req.c | 8 | ||||
-rw-r--r-- | src/kdc/kdc_util.c | 21 | ||||
-rw-r--r-- | src/kdc/kdc_util.h | 5 |
4 files changed, 0 insertions, 39 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h index 0c48da6..d89cd5b 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -104,11 +104,6 @@ #define KRB5_KDB_CREATE_BTREE 0x00000001 #define KRB5_KDB_CREATE_HASH 0x00000002 -/* Private flag used to indicate principal is local TGS */ -#define KRB5_KDB_TICKET_GRANTING_SERVICE 0x01000000 -/* Private flag used to indicate xrealm relationship is non-transitive */ -#define KRB5_KDB_XREALM_NON_TRANSITIVE 0x02000000 - /* Entry get flags */ /* Name canonicalization requested */ #define KRB5_KDB_FLAG_CANONICALIZE 0x00000010 diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 1da0993..bf65520 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -584,14 +584,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, } newtransited = 1; } - if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) { - errcode = validate_transit_path(kdc_context, header_enc_tkt->client, - server, header_server); - if (errcode) { - status = "NON_TRANSITIVE"; - goto cleanup; - } - } if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { errcode = kdc_check_transited_list (kdc_active_realm, &enc_tkt_reply.transited.tr_contents, diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 2b949cf..450f964 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c 
@@ -1735,27 +1735,6 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm, return krb5_check_transited_list(kdc_context, trans, realm1, realm2); } -krb5_error_code -validate_transit_path(krb5_context context, - krb5_const_principal client, - krb5_db_entry *server, - krb5_db_entry *header_srv) -{ - /* Incoming */ - if (isflagset(server->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE)) { - return KRB5KDC_ERR_PATH_NOT_ACCEPTED; - } - - /* Outgoing */ - if (isflagset(header_srv->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) && - (!krb5_principal_compare(context, server->princ, header_srv->princ) || - !krb5_realm_compare(context, client, header_srv->princ))) { - return KRB5KDC_ERR_PATH_NOT_ACCEPTED; - } - - return 0; -} - krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype) { diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index fea35d7..483a763 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -307,11 +307,6 @@ audit_tgs_request (krb5_kdc_req *request, krb5_timestamp authtime, krb5_error_code errcode); -krb5_error_code -validate_transit_path(krb5_context context, - krb5_const_principal client, - krb5_db_entry *server, - krb5_db_entry *krbtgt); void kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm, krb5_timestamp now, |