Remove KRB5_KDB_XREALM_NON_TRANSITIVE code

validate_transit_path() was introduced in the mskrb-integ merge, but the flag it enforces has no documentation and no kadmin support. Remove the function and the flag. Also remove the KRB5_KDB_TICKET_GRANTING_SERVICE flag which has no associated code.
krb5 · Aug 20, 2019 · d5fd778 · d5fd778
1 parent afc30bc
commit d5fd778
Show file tree

Hide file tree

Showing 4 changed files with 0 additions and 39 deletions.
diff --git a/src/include/kdb.h b/src/include/kdb.h
@@ -104,11 +104,6 @@
 #define KRB5_KDB_CREATE_BTREE           0x00000001
 #define KRB5_KDB_CREATE_HASH            0x00000002
 
-/* Private flag used to indicate principal is local TGS */
-#define KRB5_KDB_TICKET_GRANTING_SERVICE        0x01000000
-/* Private flag used to indicate xrealm relationship  is non-transitive */
-#define KRB5_KDB_XREALM_NON_TRANSITIVE          0x02000000
-
 /* Entry get flags */
 /* Name canonicalization requested */
 #define KRB5_KDB_FLAG_CANONICALIZE              0x00000010

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
@@ -584,14 +584,6 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         }
         newtransited = 1;
     }
-    if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
-        errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
-                                        server, header_server);
-        if (errcode) {
-            status = "NON_TRANSITIVE";
-            goto cleanup;
-        }
-    }
     if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
         errcode = kdc_check_transited_list (kdc_active_realm,
                                             &enc_tkt_reply.transited.tr_contents,

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
@@ -1735,27 +1735,6 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
     return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
 }
 
-krb5_error_code
-validate_transit_path(krb5_context context,
-                      krb5_const_principal client,
-                      krb5_db_entry *server,
-                      krb5_db_entry *header_srv)
-{
-    /* Incoming */
-    if (isflagset(server->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE)) {
-        return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
-    }
-
-    /* Outgoing */
-    if (isflagset(header_srv->attributes, KRB5_KDB_XREALM_NON_TRANSITIVE) &&
-        (!krb5_principal_compare(context, server->princ, header_srv->princ) ||
-         !krb5_realm_compare(context, client, header_srv->princ))) {
-        return KRB5KDC_ERR_PATH_NOT_ACCEPTED;
-    }
-
-    return 0;
-}
-
 krb5_boolean
 enctype_requires_etype_info_2(krb5_enctype enctype)
 {

diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
@@ -307,11 +307,6 @@ audit_tgs_request (krb5_kdc_req *request,
                    krb5_timestamp authtime,
                    krb5_error_code errcode);
 
-krb5_error_code
-validate_transit_path(krb5_context context,
-                      krb5_const_principal client,
-                      krb5_db_entry *server,
-                      krb5_db_entry *krbtgt);
 void
 kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm,
                        krb5_timestamp now,