From 8155745026e1f35bf905581575f18380ae4dc451 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Wed, 21 Oct 2009 16:03:40 +0000
Subject: [PATCH] remove some unneeded extensions from the Novell backend authdata SPI
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22961 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/include/kdb_ext.h | 2 --
 src/kdc/kdc_authdata.c | 30 +-----------------------------
 src/kdc/kdc_util.c | 10 +---------
 src/kdc/kdc_util.h | 4 +---
 4 files changed, 3 insertions(+), 43 deletions(-)
diff --git a/src/include/kdb_ext.h b/src/include/kdb_ext.h
index 384192005..dfa2e0b71 100644
--- a/src/include/kdb_ext.h
+++ b/src/include/kdb_ext.h
@@ -103,8 +103,6 @@ typedef struct _kdb_sign_auth_data_req {
 typedef struct _kdb_sign_auth_data_rep {
 krb5_magic magic;
 krb5_authdata **auth_data; /* Signed authorization data */
- krb5_db_entry *entry; /* Optional client principal extracted from auth data */
- int nprincs; /* Non-zero if above contains principal data */
 } kdb_sign_auth_data_rep;
 typedef struct _kdb_check_transited_realms_req {
diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index 1b70d7c82..d598894d2 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -463,8 +463,6 @@ handle_tgt_authdata (krb5_context context,
 {
 krb5_error_code code;
 krb5_authdata **db_authdata = NULL;
- krb5_db_entry ad_entry;
- int ad_nprincs = 0;
 krb5_boolean tgs_req = (request->msg_type == KRB5_TGS_REQ);
 krb5_const_principal actual_client;
@@ -531,11 +529,8 @@ handle_tgt_authdata (krb5_context context,
 enc_tkt_reply->times.authtime,
 tgs_req ? enc_tkt_request->authorization_data : NULL,
 enc_tkt_reply->session,
- &db_authdata,
- &ad_entry,
- &ad_nprincs);
+ &db_authdata);
 if (code == KRB5_KDB_DBTYPE_NOSUP) {
- assert(ad_nprincs == 0);
 assert(db_authdata == NULL);
 if (isflagset(flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION))
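Review bot: In the `@@ -531` hunk the `KRB5_KDB_DBTYPE_NOSUP` branch still relies on `assert(db_authdata == NULL)`, yet `db_authdata` is whatever the database backend left in `rep.auth_data`, which sign_db_authdata copies out regardless of the return code (`@@ -1783` hunk). The assert is compiled out under NDEBUG and aborts the KDC otherwise, so a backend that returns NOSUP after partly filling the reply either leaks the data or stops the daemon. An explicit check would be sturdier, for example `if (db_authdata != NULL) { krb5_free_authdata(context, db_authdata); db_authdata = NULL; }`, assuming the caller owns the array as the `krb5_free_authdata` call removed in the `@@ -548` hunk suggests. handle_tgt_authdata starts and ends outside this hunk, so whether its other error returns release `db_authdata` cannot be seen here.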
@@ -548,29 +543,6 @@ handle_tgt_authdata (krb5_context context,
 return 0;
 }
- if (ad_nprincs != 0) {
- /*
- * This code was submitted by Novell; however there is no
- * mention in [MS-SFU] of needing to examine the authorization
- * data to clear the forwardable flag. My understanding is that
- * the state of the forwardable flag is propagated through the
- * cross-realm TGTs.
- */
-#if 0
- if (isflagset(flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
- isflagset(ad_entry.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
- clear(enc_tkt_reply->flags, TKT_FLG_FORWARDABLE);
-#endif
-
- krb5_db_free_principal(context, &ad_entry, ad_nprincs);
-
- if (ad_nprincs != 1) {
- if (db_authdata != NULL)
- krb5_free_authdata(context, db_authdata);
- return KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
- }
- }
-
 if (db_authdata != NULL) {
 code = merge_authdata(context, db_authdata,
 &enc_tkt_reply->authorization_data,
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 9aada8132..ba2c4b53f 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1740,9 +1740,7 @@ sign_db_authdata (krb5_context context,
 krb5_timestamp authtime,
 krb5_authdata **tgs_authdata,
 krb5_keyblock *session_key,
- krb5_authdata ***ret_authdata,
- krb5_db_entry *ad_entry,
- int *ad_nprincs)
+ krb5_authdata ***ret_authdata)
 {
 krb5_error_code code;
 kdb_sign_auth_data_req req;
@@ -1751,8 +1749,6 @@ sign_db_authdata (krb5_context context,
 krb5_data rep_data;
 *ret_authdata = NULL;
- memset(ad_entry, 0, sizeof(*ad_entry));
- *ad_nprincs = 0;
 memset(&req, 0, sizeof(req));
 memset(&rep, 0, sizeof(rep));
@@ -1768,9 +1764,6 @@ sign_db_authdata (krb5_context context,
 req.auth_data = tgs_authdata;
 req.session_key = session_key;
- rep.entry = ad_entry;
- rep.nprincs = 0;
-
 req_data.data = (void *)&req;
 req_data.length = sizeof(req);
@@ -1783,7 +1776,6 @@ sign_db_authdata (krb5_context context,
 &rep_data);
 *ret_authdata = rep.auth_data;
- *ad_nprincs = rep.nprincs;
 return code;
 }
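Review bot: Nothing visible in the sign_db_authdata hunks (`@@ -1740` through `@@ -1783`) lets a database backend tell which layout of `kdb_sign_auth_data_rep` it is being handed, even though the kdb_ext.h hunk removes two members from it. A backend module built against the previous header would still read `rep->entry` and store to `rep->nprincs`, which now lie past the end of the KDC's stack object `rep`. The `@@ -1768` hunk sets `req_data.length = sizeof(req)`; if `rep_data.length` is filled in the same way (those lines fall between the hunks), backends could compare it with their own `sizeof(kdb_sign_auth_data_rep)` and refuse on mismatch, otherwise the method identifier or `magic` should change together with the struct. Recording this next to the struct, e.g. `/* layout is backend ABI: rep_data.length must equal sizeof(kdb_sign_auth_data_rep) */`, would make the contract explicit.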
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 26650510d..079492250 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -239,9 +239,7 @@ krb5_error_code sign_db_authdata
 krb5_timestamp authtime,
 krb5_authdata **tgs_authdata,
 krb5_keyblock *session_key,
- krb5_authdata ***ret_authdata,
- krb5_db_entry *ad_entry,
- int *ad_nprincs);
+ krb5_authdata ***ret_authdata);
 krb5_error_code kdc_process_s4u2self_req
 (krb5_context context,
-- 
2.26.2