/*
* Optional: Perform a policy check on a cross-realm ticket's transited
- * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
- * check fails.
+ * field. Return 0 if the check authoritatively succeeds,
+ * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or
+ * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.
*/
krb5_error_code (*check_transited_realms)(krb5_context kcontext,
const krb5_data *tr_contents,
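Review bot: The new wording on the KRB5_PLUGIN_NO_HANDLE line says "the core transited-checking mechanisms" without naming them, so a module author cannot tell from this header what a NO_HANDLE return falls back to. The KDC side of this change spells it out as the krb5.conf [capaths] check and hierarchical realm relationships, and the header should say the same so the two stay in agreement: `* KRB5_PLUGIN_NO_HANDLE to fall back to the core checks ([capaths] and hierarchical relationships), or`. It is also worth stating that a 0 return skips those core checks entirely rather than being combined with them, since that is what "authoritatively" means here. The declaration's remaining parameters continue outside the hunk.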
{
krb5_error_code code;
- /* Check using krb5.conf */
- code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
- if (code)
+ /* Check against the KDB module. Treat this answer as authoritative if the
+ * method is supported and doesn't explicitly pass control. */
+ code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
+ if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)
return code;
- /* Check against the KDB module. */
- code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
- if (code == KRB5_PLUGIN_OP_NOTSUPP)
- code = 0;
- return code;
+ /* Check using krb5.conf [capaths] or hierarchical relationships. */
+ return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
}
krb5_error_code
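Review bot: The early return on the `if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)` line makes a 0 from krb5_db_check_transited_realms bypass the [capaths]/hierarchical check that previously always ran, and nothing in the comment above it records that the module is now a replacement for, not an addition to, the administrator's krb5.conf policy. That is the intended design, but it is the kind of policy-relevant ordering that should be visible at the call site; I would extend the comment to `/* A 0 result from the module is authoritative and skips the krb5.conf check below; only OP_NOTSUPP and NO_HANDLE fall through to it. */`. If the function's header comment (outside this hunk, as the signature is) still describes the old conjunctive behaviour, it should be updated to match as well. Behaviour for a module that returns another error is unchanged, since that value is returned immediately in both versions.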