From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 25 Sep 2013 14:40:23 +0000 (-0400)
Subject: Support authoritative KDB check_transited methods
X-Git-Tag: krb5-1.12-alpha1~20
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0406cd81ef9d18cd505fffabba3ac78901dc797d;p=thirdparty%2Fkrb5.git

Support authoritative KDB check_transited methods

In kdc_check_transited_list, consult the KDB module first.  If it
succeeds, treat this as authoritative and do not use the core
transited mechanisms.  Modules can return KRB5_PLUGIN_NO_HANDLE to
fall back to core mechanisms.

ticket: 7709
---

diff --git a/src/include/kdb.h b/src/include/kdb.h
index bc01976f26..69817bcb87 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1261,8 +1261,9 @@ typedef struct _kdb_vftabl {
 
     /*
      * Optional: Perform a policy check on a cross-realm ticket's transited
-     * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
-     * check fails.
+     * field.  Return 0 if the check authoritatively succeeds,
+     * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or
+     * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.
      */
     krb5_error_code (*check_transited_realms)(krb5_context kcontext,
                                               const krb5_data *tr_contents,
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index bc638c19bf..5409078a44 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1573,16 +1573,14 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
 {
     krb5_error_code             code;
 
-    /* Check using krb5.conf */
-    code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
-    if (code)
+    /* Check against the KDB module.  Treat this answer as authoritative if the
+     * method is supported and doesn't explicitly pass control. */
+    code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
+    if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)
         return code;
 
-    /* Check against the KDB module. */
-    code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
-    if (code == KRB5_PLUGIN_OP_NOTSUPP)
-        code = 0;
-    return code;
+    /* Check using krb5.conf [capaths] or hierarchical relationships. */
+    return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
 }
 
 krb5_error_code