Tree - rpms/krb5 - src.fedoraproject.org

rpms / krb5

Blame krb5-1.11-check_transited.patch

Blob History Raw

Nalin Dahyabhai	5d5a457	`commit 0406cd81ef9d18cd505fffabba3ac78901dc797d`
Nalin Dahyabhai	5d5a457	`Author: Greg Hudson <ghudson@mit.edu>`
Nalin Dahyabhai	5d5a457	`Date: Wed Sep 25 10:40:23 2013 -0400`
Nalin Dahyabhai	5d5a457
Nalin Dahyabhai	5d5a457	`Support authoritative KDB check_transited methods`
Nalin Dahyabhai	5d5a457
Nalin Dahyabhai	5d5a457	`In kdc_check_transited_list, consult the KDB module first. If it`
Nalin Dahyabhai	5d5a457	`succeeds, treat this as authoritative and do not use the core`
Nalin Dahyabhai	5d5a457	`transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to`
Nalin Dahyabhai	5d5a457	`fall back to core mechanisms.`
Nalin Dahyabhai	5d5a457
Nalin Dahyabhai	5d5a457	`ticket: 7709`
Nalin Dahyabhai	5d5a457
Nalin Dahyabhai	5d5a457	`diff --git a/src/include/kdb.h b/src/include/kdb.h`
Nalin Dahyabhai	5d5a457	`index bc01976..69817bc 100644`
Nalin Dahyabhai	5d5a457	`--- a/src/include/kdb.h`
Nalin Dahyabhai	5d5a457	`+++ b/src/include/kdb.h`
Nalin Dahyabhai	5d5a457	`@@ -1261,8 +1261,9 @@ typedef struct _kdb_vftabl {`
Nalin Dahyabhai	5d5a457
Nalin Dahyabhai	5d5a457	`/*`
Nalin Dahyabhai	5d5a457	`* Optional: Perform a policy check on a cross-realm ticket's transited`
Nalin Dahyabhai	5d5a457	`- * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the`
Nalin Dahyabhai	5d5a457	`- * check fails.`
Nalin Dahyabhai	5d5a457	`+ * field. Return 0 if the check authoritatively succeeds,`
Nalin Dahyabhai	5d5a457	`+ * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or`
Nalin Dahyabhai	5d5a457	`+ * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.`
Nalin Dahyabhai	5d5a457	`*/`
Nalin Dahyabhai	5d5a457	`krb5_error_code (*check_transited_realms)(krb5_context kcontext,`
Nalin Dahyabhai	5d5a457	`const krb5_data *tr_contents,`
Nalin Dahyabhai	5d5a457	`diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c`
Nalin Dahyabhai	5d5a457	`index bc638c1..5409078 100644`
Nalin Dahyabhai	5d5a457	`--- a/src/kdc/kdc_util.c`
Nalin Dahyabhai	5d5a457	`+++ b/src/kdc/kdc_util.c`
Nalin Dahyabhai	5d5a457	`@@ -1573,16 +1573,14 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,`
Nalin Dahyabhai	5d5a457	`{`
Nalin Dahyabhai	5d5a457	`krb5_error_code code;`
Nalin Dahyabhai	5d5a457
Nalin Dahyabhai	5d5a457	`- /* Check using krb5.conf */`
Nalin Dahyabhai	5d5a457	`- code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);`
Nalin Dahyabhai	5d5a457	`- if (code)`
Nalin Dahyabhai	5d5a457	`+ /* Check against the KDB module. Treat this answer as authoritative if the`
Nalin Dahyabhai	5d5a457	`+ * method is supported and doesn't explicitly pass control. */`
Nalin Dahyabhai	5d5a457	`+ code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);`
Nalin Dahyabhai	5d5a457	`+ if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)`
Nalin Dahyabhai	5d5a457	`return code;`
Nalin Dahyabhai	5d5a457
Nalin Dahyabhai	5d5a457	`- /* Check against the KDB module. */`
Nalin Dahyabhai	5d5a457	`- code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);`
Nalin Dahyabhai	5d5a457	`- if (code == KRB5_PLUGIN_OP_NOTSUPP)`
Nalin Dahyabhai	5d5a457	`- code = 0;`
Nalin Dahyabhai	5d5a457	`- return code;`
Nalin Dahyabhai	5d5a457	`+ /* Check using krb5.conf [capaths] or hierarchical relationships. */`
Nalin Dahyabhai	5d5a457	`+ return krb5_check_transited_list(kdc_context, trans, realm1, realm2);`
Nalin Dahyabhai	5d5a457	`}`
Nalin Dahyabhai	5d5a457
Nalin Dahyabhai	5d5a457	`krb5_error_code`

rpms / krb5

Source Code

Blame krb5-1.11-check_transited.patch