diff options
author | Greg Hudson <ghudson@mit.edu> | 2013-09-25 10:40:23 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-09-25 10:49:56 -0400 |
commit | 0406cd81ef9d18cd505fffabba3ac78901dc797d (patch) | |
tree | c34f383c3f6ea896168c71c418209d6e9b1869c6 /src/include | |
parent | 620275cd43e237ab273b726b2aee0ae729587772 (diff) | |
download | krb5-0406cd81ef9d18cd505fffabba3ac78901dc797d.tar.gz krb5-0406cd81ef9d18cd505fffabba3ac78901dc797d.tar.xz krb5-0406cd81ef9d18cd505fffabba3ac78901dc797d.zip |
Support authoritative KDB check_transited methods
In kdc_check_transited_list, consult the KDB module first. If it
succeeds, treat this as authoritative and do not use the core
transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to
fall back to core mechanisms.
ticket: 7709
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/kdb.h | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h index bc01976f26..69817bcb87 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -1261,8 +1261,9 @@ typedef struct _kdb_vftabl { /* * Optional: Perform a policy check on a cross-realm ticket's transited - * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the - * check fails. + * field. Return 0 if the check authoritatively succeeds, + * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or + * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails. */ krb5_error_code (*check_transited_realms)(krb5_context kcontext, const krb5_data *tr_contents, |