authorGreg Hudson <ghudson@mit.edu>2013-09-25 10:40:23 -0400
committerGreg Hudson <ghudson@mit.edu>2013-09-25 10:49:56 -0400
commit0406cd81ef9d18cd505fffabba3ac78901dc797d (patch)
treec34f383c3f6ea896168c71c418209d6e9b1869c6 /src/include
parent620275cd43e237ab273b726b2aee0ae729587772 (diff)
Support authoritative KDB check_transited methods
In kdc_check_transited_list, consult the KDB module first. If the module's check succeeds, treat the result as authoritative and do not use the core transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to fall back to core mechanisms.

ticket: 7709
Diffstat (limited to 'src/include')
-rw-r--r--src/include/kdb.h5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h
index bc01976f26..69817bcb87 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1261,8 +1261,9 @@ typedef struct _kdb_vftabl {
/*
* Optional: Perform a policy check on a cross-realm ticket's transited
- * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
- * check fails.
+ * field. Return 0 if the check authoritatively succeeds,
+ * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or
+ * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.
*/
krb5_error_code (*check_transited_realms)(krb5_context kcontext,
const krb5_data *tr_contents,