author | Greg Hudson <ghudson@mit.edu> | 2013-09-25 10:40:23 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-09-25 10:49:56 -0400 |
commit | 0406cd81ef9d18cd505fffabba3ac78901dc797d (patch) | |
tree | c34f383c3f6ea896168c71c418209d6e9b1869c6 /src/kdc/kdc_util.c | |
parent | 620275cd43e237ab273b726b2aee0ae729587772 (diff) | |
Support authoritative KDB check_transited methods
In kdc_check_transited_list, consult the KDB module first. If it
succeeds, treat this as authoritative and do not use the core
transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to
fall back to core mechanisms.
ticket: 7709
Diffstat (limited to 'src/kdc/kdc_util.c')
-rw-r--r-- | src/kdc/kdc_util.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index bc638c19bf..5409078a44 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1573,16 +1573,14 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
 {
 krb5_error_code code;
- /* Check using krb5.conf */
- code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
- if (code)
+ /* Check against the KDB module. Treat this answer as authoritative if the
+ * method is supported and doesn't explicitly pass control. */
+ code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
+ if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)
 return code;
- /* Check against the KDB module. */
- code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
- if (code == KRB5_PLUGIN_OP_NOTSUPP)
- code = 0;
- return code;
+ /* Check using krb5.conf [capaths] or hierarchical relationships. */
+ return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
 }
 krb5_error_code |
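Review bot: A return of 0 from `krb5_db_check_transited_realms` now ends the check before `krb5_check_transited_list` runs, so the module alone accepts the transited path and the krb5.conf [capaths] policy is never consulted. On the old side a module's 0 was reached only after the krb5.conf check had already passed, so a module written to those semantics that returns 0 as "no objection" would now widen cross-realm trust instead of only restricting it. The new comment should state that contract explicitly, for example `/* A 0 return accepts the path without consulting [capaths]; modules that only add restrictions must return KRB5_PLUGIN_NO_HANDLE instead of 0. */`. Whether the KDB interface documentation for this method was updated cannot be seen here, since the diffstat is limited to this file, so that is worth confirming along with an audit of existing modules. The function's signature begins outside the hunk.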