From 0406cd81ef9d18cd505fffabba3ac78901dc797d Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 25 Sep 2013 10:40:23 -0400
Subject: Support authoritative KDB check_transited methods

In kdc_check_transited_list, consult the KDB module first. If it succeeds, treat this as authoritative and do not use the core transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to fall back to core mechanisms.

ticket: 7709
---
 src/include/kdb.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src/include')

diff --git a/src/include/kdb.h b/src/include/kdb.h
index bc01976f2..69817bcb8 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1261,8 +1261,9 @@ typedef struct _kdb_vftabl {
 /*
  * Optional: Perform a policy check on a cross-realm ticket's transited
- * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
- * check fails.
+ * field. Return 0 if the check authoritatively succeeds,
+ * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or
+ * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.
  */
 krb5_error_code (*check_transited_realms)(krb5_context kcontext,
                                           const krb5_data *tr_contents,
-- 
cgit
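Review bot: The new comment does not warn that a 0 return from check_transited_realms now suppresses the core transited checks for that ticket, so a module written against the old wording — where 0 presumably meant only "no objection" and, as the description implies, the core mechanisms still ran — will silently disable cross-realm transit policy once loaded against this KDC. The comment on the + lines should make the migration explicit, e.g. `* A module with no transited policy of its own must return KRB5_PLUGIN_NO_HANDLE;` / `* returning 0 causes the KDC to skip the core transited checks for this ticket.` It would also help to state what the KDC does when the method is left unimplemented, since the text only implies that KRB5_PLUGIN_OP_NOTSUPP is reserved for that case. The enclosing _kdb_vftabl struct begins and ends outside the hunk.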