From 19bc209a190ea8166cacb92576925c0031da6eb5 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 15 Oct 2013 17:29:59 -0400
Subject: [PATCH] Drop backport for RT#7709
---
krb5-1.11-check_transited.patch | 56 ---------------------------------
krb5.spec | 3 +-
2 files changed, 1 insertion(+), 58 deletions(-)
delete mode 100644 krb5-1.11-check_transited.patch
diff --git a/krb5-1.11-check_transited.patch b/krb5-1.11-check_transited.patch
deleted file mode 100644
index f3ce693..0000000
--- a/krb5-1.11-check_transited.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-commit 0406cd81ef9d18cd505fffabba3ac78901dc797d
-Author: Greg Hudson
-Date: Wed Sep 25 10:40:23 2013 -0400
-
- Support authoritative KDB check_transited methods
-
- In kdc_check_transited_list, consult the KDB module first. If it
- succeeds, treat this as authoritative and do not use the core
- transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to
- fall back to core mechanisms.
-
- ticket: 7709
-
-diff --git a/src/include/kdb.h b/src/include/kdb.h
-index bc01976..69817bc 100644
---- a/src/include/kdb.h
-+++ b/src/include/kdb.h
-@@ -1261,8 +1261,9 @@ typedef struct _kdb_vftabl {
-
- /*
- * Optional: Perform a policy check on a cross-realm ticket's transited
-- * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
-- * check fails.
-+ * field. Return 0 if the check authoritatively succeeds,
-+ * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or
-+ * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.
- */
- krb5_error_code (*check_transited_realms)(krb5_context kcontext,
- const krb5_data *tr_contents,
-diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
-index bc638c1..5409078 100644
---- a/src/kdc/kdc_util.c
-+++ b/src/kdc/kdc_util.c
-@@ -1573,16 +1573,14 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
- {
- krb5_error_code code;
-
-- /* Check using krb5.conf */
-- code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
-- if (code)
-+ /* Check against the KDB module. Treat this answer as authoritative if the
-+ * method is supported and doesn't explicitly pass control. */
-+ code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
-+ if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)
- return code;
-
-- /* Check against the KDB module. */
-- code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
-- if (code == KRB5_PLUGIN_OP_NOTSUPP)
-- code = 0;
-- return code;
-+ /* Check using krb5.conf [capaths] or hierarchical relationships. */
-+ return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
- }
-
- krb5_error_code
diff --git a/krb5.spec b/krb5.spec
index 32eea08..8d7e3cc 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -93,7 +93,6 @@ Patch126: krb5-1.11.2-skew2.patch
 Patch129: krb5-1.11-run_user_0.patch
 Patch131: krb5-1.11.3-skew3.patch
 Patch134: krb5-1.11-kpasswdtest.patch
-Patch135: krb5-1.11-check_transited.patch
 Patch136: krb5-1.11.3-prompter1.patch
 Patch137: krb5-1.11.3-prompter2.patch
 Patch138: krb5-master-keyring-offsets.patch
@@ -321,7 +320,6 @@ ln -s NOTICE LICENSE
 %patch131 -p1 -b .skew3
 %patch134 -p1 -b .kpasswdtest
-%patch135 -p1 -b .check_transited
 %patch136 -p1 -b .prompter1
 %patch137 -p1 -b .prompter2
 %patch138 -p1 -b .keyring-offsets
@@ -1024,6 +1022,7 @@ exit 0
 depend on the portmapper, which are areas where our build systems often give us trouble, too; obsolete
 - drop backports for RT#7682
+ - drop backport for RT#7709
 * Wed Oct 16 2013 Nalin Dahyabhai - 1.11.3-26
 - create and own /etc/gss (#1019937)