rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Drop backport for RT#7709

Browse Source
This commit is contained in:
Nalin Dahyabhai 2013-10-15 17:29:59 -04:00
parent 13b2f96a29
commit 19bc209a19
2 changed files with 1 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
krb5-1.11-check_transited.patch
View File

@ -1,56 +0,0 @@
commit 0406cd81ef9d18cd505fffabba3ac78901dc797d
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Sep 25 10:40:23 2013 -0400
Support authoritative KDB check_transited methods
In kdc_check_transited_list, consult the KDB module first. If it
succeeds, treat this as authoritative and do not use the core
transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to
fall back to core mechanisms.
ticket: 7709
diff --git a/src/include/kdb.h b/src/include/kdb.h
index bc01976..69817bc 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1261,8 +1261,9 @@ typedef struct _kdb_vftabl {
/*
* Optional: Perform a policy check on a cross-realm ticket's transited
- * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
- * check fails.
+ * field. Return 0 if the check authoritatively succeeds,
+ * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or
+ * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.
*/
krb5_error_code (*check_transited_realms)(krb5_context kcontext,
const krb5_data *tr_contents,
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index bc638c1..5409078 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1573,16 +1573,14 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
{
krb5_error_code code;
- /* Check using krb5.conf */
- code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
- if (code)
+ /* Check against the KDB module. Treat this answer as authoritative if the
+ * method is supported and doesn't explicitly pass control. */
+ code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
+ if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)
return code;
- /* Check against the KDB module. */
- code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
- if (code == KRB5_PLUGIN_OP_NOTSUPP)
- code = 0;
- return code;
+ /* Check using krb5.conf [capaths] or hierarchical relationships. */
+ return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
}
krb5_error_code

3
krb5.spec
View File

@ -93,7 +93,6 @@ Patch126: krb5-1.11.2-skew2.patch
Patch129: krb5-1.11-run_user_0.patch Patch129: krb5-1.11-run_user_0.patch
Patch131: krb5-1.11.3-skew3.patch Patch131: krb5-1.11.3-skew3.patch
Patch134: krb5-1.11-kpasswdtest.patch Patch134: krb5-1.11-kpasswdtest.patch
Patch135: krb5-1.11-check_transited.patch
Patch136: krb5-1.11.3-prompter1.patch Patch136: krb5-1.11.3-prompter1.patch
Patch137: krb5-1.11.3-prompter2.patch Patch137: krb5-1.11.3-prompter2.patch
Patch138: krb5-master-keyring-offsets.patch Patch138: krb5-master-keyring-offsets.patch
@ -321,7 +320,6 @@ ln -s NOTICE LICENSE
%patch131 -p1 -b .skew3 %patch131 -p1 -b .skew3
%patch134 -p1 -b .kpasswdtest %patch134 -p1 -b .kpasswdtest
%patch135 -p1 -b .check_transited
%patch136 -p1 -b .prompter1 %patch136 -p1 -b .prompter1
%patch137 -p1 -b .prompter2 %patch137 -p1 -b .prompter2
%patch138 -p1 -b .keyring-offsets %patch138 -p1 -b .keyring-offsets
@ -1024,6 +1022,7 @@ exit 0
depend on the portmapper, which are areas where our build systems depend on the portmapper, which are areas where our build systems
often give us trouble, too; obsolete often give us trouble, too; obsolete
- drop backports for RT#7682 - drop backports for RT#7682
- drop backport for RT#7709
* Wed Oct 16 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-26 * Wed Oct 16 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-26
- create and own /etc/gss (#1019937) - create and own /etc/gss (#1019937)