diff --git a/krb5-1.11-check_transited.patch b/krb5-1.11-check_transited.patch
new file mode 100644
index 0000000..f3ce693
--- /dev/null
+++ b/krb5-1.11-check_transited.patch
@@ -0,0 +1,56 @@
+commit 0406cd81ef9d18cd505fffabba3ac78901dc797d
+Author: Greg Hudson
+Date: Wed Sep 25 10:40:23 2013 -0400
+
+ Support authoritative KDB check_transited methods
+
+ In kdc_check_transited_list, consult the KDB module first. If it
+ succeeds, treat this as authoritative and do not use the core
+ transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to
+ fall back to core mechanisms.
+
+ ticket: 7709
+
+diff --git a/src/include/kdb.h b/src/include/kdb.h
+index bc01976..69817bc 100644
+--- a/src/include/kdb.h
++++ b/src/include/kdb.h
+@@ -1261,8 +1261,9 @@ typedef struct _kdb_vftabl {
+
+ /*
+ * Optional: Perform a policy check on a cross-realm ticket's transited
+- * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
+- * check fails.
++ * field. Return 0 if the check authoritatively succeeds,
++ * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or
++ * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.
+ */
+ krb5_error_code (*check_transited_realms)(krb5_context kcontext,
+ const krb5_data *tr_contents,
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index bc638c1..5409078 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1573,16 +1573,14 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
+ {
+ krb5_error_code code;
+
+- /* Check using krb5.conf */
+- code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
+- if (code)
++ /* Check against the KDB module. Treat this answer as authoritative if the
++ * method is supported and doesn't explicitly pass control. */
++ code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
++ if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)
+ return code;
+
+- /* Check against the KDB module. */
+- code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
+- if (code == KRB5_PLUGIN_OP_NOTSUPP)
+- code = 0;
+- return code;
++ /* Check using krb5.conf [capaths] or hierarchical relationships. */
++ return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
+ }
+
+ krb5_error_code
diff --git a/krb5.spec b/krb5.spec
index 2d79b6c..472e385 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 19%{?dist}
+Release: 20%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -105,6 +105,7 @@ Patch131: krb5-1.11.3-skew3.patch
 Patch132: krb5-1.11-gss-methods1.patch
 Patch133: krb5-1.11-gss-methods2.patch
 Patch134: krb5-1.11-kpasswdtest.patch
+Patch135: krb5-1.11-check_transited.patch
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -343,6 +344,7 @@ ln -s NOTICE LICENSE
 %patch132 -p1 -b .gss-methods1
 %patch133 -p1 -b .gss-methods2
 %patch134 -p1 -b .kpasswdtest
+%patch135 -p1 -b .check_transited
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -990,6 +992,11 @@ exit 0
 %{_sbindir}/uuserver
 %changelog
+* Mon Sep 30 2013 Nalin Dahyabhai - 1.11.3-20
+- pull up fix for not calling a kdb plugin's check-transited-path
+ method before calling the library's default version, which only knows
+ how to read what's in the configuration file (RT#7709, #1013664)
+
 * Thu Sep 26 2013 Nalin Dahyabhai - 1.11.3-19
 - configure --without-krb5-config so that we don't pull in the old
 default ccache name when we want to stop setting a default ccache name at configure-
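Review bot: The reordered body of kdc_check_transited_list in the embedded kdc_util.c hunk turns a zero return from the KDB module's check_transited_realms method from "no objection, the krb5.conf check still runs" (the old code ran krb5_check_transited_list first and required both to pass) into an authoritative pass that skips the [capaths] and hierarchical check entirely, and nothing visible in this hunk versions or gates that contract change, so a module built against the old contract that returns 0 by default would silently disable configured transited-path policy once this backport ships. The kdb.h comment update tells authors of new modules to return KRB5_PLUGIN_NO_HANDLE to keep the core checks, but it does not reach existing modules, so the new early return deserves a comment making the bypass explicit, e.g. `/* A zero return from the module is authoritative: the [capaths] and hierarchical checks below are skipped. */`, and the changelog entry in krb5.spec should state the module-contract change rather than only the call order. Whether any module shipped with this package relies on the old semantics I cannot tell from this diff. The function's signature appears only in the inner hunk header line, so its parameter list is not under review here.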