pull up fix to call kdb check-transited-path first

- pull up fix for not calling a kdb plugin's check-transited-path
  method before calling the library's default version, which only knows
  how to read what's in the configuration file (RT#7709, #1013664)

krb5-1.11-check_transited.patch

@@ -0,0 +1,56 @@
+commit 0406cd81ef9d18cd505fffabba3ac78901dc797d
+Author: Greg Hudson <ghudson@mit.edu>
+Date:   Wed Sep 25 10:40:23 2013 -0400
+
+    Support authoritative KDB check_transited methods
+    
+    In kdc_check_transited_list, consult the KDB module first.  If it
+    succeeds, treat this as authoritative and do not use the core
+    transited mechanisms.  Modules can return KRB5_PLUGIN_NO_HANDLE to
+    fall back to core mechanisms.
+    
+    ticket: 7709
+
+diff --git a/src/include/kdb.h b/src/include/kdb.h
+index bc01976..69817bc 100644
+--- a/src/include/kdb.h
++++ b/src/include/kdb.h
+@@ -1261,8 +1261,9 @@ typedef struct _kdb_vftabl {
+ 
+     /*
+      * Optional: Perform a policy check on a cross-realm ticket's transited
+-     * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
+-     * check fails.
++     * field.  Return 0 if the check authoritatively succeeds,
++     * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or
++     * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.
+      */
+     krb5_error_code (*check_transited_realms)(krb5_context kcontext,
+                                               const krb5_data *tr_contents,
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index bc638c1..5409078 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1573,16 +1573,14 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
+ {
+     krb5_error_code             code;
+ 
+-    /* Check using krb5.conf */
+-    code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
+-    if (code)
++    /* Check against the KDB module.  Treat this answer as authoritative if the
++     * method is supported and doesn't explicitly pass control. */
++    code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
++    if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)
+         return code;
+ 
+-    /* Check against the KDB module. */
+-    code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
+-    if (code == KRB5_PLUGIN_OP_NOTSUPP)
+-        code = 0;
+-    return code;
++    /* Check using krb5.conf [capaths] or hierarchical relationships. */
++    return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
+ }
+ 
+ krb5_error_code

krb5.spec

@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.11.3
-Release: 19%{?dist}
+Release: 20%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.3-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -105,6 +105,7 @@ Patch131: krb5-1.11.3-skew3.patch
 Patch132: krb5-1.11-gss-methods1.patch
 Patch133: krb5-1.11-gss-methods2.patch 
 Patch134: krb5-1.11-kpasswdtest.patch
+Patch135: krb5-1.11-check_transited.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -343,6 +344,7 @@ ln -s NOTICE LICENSE
 %patch132 -p1 -b .gss-methods1
 %patch133 -p1 -b .gss-methods2
 %patch134 -p1 -b .kpasswdtest
+%patch135 -p1 -b .check_transited
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -990,6 +992,11 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Mon Sep 30 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-20
+- pull up fix for not calling a kdb plugin's check-transited-path
+  method before calling the library's default version, which only knows
+  how to read what's in the configuration file (RT#7709, #1013664)
+
 * Thu Sep 26 2013 Nalin Dahyabhai <nalin@redhat.com> - 1.11.3-19
 - configure --without-krb5-config so that we don't pull in the old default
   ccache name when we want to stop setting a default ccache name at configure-