[krb5/f19] pull up fix to call kdb check-transited-path first

Nalin Dahyabhai nalin at fedoraproject.org
Thu Oct 24 15:37:22 UTC 2013


commit 5d5a457df725b3b88df3bb8d81fe03f98d6cfcbb
Author: Nalin Dahyabhai <nalin at dahyabhai.net>
Date:   Mon Sep 30 11:26:50 2013 -0400

    pull up fix to call kdb check-transited-path first
    
    - pull up fix for not calling a kdb plugin's check-transited-path
      method before calling the library's default version, which only knows
      how to read what's in the configuration file (RT#7709, #1013664)
    
    Conflicts:
    	krb5.spec

 krb5-1.11-check_transited.patch |   56 +++++++++++++++++++++++++++++++++++++++
 krb5.spec                       |    5 +++
 2 files changed, 61 insertions(+), 0 deletions(-)
---
diff --git a/krb5-1.11-check_transited.patch b/krb5-1.11-check_transited.patch
new file mode 100644
index 0000000..f3ce693
--- /dev/null
+++ b/krb5-1.11-check_transited.patch
@@ -0,0 +1,56 @@
+commit 0406cd81ef9d18cd505fffabba3ac78901dc797d
+Author: Greg Hudson <ghudson at mit.edu>
+Date:   Wed Sep 25 10:40:23 2013 -0400
+
+    Support authoritative KDB check_transited methods
+    
+    In kdc_check_transited_list, consult the KDB module first.  If it
+    succeeds, treat this as authoritative and do not use the core
+    transited mechanisms.  Modules can return KRB5_PLUGIN_NO_HANDLE to
+    fall back to core mechanisms.
+    
+    ticket: 7709
+
+diff --git a/src/include/kdb.h b/src/include/kdb.h
+index bc01976..69817bc 100644
+--- a/src/include/kdb.h
++++ b/src/include/kdb.h
+@@ -1261,8 +1261,9 @@ typedef struct _kdb_vftabl {
+ 
+     /*
+      * Optional: Perform a policy check on a cross-realm ticket's transited
+-     * field and return an error (other than KRB5_PLUGIN_OP_NOTSUPP) if the
+-     * check fails.
++     * field.  Return 0 if the check authoritatively succeeds,
++     * KRB5_PLUGIN_NO_HANDLE to use the core transited-checking mechanisms, or
++     * another error (other than KRB5_PLUGIN_OP_NOTSUPP) if the check fails.
+      */
+     krb5_error_code (*check_transited_realms)(krb5_context kcontext,
+                                               const krb5_data *tr_contents,
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index bc638c1..5409078 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1573,16 +1573,14 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
+ {
+     krb5_error_code             code;
+ 
+-    /* Check using krb5.conf */
+-    code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
+-    if (code)
++    /* Check against the KDB module.  Treat this answer as authoritative if the
++     * method is supported and doesn't explicitly pass control. */
++    code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
++    if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)
+         return code;
+ 
+-    /* Check against the KDB module. */
+-    code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
+-    if (code == KRB5_PLUGIN_OP_NOTSUPP)
+-        code = 0;
+-    return code;
++    /* Check using krb5.conf [capaths] or hierarchical relationships. */
++    return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
+ }
+ 
+ krb5_error_code
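Review bot: A KDB module written against the previous contract, where a 0 return from check_transited_realms only meant "no objection" because the krb5.conf check had already run first, now has that 0 treated as authoritative and the `[capaths]`/hierarchical check at the end of kdc_check_transited_list is skipped entirely; the rewritten kdb.h comment documents the new meaning, but nothing in this pull-up flags it for modules already deployed against the old one. Such a module would silently relax transited-path policy rather than fail, which is hard to notice in testing. I would extend the vftable comment with `Modules that formerly returned 0 merely to defer to the core check must now return KRB5_PLUGIN_NO_HANDLE; a 0 return bypasses the [capaths] check.` and mention the contract change in the spec %changelog entry alongside the RT#7709 reference. The signature of kdc_check_transited_list lies above this hunk, which begins at the function's opening brace.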
diff --git a/krb5.spec b/krb5.spec
index 8ca0063..d615327 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -96,6 +96,7 @@ Patch131: krb5-1.11.3-skew3.patch
 Patch132: krb5-1.11-gss-methods1.patch
 Patch133: krb5-1.11-gss-methods2.patch 
 Patch134: krb5-1.11-kpasswdtest.patch
+Patch135: krb5-1.11-check_transited.patch
 
 # Patches for otp plugin backport
 Patch201: krb5-1.11.2-keycheck.patch
@@ -325,6 +326,7 @@ ln -s NOTICE LICENSE
 %patch132 -p1 -b .gss-methods1
 %patch133 -p1 -b .gss-methods2
 %patch134 -p1 -b .kpasswdtest
+%patch135 -p1 -b .check_transited
 
 %patch201 -p1 -b .keycheck
 %patch202 -p1 -b .otp
@@ -913,6 +915,9 @@ exit 0
 
 %changelog
 * Thu Oct 24 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-10
+- pull up fix for not calling a kdb plugin's check-transited-path
+  method before calling the library's default version, which only knows
+  how to read what's in the configuration file (RT#7709, #1013664)
 - configure --without-krb5-config so that we don't pull in the old default
   ccache name when we want to stop setting a default ccache name at configure-
   time

