authorGreg Hudson <ghudson@mit.edu>2013-09-25 10:40:23 -0400
committerGreg Hudson <ghudson@mit.edu>2013-09-25 10:49:56 -0400
commit0406cd81ef9d18cd505fffabba3ac78901dc797d (patch)
treec34f383c3f6ea896168c71c418209d6e9b1869c6 /src/kdc
parent620275cd43e237ab273b726b2aee0ae729587772 (diff)
Support authoritative KDB check_transited methods
In kdc_check_transited_list, consult the KDB module first. If it succeeds, treat this as authoritative and do not use the core transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to fall back to core mechanisms. ticket: 7709
Diffstat (limited to 'src/kdc')
-rw-r--r--src/kdc/kdc_util.c14
1 files changed, 6 insertions, 8 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index bc638c1..5409078 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1573,16 +1573,14 @@ kdc_check_transited_list(kdc_realm_t *kdc_active_realm,
{
krb5_error_code code;
- /* Check using krb5.conf */
- code = krb5_check_transited_list(kdc_context, trans, realm1, realm2);
- if (code)
+ /* Check against the KDB module. Treat this answer as authoritative if the
+ * method is supported and doesn't explicitly pass control. */
+ code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
+ if (code != KRB5_PLUGIN_OP_NOTSUPP && code != KRB5_PLUGIN_NO_HANDLE)
return code;
- /* Check against the KDB module. */
- code = krb5_db_check_transited_realms(kdc_context, trans, realm1, realm2);
- if (code == KRB5_PLUGIN_OP_NOTSUPP)
- code = 0;
- return code;
+ /* Check using krb5.conf [capaths] or hierarchical relationships. */
+ return krb5_check_transited_list(kdc_context, trans, realm1, realm2);
}
krb5_error_code
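Review bot: A zero return from krb5_db_check_transited_realms() now leaves through the first `return code;`, so the krb5.conf [capaths] and hierarchical check on the last line is skipped whenever the module accepts the path; before this change both checks had to pass. The new comment says "authoritative" but does not spell out that contract, so I would add a line such as `/* A 0 return accepts the transited path without consulting [capaths]; a module that does not make the full decision must return KRB5_PLUGIN_NO_HANDLE. */`. Any other module error is returned as a denial, which fails closed and looks right, but it is worth confirming that modules already implementing this method do not return 0 as a default. The function's signature and parameter list start outside the hunk.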