Age | Commit message (Collapse) | Author | Files | Lines |
|
Make kdc_active_realm a local variable in every function that needs
it. Pass it around in various state structures as needed. Keep the
macros that reference its members remain for now.
|
|
Use the provided krb5_context, not kdc_context, which isn't valid when
kdc_free_lookaside() is called.
|
|
Add a preprocessor constant LOOKASIDE_MAX_SIZE (defaulting to 10MB)
which limits the total size of the lookaside cache entries. Purge
stale entries in kdc_insert_lookaside instead of kdc_check_lookaside,
and when doing so, continue purging non-stale entries until the total
cache size (including the new entry) is within the size constraint.
|
|
Use krb5_data structures instead of pointers in the entry structure,
reducing the number of memory allocations.
|
|
Add a hash table to kdc/replay.c for fast lookup of incoming packets.
Continue to keep a time-ordered linked list of all entries for fast
expiry of stale entries. The preprocessor constant
LOOKASIDE_HASH_SIZE can be used to change the size of the hash table.
|
|
Supporting asynchronous preauth modules means that the KDC can receive
a retransmitted request before it finishes processing the initial
request. Ignore those retransmits instead of processing them.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25350 dc483132-0cff-0310-8789-dd5450dbe970
|
|
We do not need to check reply retransmissions for staleness any more
than TCP needs to. A genuinely new request will have a different
nonce.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24936 dc483132-0cff-0310-8789-dd5450dbe970
|
|
and license comments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
|
|
make reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
|
|
The replay lookaside cache includes the sending address, but the krb5
library replay cache does not. So, if the same message arrives from
two different source addresses, it is considered a replay by the KDC.
If the client isn't receiving the replies for some reason, and the
client has multiple addresses it uses to contact different addresses
on the KDC (and trying to reach the KDC via both IPv4 and IPv6 is an
obvious such case), this can cause errors to be returned by the KDC.
* replay.c (krb5_kdc_replay_ent): Remove "addrs" field.
(MATCH): Don't check it.
(kdc_check_lookaside, kdc_insert_lookaside): Remove "from" argument.
* kdc_util.h (kdc_check_lookaside, kdc_insert_lookaside): Update decls.
* dispatch.c (dispatch): Update calls.
ticket: new
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17970 dc483132-0cff-0310-8789-dd5450dbe970
|
|
kdc_free_lookaside() instead of per realm one - which has been
freed by time invoked.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15113 dc483132-0cff-0310-8789-dd5450dbe970
|
|
realm_tcp_ports data, kdc_realmlist, close the replay cache, and
free the lookaside cache.
* network.c (FREE_SET_DATA): Do not free a NULL pointer.
* replay.c, kdc_util.h: Add kdc_free_lookaside() to clear the lookaside
cache on shutdown - to search for memory leaks.
* rtest.c (main): Do not allocate or free a NULL pointer.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15080 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14841 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12103 dc483132-0cff-0310-8789-dd5450dbe970
|
|
const to allow passing a const krb5_fulladdr * and keeping the compiler happy.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12102 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11853 dc483132-0cff-0310-8789-dd5450dbe970
|
|
theoretically make certain attacks more difficult, but the replay cache is
disabled, the attack is very difficult compared to other existing attacks
(would need huge numbers of queries), and under heavy load the lookaside cache
degrades performance.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11538 dc483132-0cff-0310-8789-dd5450dbe970
|
|
the input address.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11533 dc483132-0cff-0310-8789-dd5450dbe970
|
|
(kdc_insert_lookaside): Add code to originating address of packet,
as krb4 initial ticket requests don't contain an address. This
would cause a subtle problem wherein two simultaneous krb4 initial
ticket requests for the same principal originating from different
addresses would result in both replies containing the same
address.
* kdc_util.h: Modify prototype for lookaside functions.
* dispatch.c (dispatch): Update to new calling conventions of the
lookaside functions.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10713 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@9905 dc483132-0cff-0310-8789-dd5450dbe970
|
|
modification time, so that if the database is modified in
between when it receives a request and when it receives a
replay of the same request, it knows to throw away the
replay cache entry and generate a new response (since the
record in the database on which the response is based may
have been modified).
main.c (kdc_com_err_proc): Use syslog() instead of vsyslog().
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5233 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5031 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Added krb5_context to all krb5_*() routines.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4815 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4190 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2667 dc483132-0cff-0310-8789-dd5450dbe970
|
|
to "may require..."
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2638 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2156 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2133 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1916 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1692 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1688 dc483132-0cff-0310-8789-dd5450dbe970
|