From: Norman Ziert
Date: Tue, 5 Aug 2025 08:31:40 +0000 (+0000)
Subject: Bug 5407: Support at least 1000 groups per Kerberos user (#2047)
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fheads%2Fauto;p=thirdparty%2Fsquid.git
Bug 5407: Support at least 1000 groups per Kerberos user (#2047)
Increase MAX_PAC_GROUP_SIZE to a more reasonable value, so negotiate_kerberos_auth can report more than approximately 200 groups an authenticated user is member of back to Squid.
---
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
index e95216701e..8d4dd1b6d1 100644
--- a/CONTRIBUTORS
+++ b/CONTRIBUTORS
@@ -386,6 +386,7 @@ Thank you!
 Nikita <32056979+Roo4L@users.noreply.github.com>
 Nikolai Gorchilov
 noloader
+ Norman Ziert
 Ole Christensen
 Oliver Dumschat
 Oliver Hookins
diff --git a/src/auth/negotiate/kerberos/negotiate_kerberos.h b/src/auth/negotiate/kerberos/negotiate_kerberos.h
index 466b4fcc22..d70e919f13 100644
--- a/src/auth/negotiate/kerberos/negotiate_kerberos.h
+++ b/src/auth/negotiate/kerberos/negotiate_kerberos.h
@@ -114,7 +114,21 @@ char *gethost_name(void);
 #if (HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT || HAVE_GSS_MAP_NAME_TO_ANY) && HAVE_KRB5_PAC
 #define HAVE_PAC_SUPPORT 1
-#define MAX_PAC_GROUP_SIZE 200*60
+
+/**
+* MAX_PAC_GROUP_SIZE limits the string length, wherein group membership per
+* authenticated user is reported back to Squid, to a reasonable number
+* of groups multiplied by the maximum encoded group entry size.
+*
+* A group value is reported as the base64 encoded binary representation
+* of the objectSID. The theoretical size limit of an objectSID is 68 bytes.
+* The base64 representation of this byte array would count max 91 characters.
+*
+* A single group membership entry gets reported by a key-value pair followed
+* by a whitespace character as a delimiter, adding 7 more characters per entry:
+* "group= ".
+*/
+#define MAX_PAC_GROUP_SIZE (1024*98)
 typedef struct {
 uint16_t length;
 uint16_t maxlength;
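Review bot: The per-entry budget behind `(1024*98)` holds only for an unpadded base64 encoding: a 68-byte objectSID encodes to 92 characters with the usual `=` padding and to 91 only when padding is stripped, so the comment's "max 91 characters" depends on which encoder the helper uses, and that encoder is not visible in this hunk. If padding is emitted, each entry needs 99 characters and 1024 entries no longer fit the budget; either state the no-padding assumption in the comment or size for 92 and make the arithmetic visible in code, e.g. `#define MAX_PAC_GROUP_ENTRY_SIZE (92+7)` and `#define MAX_PAC_GROUP_SIZE (1024*MAX_PAC_GROUP_ENTRY_SIZE)`. The buffer(s) this macro sizes are outside the hunk, as is the rest of the `#if ... HAVE_KRB5_PAC` block; if one of them is a stack array, roughly 100 KiB on the helper's stack deserves a second look. The continuation lines of the new Doxygen block are written as `*` at column 0 rather than the more usual ` *`, which is harmless for Doxygen but reads inconsistently.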
diff --git a/src/helper.cc b/src/helper.cc
index 77aaab79c1..0cead6f48b 100644
--- a/src/helper.cc
+++ b/src/helper.cc
@@ -39,7 +39,8 @@ #define MAX_RETRIES 2
 /// Helpers input buffer size.
-const size_t ReadBufSize(32*1024);
+/// Keep in sync with MAX_PAC_GROUP_SIZE until converted to SBuf
+const size_t ReadBufSize(128*1024);
 static IOCB helperHandleRead;
 static IOCB helperStatefulHandleRead;
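Review bot: The new `Keep in sync with MAX_PAC_GROUP_SIZE` comment states a cross-file invariant without the number that makes it checkable: ReadBufSize must hold the whole helper reply line, i.e. MAX_PAC_GROUP_SIZE (100352 bytes after this commit) plus whatever precedes the group list on that line, which leaves about 30 KiB of headroom at 128*1024. A reader of helper.cc cannot see that margin, so I would spell it out: `/// Must exceed MAX_PAC_GROUP_SIZE (negotiate_kerberos.h) plus the rest of the reply line; 128 KiB leaves ~30 KiB headroom.` ReadBufSize presumably sizes the input buffer of every helper process, not only the Kerberos one, so this quadruples per-helper buffer memory; if that matters for large helper pools it belongs in the commit message. How a reply longer than the buffer is handled is not visible in this hunk.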