git.ipfire.org Git - thirdparty/krb5.git/commit
ipv4+ipv6 messages can trip up KDC replay detection
author Ken Raeburn <raeburn@mit.edu>
Sat, 29 Apr 2006 07:06:34 +0000 (07:06 +0000)
committer Ken Raeburn <raeburn@mit.edu>
Sat, 29 Apr 2006 07:06:34 +0000 (07:06 +0000)
commit 12a34f31e72124879e09adae9b196f04d0daed98
tree efa1b71c18d18c24a9ce6672476fb4ed774193a3
parent a48dbb677a47fdd0241cfaab7a602f198061486f
ipv4+ipv6 messages can trip up KDC replay detection

The replay lookaside cache includes the sending address, but the krb5
library replay cache does not.  So, if the same message arrives from
two different source addresses, it is considered a replay by the KDC.
If the client isn't receiving the replies for some reason, and the
client has multiple addresses it uses to contact different addresses
on the KDC (and trying to reach the KDC via both IPv4 and IPv6 is an
obvious such case), this can cause errors to be returned by the KDC.

* replay.c (krb5_kdc_replay_ent): Remove "addrs" field.
(MATCH): Don't check it.
(kdc_check_lookaside, kdc_insert_lookaside): Remove "from" argument.
* kdc_util.h (kdc_check_lookaside, kdc_insert_lookaside): Update decls.
* dispatch.c (dispatch): Update calls.

ticket: new

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17970 dc483132-0cff-0310-8789-dd5450dbe970
src/kdc/dispatch.c
src/kdc/kdc_util.h
src/kdc/replay.c
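
A small C model of the cache mismatch the commit message describes, added here as an illustration; it is not code from krb5 or from this commit. The struct, enum and function names are hypothetical, the request string stands in for whatever each cache really keys on, and the addresses are documentation-range samples.

```c
#include <stdio.h>
#include <string.h>

enum { REPLY_OK, REPLY_CACHED, ERR_REPLAY };

/* Simplified model; every name here is hypothetical, not a krb5 identifier. */
struct kdc_model {
    int match_addr;                  /* 1 = lookaside also compares sender */
    int n_look, n_rc;
    struct { const char *pkt, *from; } look[8];   /* lookaside cache */
    const char *rc[8];               /* library replay cache: no address */
};

/* A lookaside hit resends the stored reply; a miss goes on to the replay
 * cache, which rejects any request it has already seen. */
int dispatch_model(struct kdc_model *k, const char *pkt, const char *from)
{
    for (int i = 0; i < k->n_look; i++)
        if (!strcmp(k->look[i].pkt, pkt) &&
            (!k->match_addr || !strcmp(k->look[i].from, from)))
            return REPLY_CACHED;
    for (int i = 0; i < k->n_rc; i++)
        if (!strcmp(k->rc[i], pkt))
            return ERR_REPLAY;
    if (k->n_look == 8 || k->n_rc == 8)
        return REPLY_OK;             /* model caches full: nothing stored */
    k->rc[k->n_rc++] = pkt;
    k->look[k->n_look].pkt = pkt;
    k->look[k->n_look++].from = from;
    return REPLY_OK;
}

int main(void)
{
    const char *req = "constructed-request";   /* constructed sample input */
    for (int m = 1; m >= 0; m--) {
        struct kdc_model k = { .match_addr = m };
        dispatch_model(&k, req, "192.0.2.10");             /* first try */
        int r = dispatch_model(&k, req, "2001:db8::10");   /* retransmit */
        printf("match_addr=%d: %s\n", m,
               r == ERR_REPLAY ? "replay error" : "cached reply resent");
    }
    return 0;
}
```

With match_addr set to 1 the retransmission from the second address misses the lookaside cache and is rejected as a replay; with it set to 0 the stored reply is resent.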