[1177] in Kerberos-V5-bugs
krb5b4pl3: KDC replay cache should store database modification time
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Tue Mar 14 16:48:07 1995
From: "Jonathan I. Kamens" <jik@cam.ov.com>
Date: Tue, 14 Mar 1995 16:51:10 -0500
To: krb5-bugs@MIT.EDU
The KDC replay cache needs to store the database modification time, so
that if the database is modified in between when it receives a request
and when it receives a replay of the same request, it knows to throw
away the replay cache entry and generate a new response (since the
record in the database on which the response is based may have been
modified).
Here's a patch:
--- kdc/replay.c 1995/03/09 15:49:55 1.1
+++ kdc/replay.c 1995/03/09 15:50:32 1.2
@@ -36,6 +36,7 @@
struct _krb5_kdc_replay_ent *next;
int num_hits;
krb5_int32 timein;
+ time_t db_age;
krb5_data *req_packet;
krb5_data *reply_packet;
} krb5_kdc_replay_ent;
@@ -48,10 +49,12 @@
static int num_entries = 0;
#define STALE_TIME 2*60 /* two minutes */
-#define STALE(ptr) (abs((ptr)->timein - timenow) >= STALE_TIME)
+#define STALE(ptr) ((abs((ptr)->timein - timenow) >= STALE_TIME) || \
+ ((ptr)->db_age != db_age))
#define MATCH(ptr) (((ptr)->req_packet->length == inpkt->length) && \
- !memcmp((ptr)->req_packet->data, inpkt->data, inpkt->length))
+ !memcmp((ptr)->req_packet->data, inpkt->data, inpkt->length) && \
+ ((ptr)->db_age == db_age))
/* XXX
Todo: quench the size of the queue...
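Review bot: The new `(ptr)->db_age != db_age` and `== db_age` tests in STALE and MATCH compare `time_t` values, so two database changes landing in the same second would presumably report the same age, and a cached reply built from the older record could still be returned for a replay. If `krb5_db_get_age` cannot report finer resolution, that limit should be documented next to the macros, for example `/* db_age has one-second resolution; a change in the same second as the cached entry is not detected */`. Both macros now also depend on a local named `db_age` in the expanding function, in addition to `timenow` and `inpkt`, which deserves a line in the same comment.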
@@ -67,10 +70,18 @@
{
krb5_int32 timenow;
register krb5_kdc_replay_ent *eptr, *last, *hold;
+ time_t db_age;
- if (krb5_timeofday(&timenow))
+ /*
+ * We could modify the MATCH and STALE macros above to only call
+ * krb5_db_get_age when it's actually needed, but it's going to be
+ * needed in most calls to this function, so it's not worth the
+ * effort, especially since it would make the code more
+ * complicated.
+ */
+ if (krb5_timeofday(&timenow) || krb5_db_get_age(0, &db_age))
return FALSE;
-
+
calls++;
/* search for a replay entry in the queue, possibly removing
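Review bot: A failure of `krb5_db_get_age` in the new condition returns FALSE, which the caller presumably cannot tell apart from an ordinary cache miss, and the error code is discarded. Treating the error as a miss is the safe direction, but the matching check in the insert path (the hunk at -119) also returns silently, so a persistent failure would switch the cache off with no trace. I would state the intent with `/* on error, report a miss so the KDC recomputes the reply instead of trusting the cache */` and log the returned code where the KDC has a logging facility. The literal `0` passed as the first argument is unexplained, so a short comment saying what it selects would help. The function body starts and ends outside the hunk.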
@@ -119,8 +130,9 @@
{
register krb5_kdc_replay_ent *eptr;
krb5_int32 timenow;
+ time_t db_age;
- if (krb5_timeofday(&timenow))
+ if (krb5_timeofday(&timenow) || krb5_db_get_age(0, &db_age))
return;
/* this is a new entry */
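Review bot: The age stored with a new entry is sampled here, at insert time, by `krb5_db_get_age(0, &db_age)`, not when the reply was built. If the database is modified after the KDC computed the reply but before this function runs (reply generation is outside the hunk, so this is inferred), the entry is stamped with the newer age and a later replay would match it even though the reply reflects the old record. Capturing the age before the database lookup that produces the reply and passing it in would close that window; short of an interface change, a comment such as `/* db_age is sampled at insert time; a change between reply generation and insert is not detected */` should record the gap. The assignment `eptr->db_age = db_age;` in the following hunk is the store affected. The function body starts and ends outside the hunk.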
@@ -128,6 +140,7 @@
if (!eptr)
return;
eptr->timein = timenow;
+ eptr->db_age = db_age;
if (krb5_copy_data(inpkt, &eptr->req_packet)) {
krb5_xfree(eptr);
return;