authorKen Raeburn <raeburn@mit.edu>2006-04-29 07:06:34 +0000
committerKen Raeburn <raeburn@mit.edu>2006-04-29 07:06:34 +0000
commit12a34f31e72124879e09adae9b196f04d0daed98 (patch)
treeefa1b71c18d18c24a9ce6672476fb4ed774193a3 /src/kdc/dispatch.c
parenta48dbb677a47fdd0241cfaab7a602f198061486f (diff)
ipv4+ipv6 messages can trip up KDC replay detection
The replay lookaside cache includes the sending address, but the krb5 library replay cache does not. So, if the same message arrives from two different source addresses, it is considered a replay by the KDC. If the client isn't receiving the replies for some reason, and the client has multiple addresses it uses to contact different addresses on the KDC (and trying to reach the KDC via both IPv4 and IPv6 is an obvious such case), this can cause errors to be returned by the KDC. * replay.c (krb5_kdc_replay_ent): Remove "addrs" field. (MATCH): Don't check it. (kdc_check_lookaside, kdc_insert_lookaside): Remove "from" argument. * kdc_util.h (kdc_check_lookaside, kdc_insert_lookaside): Update decls. * dispatch.c (dispatch): Update calls. ticket: new git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@17970 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc/dispatch.c')
-rw-r--r--src/kdc/dispatch.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
index 0432661d76..84cfe39ac5 100644
--- a/src/kdc/dispatch.c
+++ b/src/kdc/dispatch.c
@@ -49,7 +49,7 @@ dispatch(krb5_data *pkt, const krb5_fulladdr *from, krb5_data **response)
#ifndef NOCACHE
/* try the replay lookaside buffer */
- if (kdc_check_lookaside(pkt, from, response)) {
+ if (kdc_check_lookaside(pkt, response)) {
/* a hit! */
const char *name = 0;
char buf[46];
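Review bot: The comment above the new `kdc_check_lookaside(pkt, response)` call does not record that a lookaside hit no longer depends on the sender; judging by the commit description, entries now match on the packet contents alone, so a byte-identical request from any source address is answered from the cache. I would state that at the call site, e.g. `/* try the replay lookaside buffer; entries match on packet contents only, not the sender address */`, and add the same remark to the comment above `kdc_insert_lookaside(pkt, *response)` in the second hunk. The hit path appears to format the sender into `buf` for logging (inferred, since that code is outside the hunk); it is worth keeping, because the log is now the only place where a retransmission's differing source address is visible. dispatch() begins and ends outside both hunks.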
@@ -108,7 +108,7 @@ dispatch(krb5_data *pkt, const krb5_fulladdr *from, krb5_data **response)
#ifndef NOCACHE
/* put the response into the lookaside buffer */
if (!retval)
- kdc_insert_lookaside(pkt, from, *response);
+ kdc_insert_lookaside(pkt, *response);
#endif
return retval;