author | Greg Hudson <ghudson@mit.edu> | 2010-10-19 19:08:38 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2010-10-19 19:08:38 +0000 |
commit | 04e4c9cb9821c5a444f69f13d95333de0d4412ba (patch) | |
tree | 2a9bf3501a7ad53fa7840cade8b0002c1c48d6e2 /src/kdc | |
parent | 7e56b7883283c06e14095644de3734f71c2737ba (diff) | |
Remove KDC replay cache
Now that SAM1 support has been removed, the KDC does not need a replay
cache. Remove all code within USE_RCACHE and associated support.
Rename --disable-kdc-replay-cache to --disable-kdc-lookaside-cache.
ticket: 6804
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24464 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kdc')
-rw-r--r-- | src/kdc/Makefile.in | 7 | ||||
-rw-r--r-- | src/kdc/extern.c | 1 | ||||
-rw-r--r-- | src/kdc/extern.h | 1 | ||||
-rw-r--r-- | src/kdc/kdc_util.c | 85 | ||||
-rw-r--r-- | src/kdc/kdc_util.h | 3 | ||||
-rw-r--r-- | src/kdc/main.c | 17 |
6 files changed, 3 insertions, 111 deletions
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index 44f0d21f0f..f46cad3da0 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -1,11 +1,6 @@
 mydir=kdc
 BUILDTOP=$(REL)..
-# -DUSE_RCACHE - enable replay cache for KDC
-# -DNOCACHE - disable lookaside cache, which is used to resend previous
-# response to replay (i.e., *don't* define this if you
-# define USE_RCACHE)
-# These are now set in configure.in.
-DEFINES = # -DNOCACHE
+DEFINES =
 RUN_SETUP = @KRB5_RUN_ENV@
 PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
 KDB5_LIB_DEPS=$(DL_LIB) $(THREAD_LINKOPTS)
diff --git a/src/kdc/extern.c b/src/kdc/extern.c
index effa42579a..99f4114f2c 100644
--- a/src/kdc/extern.c
+++ b/src/kdc/extern.c
@@ -37,6 +37,5 @@ int kdc_numrealms = 0;
 kdc_realm_t *kdc_active_realm = (kdc_realm_t *) NULL;
 krb5_data empty_string = {0, 0, ""};
 krb5_timestamp kdc_infinity = KRB5_INT32_MAX; /* XXX */
-krb5_rcache kdc_rcache = (krb5_rcache) NULL;
 krb5_keyblock psr_key;
 krb5_int32 max_dgram_reply_size = MAX_DGRAM_SIZE;
diff --git a/src/kdc/extern.h b/src/kdc/extern.h
index bb188e7e57..24bad20a50 100644
--- a/src/kdc/extern.h
+++ b/src/kdc/extern.h
@@ -99,7 +99,6 @@ kdc_realm_t *find_realm_data (char *, krb5_ui_4);
 /* various externs for KDC */
 extern krb5_data empty_string; /* an empty string */
 extern krb5_timestamp kdc_infinity; /* greater than all other timestamps */
-extern krb5_rcache kdc_rcache; /* replay cache */
 extern krb5_keyblock psr_key; /* key for predicted sam response */
 extern const int kdc_modifies_kdb;
 extern krb5_int32 max_dgram_reply_size; /* maximum datagram size */
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 7b62b53df5..691ece06c9 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
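Review bot: The new `DEFINES =` line in the Makefile.in hunk drops the only comment that said where NOCACHE comes from, so a reader of the Makefile no longer has any pointer to the configure switch that controls the lookaside cache. I'd keep one line above it, e.g. `# NOCACHE (lookaside cache off) is set by configure; see --disable-kdc-lookaside-cache.`, so the build-time knob that governs duplicate-request handling stays discoverable. That NOCACHE is set from configure is my reading of the removed "These are now set in configure.in" comment and the option rename in the commit message; confirm before wording it as fact. The extern.c and extern.h hunks on this line are pure deletions and need nothing.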
@@ -66,58 +66,12 @@ #include "net-server.h" #include <limits.h> -#ifdef USE_RCACHE -static char *kdc_current_rcname = (char *) NULL; -krb5_deltat rc_lifetime; /* See kdc_initialize_rcache() */ -#endif - #ifdef KRBCONF_VAGUE_ERRORS const int vague_errors = 1; #else const int vague_errors = 0; #endif -#ifdef USE_RCACHE -/* - * initialize the replay cache. - */ -krb5_error_code -kdc_initialize_rcache(krb5_context kcontext, char *rcache_name) -{ - krb5_error_code retval; - char *rcname; - char *sname; - - rcname = (rcache_name) ? rcache_name : kdc_current_rcname; - - /* rc_lifetime used elsewhere to verify we're not */ - /* replaying really old data */ - rc_lifetime = kcontext->clockskew; - - if (!rcname) - rcname = KDCRCACHE; - if (!(retval = krb5_rc_resolve_full(kcontext, &kdc_rcache, rcname))) { - /* Recover or initialize the replay cache */ - if (!(retval = krb5_rc_recover(kcontext, kdc_rcache)) || - !(retval = krb5_rc_initialize(kcontext, - kdc_rcache, - kcontext->clockskew)) - ) { - /* Expunge the replay cache */ - if (!(retval = krb5_rc_expunge(kcontext, kdc_rcache))) { - sname = kdc_current_rcname; - kdc_current_rcname = strdup(rcname); - if (sname) - free(sname); - } - } - if (retval) - krb5_rc_close(kcontext, kdc_rcache); - } - return(retval); -} -#endif - /* * concatenate first two authdata arrays, returning an allocated replacement. * The replacement should be freed with krb5_free_authdata(). @@ -298,11 +252,6 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, if ((retval = krb5_auth_con_setaddrs(kdc_context, auth_context, NULL, from->address)) ) goto cleanup_auth_context; -#ifdef USE_RCACHE - if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context, - kdc_rcache))) - goto cleanup_auth_context; -#endif if ((retval = kdc_get_server_key(apreq->ticket, 0, foreign_server, &krbtgt, tgskey, &kvno))) 
@@ -317,36 +266,8 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, if ((retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq, apreq->ticket->server, kdc_active_realm->realm_keytab, - NULL, ticket))) { -#ifdef USE_RCACHE - /* - * I'm not so sure that this is right, but it's better than nothing - * at all. - * - * If we choke in the rd_req because of the replay cache, then attempt - * to reinitialize the replay cache because somebody could have deleted - * it from underneath us (e.g. a cron job) - */ - if ((retval == KRB5_RC_IO_IO) || - (retval == KRB5_RC_IO_UNKNOWN)) { - (void) krb5_rc_close(kdc_context, kdc_rcache); - kdc_rcache = (krb5_rcache) NULL; - if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) { - if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context, - kdc_rcache)) || - (retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, - apreq, apreq->ticket->server, - kdc_active_realm->realm_keytab, - NULL, ticket)) - ) - goto cleanup_auth_context; - } - } else - goto cleanup_auth_context; -#else + NULL, ticket))) goto cleanup_auth_context; -#endif - } /* "invalid flag" tickets can must be used to validate */ if (isflagset((*ticket)->enc_part2->flags, TKT_FLG_INVALID) @@ -423,10 +344,6 @@ cleanup_authenticator: krb5_free_authenticator(kdc_context, authenticator); cleanup_auth_context: - /* We do not want the free of the auth_context to close the rcache */ -#ifdef USE_RCACHE - (void) krb5_auth_con_setrcache(kdc_context, auth_context, 0); -#endif krb5_auth_con_free(kdc_context, auth_context); cleanup: diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index e969c9db4d..998f295593 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -138,9 +138,6 @@ dispatch (void *, krb5_data **, int); -/* main.c */ -krb5_error_code kdc_initialize_rcache (krb5_context, char *); - krb5_error_code setup_server_realm (krb5_principal); void 
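Review bot: At the `krb5_rd_req_decoded_anyflag` call in the `@@ -317,36 +266,8 @@` hunk of kdc_process_tgs_req, the auth context now carries no replay cache, so this call no longer rejects a replayed TGS-REQ authenticator, and nothing in the new code says where that case is handled instead. I'd add a comment above the call, `/* No rcache is attached to auth_context, so a replayed TGS-REQ is not rejected here; duplicate requests are answered from the lookaside cache (see NOCACHE). */`, so the next reader does not assume replay detection is still in effect at this point. The lookaside-cache behaviour is my reading of the removed Makefile comment ("resend previous response to replay"); confirm before stating it as fact. kdc_process_tgs_req begins before this hunk and continues past it, and the `@@ -423,10 +344,6 @@` hunk and the kdc_util.h hunk on this line are pure deletions.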
diff --git a/src/kdc/main.c b/src/kdc/main.c index 8d5d9a8005..5b90bd5926 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -651,7 +651,6 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) char *db_name = (char *) NULL; char *lrealm = (char *) NULL; char *mkey_name = (char *) NULL; - char *rcname = KDCRCACHE; krb5_error_code retval; krb5_enctype menctype = ENCTYPE_UNKNOWN; kdc_realm_t *rdatap = NULL; @@ -805,7 +804,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) com_err(argv[0], 0, "invalid enctype %s", optarg); break; case 'R': - rcname = optarg; + /* Replay cache name; defunct since we don't use a replay cache. */ break; case 'P': pid_file = optarg; @@ -860,17 +859,6 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) } } -#ifdef USE_RCACHE - /* - * Now handle the replay cache. - */ - if ((retval = kdc_initialize_rcache(kcontext, rcname))) { - com_err(argv[0], retval, "while initializing KDC replay cache '%s'", - rcname); - exit(1); - } -#endif - /* Ensure that this is set for our first request. */ kdc_active_realm = kdc_realmlist[0]; if (default_udp_ports) @@ -1080,9 +1068,6 @@ int main(int argc, char **argv) finish_realms(); if (kdc_realmlist) free(kdc_realmlist); -#ifdef USE_RCACHE - (void) krb5_rc_close(kcontext, kdc_rcache); -#endif #ifndef NOCACHE kdc_free_lookaside(kcontext); #endif |
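Review bot: In the `case 'R':` hunk of initialize_realms, `-R <name>` is still parsed but now silently discarded, so an operator who keeps `-R` in a startup script gets no signal that the option does nothing. Since the neighbouring branch already reports through `com_err(argv[0], 0, "invalid enctype %s", optarg);`, I'd replace the bare comment with `com_err(argv[0], 0, "-R is ignored: the KDC no longer uses a replay cache");` and keep a comment saying the option is retained only for command-line compatibility; alternatively drop `R:` from the getopt string and the usage text, which are presumably outside this hunk. initialize_realms begins before this hunk and continues past it; the other main.c hunks on this line are pure deletions.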