path: root/krb5-1.4.3-kdc_max_dgram_size.patch
blob: fdcb76a0b9818da2cdd409585e0b4e667899f842 (plain)
Implement a "max_dgram_size" parameter for realms, which will control when/if
the server will respond with KRB_ERR_RESPONSE_TOO_BIG errors to requests from
its clients.

Because the server reads its settings using libkadm5's krb5_read_realm_params
function, that function's returned structure type needs to be expanded to hold
this information, which breaks the ABI.

When processing AS or TGS requests, the server needs to keep track of whether
or not the client is issuing a request over a connected socket so that it
won't issue RESPONSE_TOO_BIG errors to connected clients.

The lookaside cache also needs to take note of the distinction so that it
doesn't replay error messages to clients who've switched from using a
connectionless socket to a connected socket and are sending the same request.

--- krb5-1.4.3/doc/definitions.texinfo	2006-01-05 15:12:12.000000000 -0500
+++ krb5-1.4.3/doc/definitions.texinfo	2006-01-05 15:12:50.000000000 -0500
@@ -97,6 +97,8 @@
 @set DefaultKDCRCache krb5kdc_rcache
 @comment KDCRCACHE
 @set DefaultRCTmpDirs /var/tmp, /usr/tmp, /var/usr/tmp, and /tmp
+@comment MAX_DGRAM_SIZE
+@set DefaultMaxDgramSize 4096
 
 @ignore
 the following defaults should be consistent with the numbers set in
--- krb5-1.4.3/doc/admin.texinfo	2006-01-05 15:13:04.000000000 -0500
+++ krb5-1.4.3/doc/admin.texinfo	2006-01-05 15:14:22.000000000 -0500
@@ -1264,6 +1264,14 @@
 valid ticket may be renewed in this realm.  The default value is
 @value{DefaultMaxRenewableLife}.
 
+@itemx max_dgram_size
+(Numeric value.)  Specifies the maximum allowed size for responses to
+client requests which are received over unconnected sockets (usually,
+UDP, as opposed to TCP).  If the response to a request would be larger
+than the specified size, a KRB_ERR_RESPONSE_TOO_BIG error is sent in
+its stead.  The default value is
+@value{DefaultMaxDgramSize}.
+
 @itemx supported_enctypes
 List of key:salt strings.  Specifies the default key/salt combinations of
 principals for this realm.  Any principals created through @code{kadmin}
--- krb5-1.4.3/src/lib/kadm5/srv/Makefile.in	2004-06-16 21:56:34.000000000 -0400
+++ krb5-1.4.3/src/lib/kadm5/srv/Makefile.in	2006-01-05 15:08:23.000000000 -0500
@@ -9,8 +9,8 @@
 ##DOSLIBNAME = libkadm5srv.lib
 
 LIBBASE=kadm5srv
-LIBMAJOR=5
-LIBMINOR=1
+LIBMAJOR=6
+LIBMINOR=0
 STOBJLISTS=../OBJS.ST OBJS.ST
 
 SHLIB_EXPDEPS=\
--- krb5-1.4.3/src/lib/kadm5/clnt/Makefile.in	2004-06-16 16:18:10.000000000 -0400
+++ krb5-1.4.3/src/lib/kadm5/clnt/Makefile.in	2006-01-05 15:08:23.000000000 -0500
@@ -5,8 +5,8 @@
 LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5
 
 LIBBASE=kadm5clnt
-LIBMAJOR=5
-LIBMINOR=1
+LIBMAJOR=6
+LIBMINOR=0
 STOBJLISTS=../OBJS.ST OBJS.ST
 SHLIB_EXPDEPS=\
 	$(TOPLIBD)/libgssrpc$(SHLIBEXT) \
--- krb5-1.4.3/src/lib/kadm5/alt_prof.c	2004-06-24 16:08:30.000000000 -0400
+++ krb5-1.4.3/src/lib/kadm5/alt_prof.c	2006-01-05 15:08:23.000000000 -0500
@@ -936,6 +936,13 @@
 	krb5_xfree(svalue);
     }
 
+    /* Get the value for the maximum datagram response size */
+    hierarchy[2] = "max_dgram_size";
+    if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) {
+	rparams->realm_max_dgram_size = ivalue;
+	rparams->realm_max_dgram_size_valid = 1;
+    }
+	    
     hierarchy[2] = "reject_bad_transit";
     if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
 	rparams->realm_reject_bad_transit = bvalue;
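Review bot: The value read for `max_dgram_size` is stored without any range check, so a zero or negative setting in kdc.conf is accepted as valid. The checks added in process_as_req and process_tgs_req compare it with `(*response)->length`, which is unsigned in krb5_data, so a negative limit converts to a very large value and silently disables the RESPONSE_TOO_BIG fallback, while zero turns every datagram reply into an error. I would accept only positive values here, `if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue) && ivalue > 0) {`, and let the caller's default apply otherwise. The enclosing function starts and ends outside the hunk.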
--- krb5-1.4.3/src/kdc/extern.h	2003-06-03 00:32:41.000000000 -0400
+++ krb5-1.4.3/src/kdc/extern.h	2006-01-05 15:08:23.000000000 -0500
@@ -64,6 +64,7 @@
     krb5_deltat		realm_maxlife;	/* Maximum ticket life for realm    */
     krb5_deltat		realm_maxrlife;	/* Maximum renewable life for realm */
     krb5_boolean	realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */
+    int			realm_max_dgram_size; /* Maximum datagram response size */
 } kdc_realm_t;
 
 extern kdc_realm_t	**kdc_realmlist;
@@ -87,6 +88,7 @@
 #define	dbm_db_name			kdc_active_realm->realm_dbname
 #define	primary_port			kdc_active_realm->realm_pport
 #define reject_bad_transit		kdc_active_realm->realm_reject_bad_transit
+#define max_dgram_size			kdc_active_realm->realm_max_dgram_size
 
 /* various externs for KDC */
 extern krb5_data 	empty_string;	/* an empty string */
--- krb5-1.4.3/src/lib/kadm5/admin.h	2005-03-22 18:53:59.000000000 -0500
+++ krb5-1.4.3/src/lib/kadm5/admin.h	2006-01-05 15:08:23.000000000 -0500
@@ -263,6 +263,7 @@
     krb5_deltat		realm_max_rlife;
     krb5_timestamp	realm_expiration;
     krb5_flags		realm_flags;
+    int			realm_max_dgram_size;
     krb5_key_salt_tuple	*realm_keysalts;
     unsigned int	realm_reject_bad_transit:1;
     unsigned int	realm_kadmind_port_valid:1;
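Review bot: `realm_max_dgram_size` is declared `int` here but `krb5_int32` in the matching krb5_realm_params hunk for src/include/krb5/adm.h, so the two definitions of the same structure no longer agree on the field's type. The value is filled from krb5_aprof_get_int32 in alt_prof.c, so `krb5_int32 realm_max_dgram_size;` in both headers would keep them consistent. Neither header documents the field; a short comment such as `/* largest reply sent over an unconnected socket */` would help. The struct's opening is outside the hunk.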
@@ -272,6 +273,7 @@
     unsigned int	realm_expiration_valid:1;
     unsigned int	realm_flags_valid:1;
     unsigned int	realm_reject_bad_transit_valid:1;
+    unsigned int	realm_max_dgram_size_valid:1;
     krb5_int32		realm_num_keysalts;
 } krb5_realm_params;
 
--- krb5-1.4.3/src/kdc/do_as_req.c	2005-07-12 16:59:52.000000000 -0400
+++ krb5-1.4.3/src/kdc/do_as_req.c	2006-01-05 15:08:23.000000000 -0500
@@ -52,7 +52,7 @@
 /*ARGSUSED*/
 krb5_error_code
 process_as_req(krb5_kdc_req *request, const krb5_fulladdr *from,
-	       krb5_data **response)
+	       krb5_boolean connected, krb5_data **response)
 {
     krb5_db_entry client, server;
     krb5_kdc_rep reply;
@@ -403,6 +403,13 @@
 	status = "ENCODE_KDC_REP";
 	goto errout;
     }
+
+    if (!connected && ((*response)->length > max_dgram_size)) {
+	errcode = KRB5KRB_ERR_RESPONSE_TOO_BIG;
+	krb5_free_data(kdc_context, *response);
+	*response = NULL;
+	goto errout;
+    }
     
     /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
        can use them in raw form if needed.  But, we don't... */
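Review bot: The new `goto errout` leaves the function after krb5_encode_kdc_rep has succeeded, so it skips whatever follows the comment about the parts "left on as a courtesy". That code is outside the hunk, but if it is where reply.enc_part.ciphertext is wiped and released, each oversized datagram reply would leave that buffer allocated and unscrubbed. The process_tgs_req hunk avoids this by not jumping and falling through to its `memset(ticket_reply.enc_part.ciphertext.data, ...)`; doing the same cleanup before the jump here would make the two paths agree. Neither hunk sets `status` on the too-big path, unlike the neighbouring `status = "ENCODE_KDC_REP";`. If logging at errout is keyed on status (not visible here), a line such as `status = "RESPONSE_TOO_BIG";` would keep the fallback visible in the KDC log.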
--- krb5-1.4.3/src/kdc/dispatch.c	2002-09-10 23:59:27.000000000 -0400
+++ krb5-1.4.3/src/kdc/dispatch.c	2006-01-05 15:08:23.000000000 -0500
@@ -39,7 +39,8 @@
 static krb5_int32 last_usec = 0, last_os_random = 0;
 
 krb5_error_code
-dispatch(krb5_data *pkt, const krb5_fulladdr *from, krb5_data **response)
+dispatch(krb5_data *pkt, const krb5_fulladdr *from, krb5_boolean connected,
+	 krb5_data **response)
 {
 
     krb5_error_code retval;
@@ -50,7 +51,7 @@
 
 #ifndef NOCACHE
     /* try the replay lookaside buffer */
-    if (kdc_check_lookaside(pkt, from, response)) {
+    if (kdc_check_lookaside(pkt, from, connected, response)) {
 	/* a hit! */
 	const char *name = 0;
 	char buf[46];
@@ -87,7 +88,7 @@
     /* try TGS_REQ first; they are more common! */
 
     if (krb5_is_tgs_req(pkt)) {
-	retval = process_tgs_req(pkt, from, response);
+	retval = process_tgs_req(pkt, from, connected, response);
     } else if (krb5_is_as_req(pkt)) {
 	if (!(retval = decode_krb5_as_req(pkt, &as_req))) {
 	    /*
@@ -95,7 +96,7 @@
 	     * pointer.
 	     */
 	    if (!(retval = setup_server_realm(as_req->server))) {
-		retval = process_as_req(as_req, from, response);
+		retval = process_as_req(as_req, from, connected, response);
 	    }
 	    krb5_free_kdc_req(kdc_context, as_req);
 	}
@@ -109,7 +110,7 @@
 #ifndef NOCACHE
     /* put the response into the lookaside buffer */
     if (!retval)
-	kdc_insert_lookaside(pkt, from, *response);
+	kdc_insert_lookaside(pkt, from, connected, *response);
 #endif
 
     return retval;
--- krb5-1.4.3/src/kdc/network.c	2005-07-12 16:59:52.000000000 -0400
+++ krb5-1.4.3/src/kdc/network.c	2006-01-05 15:08:23.000000000 -0500
@@ -744,7 +744,7 @@
     faddr.address = &addr;
     init_addr(&faddr, ss2sa(&saddr));
     /* this address is in net order */
-    if ((retval = dispatch(&request, &faddr, &response))) {
+    if ((retval = dispatch(&request, &faddr, FALSE, &response))) {
 	com_err(prog, retval, "while dispatching (udp)");
 	return;
     }
@@ -982,7 +982,7 @@
 	    /* have a complete message, and exactly one message */
 	    request.length = conn->u.tcp.msglen;
 	    request.data = conn->u.tcp.buffer + 4;
-	    err = dispatch(&request, &conn->u.tcp.faddr,
+	    err = dispatch(&request, &conn->u.tcp.faddr, TRUE,
 			   &conn->u.tcp.response);
 	    if (err) {
 		com_err(prog, err, "while dispatching (tcp)");
--- krb5-1.4.3/src/kdc/kdc_util.h	2004-09-23 22:19:42.000000000 -0400
+++ krb5-1.4.3/src/kdc/kdc_util.h	2006-01-05 15:08:23.000000000 -0500
@@ -107,15 +107,18 @@
 /* do_as_req.c */
 krb5_error_code process_as_req (krb5_kdc_req *,
 					  const krb5_fulladdr *,
+					  krb5_boolean,
 					  krb5_data ** );
 
 /* do_tgs_req.c */
 krb5_error_code process_tgs_req (krb5_data *,
 					   const krb5_fulladdr *,
+					   krb5_boolean,
 					   krb5_data ** );
 /* dispatch.c */
 krb5_error_code dispatch (krb5_data *,
 				    const krb5_fulladdr *,
+				    krb5_boolean,
 				    krb5_data **);
 
 /* main.c */
@@ -155,9 +158,9 @@
     
 /* replay.c */
 krb5_boolean kdc_check_lookaside (krb5_data *, const krb5_fulladdr *,
-					    krb5_data **);
-void kdc_insert_lookaside (krb5_data *, const krb5_fulladdr *,
-				     krb5_data *);
+			   krb5_boolean, krb5_data **);
+void kdc_insert_lookaside (krb5_data *, const krb5_fulladdr *, krb5_boolean,
+			   krb5_data *);
 void kdc_free_lookaside(krb5_context);
 
 /* which way to convert key? */
--- krb5-1.4.3/src/kdc/replay.c	2003-01-12 08:07:49.000000000 -0500
+++ krb5-1.4.3/src/kdc/replay.c	2006-01-05 15:08:23.000000000 -0500
@@ -42,6 +42,7 @@
     krb5_data *req_packet;
     krb5_data *reply_packet;
     krb5_address *addr;		/* XXX should these not be pointers? */
+    krb5_boolean connected;
 } krb5_kdc_replay_ent;
 
 static krb5_kdc_replay_ent root_ptr = {0};
@@ -62,6 +63,7 @@
 		    !memcmp((ptr)->addr->contents,			\
 			    from->address->contents,			\
 			    from->address->length)&&			\
+		    (ptr->connected == connected) &&		\
 		    ((ptr)->db_age == db_age))
 /* XXX
    Todo:  quench the size of the queue...
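Review bot: In the MATCH macro the new term writes `ptr->connected` while the neighbouring terms write `(ptr)->...`, so an argument that is an expression rather than a plain identifier would expand incorrectly; `((ptr)->connected == connected) &&` matches the rest. The term also compares two krb5_boolean values for equality, which only works while callers pass exactly TRUE or FALSE, as the network.c hunks do. `(!(ptr)->connected == !connected)` would tolerate any non-zero value. The macro's definition begins above the hunk.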
@@ -72,7 +74,7 @@
 
 krb5_boolean
 kdc_check_lookaside(krb5_data *inpkt, const krb5_fulladdr *from,
-		    krb5_data **outpkt)
+		    krb5_boolean connected, krb5_data **outpkt)
 {
     krb5_int32 timenow;
     register krb5_kdc_replay_ent *eptr, *last, *hold;
@@ -126,7 +128,7 @@
 
 void
 kdc_insert_lookaside(krb5_data *inpkt, const krb5_fulladdr *from,
-		     krb5_data *outpkt)
+		     krb5_boolean connected, krb5_data *outpkt)
 {
     register krb5_kdc_replay_ent *eptr;    
     krb5_int32 timenow;
@@ -142,6 +144,7 @@
 	return;
     eptr->timein = timenow;
     eptr->db_age = db_age;
+    eptr->connected = connected;
     /*
      * This is going to hurt a lot malloc()-wise due to the need to
      * allocate memory for the krb5_data and krb5_address elements.
--- krb5-1.4.3/src/kdc/main.c	2004-02-24 16:07:22.000000000 -0500
+++ krb5-1.4.3/src/kdc/main.c	2006-01-05 15:08:23.000000000 -0500
@@ -231,6 +231,10 @@
     rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ?
 	rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE;
 
+    /* Handle maximum datagram response size */
+    rdp->realm_max_dgram_size = (rparams && rparams->realm_max_dgram_size_valid) ?
+	rparams->realm_max_dgram_size : MAX_DGRAM_SIZE;
+
     if (rparams)
 	krb5_free_realm_params(rdp->realm_context, rparams);
 
--- krb5-1.4.3/src/kdc/do_tgs_req.c	2005-07-12 16:59:52.000000000 -0400
+++ krb5-1.4.3/src/kdc/do_tgs_req.c	2006-01-05 15:08:23.000000000 -0500
@@ -56,7 +56,7 @@
 /*ARGSUSED*/
 krb5_error_code
 process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
-		krb5_data **response)
+		krb5_boolean connected, krb5_data **response)
 {
     krb5_keyblock * subkey;
     krb5_kdc_req *request = 0;
@@ -630,7 +630,13 @@
     if (errcode) {
 	status = "ENCODE_KDC_REP";
     } else {
-	status = "ISSUE";
+	if (!connected && ((*response)->length > max_dgram_size)) {
+	    errcode = KRB5KRB_ERR_RESPONSE_TOO_BIG;
+	    krb5_free_data(kdc_context, *response);
+	    *response = NULL;
+	} else {
+	    status = "ISSUE";
+	}
     }
 
     memset(ticket_reply.enc_part.ciphertext.data, 0,
--- krb5-1.4.3/src/config-files/kdc.conf.M	2006-01-05 15:06:30.000000000 -0500
+++ krb5-1.4.3/src/config-files/kdc.conf.M	2006-01-05 15:08:23.000000000 -0500
@@ -208,6 +208,14 @@
 .B key type string
 represents the master key's key type.
 
+.IP max_dgram_size
+This
+.B size
+specifes the maximum size for a response which the KDC will provide
+to clients which use datagrams to communicate with it.  Clients whose
+requests require larger responses will instead receive RESPONSE_TOO_BIG
+errors.
+
 .IP max_life
 This
 .B delta time string
--- krb5-1.4.3/src/include/krb5/adm.h	2002-09-18 16:45:36.000000000 -0400
+++ krb5-1.4.3/src/include/krb5/adm.h	2006-01-05 15:08:23.000000000 -0500
@@ -208,6 +208,7 @@
     krb5_deltat		realm_max_rlife;
     krb5_timestamp	realm_expiration;
     krb5_flags		realm_flags;
+    krb5_int32		realm_max_dgram_size;
     krb5_key_salt_tuple	*realm_keysalts;
     unsigned int	realm_reject_bad_transit:1;
     unsigned int	realm_kadmind_port_valid:1;
@@ -217,6 +218,7 @@
     unsigned int	realm_expiration_valid:1;
     unsigned int	realm_flags_valid:1;
     unsigned int	realm_reject_bad_transit_valid:1;
+    unsigned int	realm_max_dgram_size_valid:1;
     krb5_int32		realm_num_keysalts;
 } krb5_realm_params;
 #endif	/* KRB5_ADM_H__ */