This seems like a good idea (and I'm sorry I didn't get to reviewing it
sooner), but I've got some concerns:
* The lookaside cache is there largely to prevent the libkrb5 replay
cache from reporting a replay error. If a message comes in over UDP, a
response gets sent and lost for some reason (firewall?), and then the
client tries sending the same message over TCP, I think this patch will
cause the library to detect a replay that gets past the lookaside cache.
Perhaps we should cache the "real" result before reporting the too-big
error (or retrieve the cached result and then check its size), though
that would mean some rearranging of code.
* Does it make sense for the maximum size to be a realm parameter? I'm
thinking of a KDC set up to service multiple realms... the realm data
may determine whether large responses are likely to be generated, but I
would think the network environment (or an "I'm testing" flag) would be
the determining factor as to when you'd want to switch to TCP.
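The ordering concern in the first point above, as an added toy model in C (not part of the original message and not krb5 code). It assumes the too-big error is returned over UDP without the real reply being stored in the lookaside cache, and compares that with storing the real reply first; the struct, function names, one-slot caches and the 8-byte limit are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Toy model, not krb5 code: one-slot caches, constructed names and sizes. */
enum { OK, TOO_BIG, REPLAY };
enum { UDP, TCP };
#define MAX_UDP_REPLY 8            /* hypothetical UDP reply size limit */
struct kdc {
    char seen[32];                 /* stands in for the libkrb5 replay cache */
    char la_req[32], la_rep[32];   /* lookaside cache: request -> real reply */
    int la_valid;
};

/* Request processing: the replay cache rejects a request it has seen. */
static int process(struct kdc *k, const char *req, char *rep, size_t n)
{
    if (strcmp(k->seen, req) == 0)
        return REPLAY;
    snprintf(k->seen, sizeof k->seen, "%s", req);
    snprintf(rep, n, "reply-to-%s", req);
    return OK;
}

/* cache_first=0: a too-big reply is never stored in the lookaside cache.
 * cache_first=1: the real reply is stored, then its size is checked. */
static int dispatch(struct kdc *k, const char *req, int transport, int cache_first)
{
    char rep[32];
    int rc, hit = k->la_valid && strcmp(k->la_req, req) == 0;
    if (!hit && (rc = process(k, req, rep, sizeof rep)) != OK)
        return rc;                 /* lookaside miss, replay cache fired */
    const char *out = hit ? k->la_rep : rep;
    int too_big = transport == UDP && strlen(out) > MAX_UDP_REPLY;
    if (!hit && (cache_first || !too_big)) {
        snprintf(k->la_req, sizeof k->la_req, "%s", req);
        snprintf(k->la_rep, sizeof k->la_rep, "%s", rep);
        k->la_valid = 1;
    }
    return too_big ? TOO_BIG : OK;
}

/* Same request over UDP, then retried over TCP; returns the TCP result. */
static int udp_then_tcp(int cache_first)
{
    struct kdc k = {0};
    dispatch(&k, "AS-REQ#1", UDP, cache_first);
    return dispatch(&k, "AS-REQ#1", TCP, cache_first);
}
int main(void)
{
    printf("size check first: %d, cache first: %d\n", udp_then_tcp(0), udp_then_tcp(1));
    return 0;
}
```

In this model the TCP retry returns `REPLAY` when the size check comes first and `OK` when the real reply is cached before the size check.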