new --enable/--disable-kdc-replay-cache configure hooks

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12090 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/ChangeLog b/src/ChangeLog
index bcd24d66af533e7fe0b9d1ee8c53c2ca2abfe931..903449e247e8dfce1f82bf9f43f9fd0bd567455f 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2000-02-28  Ken Raeburn  <raeburn@mit.edu>
+
+       * configure.in: Add enable-kdc-replay-cache arg, to make usage
+       message more complete.
+
 2000-02-28  Ezra Peisach  <epeisach@mit.edu>
 
        * aclocal.m4: Define DES425_LIB and DES425_DEPLIB all the time. We

diff --git a/src/configure.in b/src/configure.in
index 26f8f3909cf294bd103dd74cfbb72821988fbb1f..3200c32a4bfcf506277d0fe37e319a66b09b9342 100644 (file)
--- a/src/configure.in
+++ b/src/configure.in
@@ -15,6 +15,12 @@ AC_MSG_RESULT($krb5_cv_prog_gcc)
 dnl
 dnl The following lines are so that configure --help gives some global 
 dnl configuration options.
+dnl
+AC_ARG_ENABLE([kdc-replay-cache],
+[  --enable-kdc-replay-cache   check for replayed/retransmitted KDC requests
+                               (recommended for replay attack detection
+                                when hardware preauthentication is in use)
+  --disable-kdc-replay-cache   omit replay detection])dnl
 KRB5_LIB_AUX
 AC_KRB5_TCL
 AC_ARG_ENABLE([athena],

diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index a49e84c9ac96c01e20b68cab14edb1b74f39c2a3..6e7892d8552e91c83cd592a1aafdcbb750a753b6 100644 (file)
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,10 @@
+2000-02-28  Ken Raeburn  <raeburn@mit.edu>
+
+       * configure.in: New enable-kdc-replay-cache arg.  Define
+       USE_RCACHE when enabled, NOCACHE when disabled.  Defaults to
+       enabled.
+       * Makefile.in (DEFINES): Don't define NOCACHE any more.
+
 2000-02-25  Tom Yu  <tlyu@mit.edu>
 
        * configure.in: Check for sys/sockio.h

diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index 58b0e4f08a14d8128030fbe3fff699aca8bce170..4d9c4f4efee4c94167514c3c58271c65fae1623f 100644 (file)
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -6,7 +6,8 @@ BUILDTOP=$(REL)$(U)
 # -DNOCACHE    - disable lookaside cache, which is used to resend previous
 #                response to replay (i.e., *don't* define this if you
 #                define USE_RCACHE)
-DEFINES = -DNOCACHE
+# These are now set in configure.in.
+DEFINES = # -DNOCACHE
 RUN_SETUP = @KRB5_RUN_ENV@
 PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
 PROG_RPATH=$(KRB5_LIBDIR)

diff --git a/src/kdc/configure.in b/src/kdc/configure.in
index 6bcd6c4d96f9f6b41e83786548ea3e1e9a6e14a2..b20ccf28208b6a21bfa69757a65ad80b8610a2e6 100644 (file)
--- a/src/kdc/configure.in
+++ b/src/kdc/configure.in
@@ -41,6 +41,30 @@ AC_ARG_ENABLE([athena],
                               includes 32-bit length codings],
 [AC_DEFINE(ATHENA_DES3_KLUDGE)],)
 dnl
+dnl Needed for hw-preauth replay detection on KDC.
+dnl
+dnl USE_RCACHE enables the replay cache
+dnl NOCACHE disables the lookaside cache
+dnl
+dnl The lookaside cache is checked first; if *exactly* the same message
+dnl comes in twice, e.g., because the (legitimate) client resent it,
+dnl the previous response will be resent.  Otherwise, the replay cache
+dnl is used to check for attempts to fake out the KDC.  Some hardware
+dnl preauth methods are weak enough that we *really* want to have this
+dnl checking turned on.
+dnl
+AC_ARG_ENABLE([kdc-replay-cache],
+[  --enable-kdc-replay-cache   check for replayed/retransmitted KDC requests
+                               (recommended for replay attack detection
+                                when hardware preauthentication is in use)
+  --disable-kdc-replay-cache   omit replay detection],
+enableval=yes)dnl
+if test "$enableval" = yes ; then
+       AC_DEFINE(USE_RCACHE)
+else
+       AC_DEFINE(NOCACHE)
+fi
+dnl
 dnl
 KRB5_RUN_FLAGS
 KRB5_BUILD_PROGRAM