From: Greg Hudson Date: Tue, 19 Oct 2010 19:08:38 +0000 (+0000) Subject: Remove KDC replay cache X-Git-Tag: krb5-1.10-alpha1~694 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=04e4c9cb9821c5a444f69f13d95333de0d4412ba;p=krb5.git Remove KDC replay cache Now that SAM1 support has been removed, the KDC does not need a replay cache. Remove all code within USE_RCACHE and associated support. Rename --disable-kdc-replay-cache to --disable-kdc-lookaside-cache. ticket: 6804 target_version: 1.9 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24464 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/doc/build.texinfo b/doc/build.texinfo index 990817cb0..003a76613 100644 --- a/doc/build.texinfo +++ b/doc/build.texinfo @@ -561,12 +561,10 @@ locate the KDCs, and @ref{Mapping Hostnames onto Kerberos Realms} for information about using DNS to determine the default realm. By default, DNS lookups are enabled for the former but not for the latter. -@item --enable-kdc-replay-cache +@item --disable-kdc-lookaside-cache -Enable a cache in the KDC to detect retransmitted messages, and resend -the previous responses to them. This protects against certain types of -attempts to extract information from the KDC through some of the -hardware preauthentication systems. +Disables the cache in the KDC which detects retransmitted client +requests and resends the previous responses to them. @item --with-system-et diff --git a/src/configure.in b/src/configure.in index 20e014e90..ab2c689b8 100644 --- a/src/configure.in +++ b/src/configure.in 
@@ -180,24 +180,12 @@ if test "$withval" = yes; then AC_DEFINE(KRBCONF_KDC_MODIFIES_KDB,1,[Define if KDC should update database with each request]) fi -# Needed for hw-preauth replay detection on KDC. - -# USE_RCACHE enables the replay cache -# NOCACHE disables the lookaside cache - -# The lookaside cache is checked first; if *exactly* the same message -# comes in twice, e.g., because the (legitimate) client resent it, -# the previous response will be resent. Otherwise, the replay cache -# is used to check for attempts to fake out the KDC. Some hardware -# preauth methods are weak enough that we *really* want to have this -# checking turned on. - -AC_ARG_ENABLE([kdc-replay-cache], -AC_HELP_STRING([--enable-kdc-replay-cache],[check for replayed/retransmitted KDC requests (recommended when hardware preauthentication is in use) @<:@disabled@:>@]), , enableval=yes) -if test "$enableval" = yes ; then - AC_DEFINE(USE_RCACHE,1,[Define if the KDC should use a replay cache]) -else - AC_DEFINE(NOCACHE,1,[Define if the KDC should use no replay cache]) +AC_ARG_ENABLE([kdc-lookaside-cache], +AC_HELP_STRING([--disable-kdc-lookaside-cache], + [Disable the cache which detects client retransmits]), , + enableval=yes) +if test "$enableval" = no ; then + AC_DEFINE(NOCACHE,1,[Define if the KDC should use no lookaside cache]) fi KRB5_RUN_FLAGS diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index 44f0d21f0..f46cad3da 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -1,11 +1,6 @@ mydir=kdc BUILDTOP=$(REL).. -# -DUSE_RCACHE - enable replay cache for KDC -# -DNOCACHE - disable lookaside cache, which is used to resend previous -# response to replay (i.e., *don't* define this if you -# define USE_RCACHE) -# These are now set in configure.in. -DEFINES = # -DNOCACHE +DEFINES = RUN_SETUP = @KRB5_RUN_ENV@ PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) KDB5_LIB_DEPS=$(DL_LIB) $(THREAD_LINKOPTS) diff --git a/src/kdc/extern.c b/src/kdc/extern.c index effa42579..99f4114f2 100644 
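Review bot: The new `AC_ARG_ENABLE([kdc-lookaside-cache], ...)` replaces the old option name with no compatibility path, and the old `--disable-kdc-replay-cache` form was the one that defined `NOCACHE`. configure scripts generally accept unknown `--enable-*`/`--disable-*` arguments (at most with a warning), so a build recipe that still passes the old flag would presumably now yield a KDC with the lookaside cache compiled in and no error to flag the change. Consider keeping an `AC_ARG_ENABLE([kdc-replay-cache], ...)` stub whose action is `AC_MSG_WARN([--enable/--disable-kdc-replay-cache is obsolete; see --disable-kdc-lookaside-cache])`, or at least calling the rename out in the release notes. The test `if test "$enableval" = no` also treats every other value (for example `=off`) as enabled, which deserves a one-line comment.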
--- a/src/kdc/extern.c
+++ b/src/kdc/extern.c
@@ -37,6 +37,5 @@ int kdc_numrealms = 0;
 kdc_realm_t *kdc_active_realm = (kdc_realm_t *) NULL;
 krb5_data empty_string = {0, 0, ""};
 krb5_timestamp kdc_infinity = KRB5_INT32_MAX; /* XXX */
-krb5_rcache kdc_rcache = (krb5_rcache) NULL;
 krb5_keyblock psr_key;
 krb5_int32 max_dgram_reply_size = MAX_DGRAM_SIZE;
diff --git a/src/kdc/extern.h b/src/kdc/extern.h
index bb188e7e5..24bad20a5 100644
--- a/src/kdc/extern.h
+++ b/src/kdc/extern.h
@@ -99,7 +99,6 @@ kdc_realm_t *find_realm_data (char *, krb5_ui_4);
 /* various externs for KDC */
 extern krb5_data empty_string; /* an empty string */
 extern krb5_timestamp kdc_infinity; /* greater than all other timestamps */
-extern krb5_rcache kdc_rcache; /* replay cache */
 extern krb5_keyblock psr_key; /* key for predicted sam response */
 extern const int kdc_modifies_kdb;
 extern krb5_int32 max_dgram_reply_size; /* maximum datagram size */
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 7b62b53df..691ece06c 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -66,58 +66,12 @@ #include "net-server.h" #include -#ifdef USE_RCACHE -static char *kdc_current_rcname = (char *) NULL; -krb5_deltat rc_lifetime; /* See kdc_initialize_rcache() */ -#endif - #ifdef KRBCONF_VAGUE_ERRORS const int vague_errors = 1; #else const int vague_errors = 0; #endif -#ifdef USE_RCACHE -/* - * initialize the replay cache. - */ -krb5_error_code -kdc_initialize_rcache(krb5_context kcontext, char *rcache_name) -{ - krb5_error_code retval; - char *rcname; - char *sname; - - rcname = (rcache_name) ? rcache_name : kdc_current_rcname; - - /* rc_lifetime used elsewhere to verify we're not */ - /* replaying really old data */ - rc_lifetime = kcontext->clockskew; - - if (!rcname) - rcname = KDCRCACHE; - if (!(retval = krb5_rc_resolve_full(kcontext, &kdc_rcache, rcname))) { - /* Recover or initialize the replay cache */ - if (!(retval = krb5_rc_recover(kcontext, kdc_rcache)) || - !(retval = krb5_rc_initialize(kcontext, - kdc_rcache, - kcontext->clockskew)) - ) { - /* Expunge the replay cache */ - if (!(retval = krb5_rc_expunge(kcontext, kdc_rcache))) { - sname = kdc_current_rcname; - kdc_current_rcname = strdup(rcname); - if (sname) - free(sname); - } - } - if (retval) - krb5_rc_close(kcontext, kdc_rcache); - } - return(retval); -} -#endif - /* * concatenate first two authdata arrays, returning an allocated replacement. * The replacement should be freed with krb5_free_authdata(). @@ -298,11 +252,6 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, if ((retval = krb5_auth_con_setaddrs(kdc_context, auth_context, NULL, from->address)) ) goto cleanup_auth_context; -#ifdef USE_RCACHE - if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context, - kdc_rcache))) - goto cleanup_auth_context; -#endif if ((retval = kdc_get_server_key(apreq->ticket, 0, foreign_server, &krbtgt, tgskey, &kvno))) 
@@ -317,36 +266,8 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, if ((retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, apreq, apreq->ticket->server, kdc_active_realm->realm_keytab, - NULL, ticket))) { -#ifdef USE_RCACHE - /* - * I'm not so sure that this is right, but it's better than nothing - * at all. - * - * If we choke in the rd_req because of the replay cache, then attempt - * to reinitialize the replay cache because somebody could have deleted - * it from underneath us (e.g. a cron job) - */ - if ((retval == KRB5_RC_IO_IO) || - (retval == KRB5_RC_IO_UNKNOWN)) { - (void) krb5_rc_close(kdc_context, kdc_rcache); - kdc_rcache = (krb5_rcache) NULL; - if (!(retval = kdc_initialize_rcache(kdc_context, (char *) NULL))) { - if ((retval = krb5_auth_con_setrcache(kdc_context, auth_context, - kdc_rcache)) || - (retval = krb5_rd_req_decoded_anyflag(kdc_context, &auth_context, - apreq, apreq->ticket->server, - kdc_active_realm->realm_keytab, - NULL, ticket)) - ) - goto cleanup_auth_context; - } - } else - goto cleanup_auth_context; -#else + NULL, ticket))) goto cleanup_auth_context; -#endif - } /* "invalid flag" tickets can must be used to validate */ if (isflagset((*ticket)->enc_part2->flags, TKT_FLG_INVALID) @@ -423,10 +344,6 @@ cleanup_authenticator: krb5_free_authenticator(kdc_context, authenticator); cleanup_auth_context: - /* We do not want the free of the auth_context to close the rcache */ -#ifdef USE_RCACHE - (void) krb5_auth_con_setrcache(kdc_context, auth_context, 0); -#endif krb5_auth_con_free(kdc_context, auth_context); cleanup: diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index e969c9db4..998f29559 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -138,9 +138,6 @@ dispatch (void *, krb5_data **, int); -/* main.c */ -krb5_error_code kdc_initialize_rcache (krb5_context, char *); - krb5_error_code setup_server_realm (krb5_principal); void 
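Review bot: After this change the `krb5_rd_req_decoded_anyflag()` call in kdc_process_tgs_req runs with no replay cache attached to `auth_context` (the `krb5_auth_con_setrcache()` call is removed in the preceding hunk), and nothing in the new code records that this is deliberate. The rationale exists only in the commit message, so someone auditing TGS-REQ handling later cannot tell from the source whether replay detection was dropped on purpose. I would add a comment above the call, for example `/* No replay cache is set on auth_context; the KDC no longer uses one (ticket 6804). */`. As a style point, the `if` now pairs a multi-line condition with an unbraced `goto cleanup_auth_context;`, and keeping the braces would make the body harder to misread. The function begins and ends outside this hunk.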
diff --git a/src/kdc/main.c b/src/kdc/main.c index 8d5d9a800..5b90bd592 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -651,7 +651,6 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) char *db_name = (char *) NULL; char *lrealm = (char *) NULL; char *mkey_name = (char *) NULL; - char *rcname = KDCRCACHE; krb5_error_code retval; krb5_enctype menctype = ENCTYPE_UNKNOWN; kdc_realm_t *rdatap = NULL; @@ -805,7 +804,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) com_err(argv[0], 0, "invalid enctype %s", optarg); break; case 'R': - rcname = optarg; + /* Replay cache name; defunct since we don't use a replay cache. */ break; case 'P': pid_file = optarg; @@ -860,17 +859,6 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) } } -#ifdef USE_RCACHE - /* - * Now handle the replay cache. - */ - if ((retval = kdc_initialize_rcache(kcontext, rcname))) { - com_err(argv[0], retval, "while initializing KDC replay cache '%s'", - rcname); - exit(1); - } -#endif - /* Ensure that this is set for our first request. */ kdc_active_realm = kdc_realmlist[0]; if (default_udp_ports) @@ -1080,9 +1068,6 @@ int main(int argc, char **argv) finish_realms(); if (kdc_realmlist) free(kdc_realmlist); -#ifdef USE_RCACHE - (void) krb5_rc_close(kcontext, kdc_rcache); -#endif #ifndef NOCACHE kdc_free_lookaside(kcontext); #endif
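Review bot: The `case 'R':` branch in initialize_realms now accepts `-R` and silently discards its argument, so an operator whose startup script still passes a replay cache name gets no indication that the KDC is running without one. A one-line notice would make the change visible at startup, for example `com_err(argv[0], 0, "-R is ignored: the KDC no longer uses a replay cache");` placed before the `break;`. The diff shown does not touch the usage text or man page; if `-R` is still documented there, it should be marked as ignored as well. The function body extends beyond this hunk.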