From 8f8c45e408e3c6935ec805ecd5433361cd397ca4 Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Mon, 28 Feb 2000 22:10:17 +0000 Subject: [PATCH] new --enable/--disable-kdc-replay-cache configure hooks git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12090 dc483132-0cff-0310-8789-dd5450dbe970 --- src/ChangeLog | 5 +++++ src/configure.in | 6 ++++++ src/kdc/ChangeLog | 7 +++++++ src/kdc/Makefile.in | 3 ++- src/kdc/configure.in | 24 ++++++++++++++++++++++++ 5 files changed, 44 insertions(+), 1 deletion(-) diff --git a/src/ChangeLog b/src/ChangeLog index bcd24d66a..903449e24 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2000-02-28 Ken Raeburn + + * configure.in: Add enable-kdc-replay-cache arg, to make usage + message more complete. + 2000-02-28 Ezra Peisach * aclocal.m4: Define DES425_LIB and DES425_DEPLIB all the time. We diff --git a/src/configure.in b/src/configure.in index 26f8f3909..3200c32a4 100644 --- a/src/configure.in +++ b/src/configure.in @@ -15,6 +15,12 @@ AC_MSG_RESULT($krb5_cv_prog_gcc) dnl dnl The following lines are so that configure --help gives some global dnl configuration options. +dnl +AC_ARG_ENABLE([kdc-replay-cache], +[ --enable-kdc-replay-cache check for replayed/retransmitted KDC requests + (recommended for replay attack detection + when hardware preauthentication is in use) + --disable-kdc-replay-cache omit replay detection])dnl KRB5_LIB_AUX AC_KRB5_TCL AC_ARG_ENABLE([athena], diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index a49e84c9a..6e7892d85 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,10 @@ +2000-02-28 Ken Raeburn + + * configure.in: New enable-kdc-replay-cache arg. Define + USE_RCACHE when enabled, NOCACHE when disabled. Defaults to + enabled. + * Makefile.in (DEFINES): Don't define NOCACHE any more. + 2000-02-25 Tom Yu * configure.in: Check for sys/sockio.h diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index 58b0e4f08..4d9c4f4ef 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -6,7 +6,8 @@ BUILDTOP=$(REL)$(U) # -DNOCACHE - disable lookaside cache, which is used to resend previous # response to replay (i.e., *don't* define this if you # define USE_RCACHE) -DEFINES = -DNOCACHE +# These are now set in configure.in. +DEFINES = # -DNOCACHE RUN_SETUP = @KRB5_RUN_ENV@ PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) PROG_RPATH=$(KRB5_LIBDIR) diff --git a/src/kdc/configure.in b/src/kdc/configure.in index 6bcd6c4d9..b20ccf282 100644 --- a/src/kdc/configure.in +++ b/src/kdc/configure.in @@ -41,6 +41,30 @@ AC_ARG_ENABLE([athena], includes 32-bit length codings], [AC_DEFINE(ATHENA_DES3_KLUDGE)],) dnl +dnl Needed for hw-preauth replay detection on KDC. +dnl +dnl USE_RCACHE enables the replay cache +dnl NOCACHE disables the lookaside cache +dnl +dnl The lookaside cache is checked first; if *exactly* the same message +dnl comes in twice, e.g., because the (legitimate) client resent it, +dnl the previous response will be resent. Otherwise, the replay cache +dnl is used to check for attempts to fake out the KDC. Some hardware +dnl preauth methods are weak enough that we *really* want to have this +dnl checking turned on. +dnl +AC_ARG_ENABLE([kdc-replay-cache], +[ --enable-kdc-replay-cache check for replayed/retransmitted KDC requests + (recommended for replay attack detection + when hardware preauthentication is in use) + --disable-kdc-replay-cache omit replay detection], +enableval=yes)dnl +if test "$enableval" = yes ; then + AC_DEFINE(USE_RCACHE) +else + AC_DEFINE(NOCACHE) +fi +dnl dnl KRB5_RUN_FLAGS KRB5_BUILD_PROGRAM -- 2.26.2