From cc404230c2bede6dce78ee19f88d879b5e27b71f Mon Sep 17 00:00:00 2001 From: Ken Raeburn Date: Wed, 30 Jun 1999 19:28:13 +0000 Subject: [PATCH] Disable lookaside cache. It's needed if the replay cache is enabled, and could theoretically make certain attacks more difficult, but the replay cache is disabled, the attack is very difficult compared to other existing attacks (would need huge numbers of queries), and under heavy load the lookaside cache degrades performance. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11538 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/ChangeLog | 8 ++++++++ src/kdc/Makefile.in | 8 ++++++-- src/kdc/dispatch.c | 4 ++++ src/kdc/replay.c | 4 ++++ 4 files changed, 22 insertions(+), 2 deletions(-) diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index c5162ccf5..40d581f31 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,11 @@ +1999-06-30 Ken Raeburn + + * Makefile.in (CFLAGS): Define NOCACHE. + (DEFINES): Commented out, since it's unused. + * dispatch.c (dispatch): If NOCACHE is defined, don't call + lookaside buffer code. + * replay.c: Disable all code if NOCACHE is defined. + 1999-06-28 Tom Yu * replay.c (MATCH): Fix up to compare the correct components of diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index b1b4f296a..b23d8ab0b 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -2,14 +2,18 @@ thisconfigdir=. myfulldir=kdc mydir=. BUILDTOP=$(REL)$(U) -CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) +# -DUSE_RCACHE - enable replay cache for KDC +# -DNOCACHE - disable lookaside cache, which is used to resend previous +# response to replay (i.e., *don't* define this if you +# define USE_RCACHE) +CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) -DNOCACHE RUN_SETUP = @KRB5_RUN_ENV@ PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH) PROG_RPATH=$(KRB5_LIBDIR) all:: krb5kdc rtest -DEFINES = -DBACKWARD_COMPAT $(KRB4DEF) +# DEFINES = -DBACKWARD_COMPAT $(KRB4DEF) LOCALINCLUDE = @KRB4_INCLUDES@ -I. SRCS= \ diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c index 7446ea5f8..824a3af0d 100644 --- a/src/kdc/dispatch.c +++ b/src/kdc/dispatch.c @@ -42,12 +42,14 @@ dispatch(pkt, from, portnum, response) /* decode incoming packet, and dispatch */ +#ifndef NOCACHE /* try the replay lookaside buffer */ if (kdc_check_lookaside(pkt, from, response)) { /* a hit! */ krb5_klog_syslog(LOG_INFO, "DISPATCH: replay found and re-transmitted"); return 0; } +#endif /* try TGS_REQ first; they are more common! */ if (krb5_is_tgs_req(pkt)) { @@ -70,9 +72,11 @@ dispatch(pkt, from, portnum, response) #endif else retval = KRB5KRB_AP_ERR_MSG_TYPE; +#ifndef NOCACHE /* put the response into the lookaside buffer */ if (!retval) kdc_insert_lookaside(pkt, from, *response); +#endif return retval; } diff --git a/src/kdc/replay.c b/src/kdc/replay.c index e0f3c8fd1..c3ff2a969 100644 --- a/src/kdc/replay.c +++ b/src/kdc/replay.c @@ -29,6 +29,8 @@ #include "kdc_util.h" #include "extern.h" +#ifndef NOCACHE + typedef struct _krb5_kdc_replay_ent { struct _krb5_kdc_replay_ent *next; int num_hits; @@ -166,3 +168,5 @@ kdc_insert_lookaside(inpkt, from, outpkt) num_entries++; return; } + +#endif /* NOCACHE */ -- 2.26.2