theoretically make certain attacks more difficult, but the replay cache is
disabled, the attack is very difficult compared to other existing attacks
(would need huge numbers of queries), and under heavy load the lookaside cache
degrades performance.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11538
dc483132-0cff-0310-8789-
dd5450dbe970
+1999-06-30 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in (CFLAGS): Define NOCACHE.
+ (DEFINES): Commented out, since it's unused.
+ * dispatch.c (dispatch): If NOCACHE is defined, don't call
+ lookaside buffer code.
+ * replay.c: Disable all code if NOCACHE is defined.
+
1999-06-28 Tom Yu <tlyu@mit.edu>
* replay.c (MATCH): Fix up to compare the correct components of
myfulldir=kdc
mydir=.
BUILDTOP=$(REL)$(U)
-CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE)
+# -DUSE_RCACHE - enable replay cache for KDC
+# -DNOCACHE - disable lookaside cache, which is used to resend previous
+# response to replay (i.e., *don't* define this if you
+# define USE_RCACHE)
+CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) -DNOCACHE
RUN_SETUP = @KRB5_RUN_ENV@
PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
PROG_RPATH=$(KRB5_LIBDIR)
all:: krb5kdc rtest
-DEFINES = -DBACKWARD_COMPAT $(KRB4DEF)
+# DEFINES = -DBACKWARD_COMPAT $(KRB4DEF)
LOCALINCLUDE = @KRB4_INCLUDES@ -I.
SRCS= \
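Review bot: The rule that NOCACHE must not be combined with USE_RCACHE exists only in the new comment above `CFLAGS`, so a later edit that adds `-DUSE_RCACHE` without removing `-DNOCACHE` would still build cleanly. A guard in a KDC source file that is always compiled (dispatch.c, for instance) would turn that misconfiguration into a build failure: `#if defined(NOCACHE) && defined(USE_RCACHE)`, `#error "NOCACHE and USE_RCACHE are mutually exclusive"`, `#endif`. The comment's "resend previous response to replay" would also read more clearly as `# -DNOCACHE - disable lookaside cache, which resends the previous response to a retransmitted request`. The commented-out `DEFINES` line could simply be deleted, since the ChangeLog entry already records that it was unused.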
/* decode incoming packet, and dispatch */
+#ifndef NOCACHE
/* try the replay lookaside buffer */
if (kdc_check_lookaside(pkt, from, response)) {
/* a hit! */
krb5_klog_syslog(LOG_INFO, "DISPATCH: replay found and re-transmitted");
return 0;
}
+#endif
/* try TGS_REQ first; they are more common! */
if (krb5_is_tgs_req(pkt)) {
#endif
else
retval = KRB5KRB_AP_ERR_MSG_TYPE;
+#ifndef NOCACHE
/* put the response into the lookaside buffer */
if (!retval)
kdc_insert_lookaside(pkt, from, *response);
+#endif
return retval;
}
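Review bot: The two new `#endif` lines in dispatch() are unlabelled and sit on either side of an existing bare `#endif`, so it is hard to see which conditional each one closes. The replay.c change in this commit uses `#endif /* NOCACHE */`, and the same label here would keep the two files consistent. With NOCACHE defined, the `DISPATCH: replay found and re-transmitted` syslog call is compiled out as well, so this path no longer records duplicate requests; a comment above the first guard such as `/* NOCACHE: retransmitted requests are processed again from scratch and are not logged as replays */` would make that visible to whoever reads the KDC logs. dispatch() begins outside the visible lines.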
#include "kdc_util.h"
#include "extern.h"
+#ifndef NOCACHE
+
typedef struct _krb5_kdc_replay_ent {
struct _krb5_kdc_replay_ent *next;
int num_hits;
num_entries++;
return;
}
+
+#endif /* NOCACHE */
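Review bot: All code in replay.c is now compiled out under NOCACHE, but the file gets no comment saying what is being disabled or why. Its name and the `_krb5_kdc_replay_ent` type point at replay detection, while the Makefile comment reserves "replay cache" for USE_RCACHE. A header comment above `#ifndef NOCACHE` would remove the ambiguity, for example `/* KDC lookaside cache: resends the previous response to a retransmitted request. Compiled out when NOCACHE is defined; distinct from the USE_RCACHE replay cache. */`. The lookaside functions called from dispatch() are presumably defined in this file; if anything other than dispatch() references them (not visible here), it will fail at link time once NOCACHE is set, so that is worth checking before merging.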