author | Ken Raeburn <raeburn@mit.edu> | 2000-02-28 22:10:17 +0000 |
committer | Ken Raeburn <raeburn@mit.edu> | 2000-02-28 22:10:17 +0000 |
commit | 8f8c45e408e3c6935ec805ecd5433361cd397ca4 (patch) | |
tree | 250a198b903168ba4535bb27b024dd361ee59074 | |
parent | ecef26eb7635d529456f4b3e347c3c5b59d1cc70 (diff) | |
new --enable/--disable-kdc-replay-cache configure hooks
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12090 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/ChangeLog | 5 | ||||
-rw-r--r-- | src/configure.in | 6 | ||||
-rw-r--r-- | src/kdc/ChangeLog | 7 | ||||
-rw-r--r-- | src/kdc/Makefile.in | 3 | ||||
-rw-r--r-- | src/kdc/configure.in | 24 |
5 files changed, 44 insertions, 1 deletions
diff --git a/src/ChangeLog b/src/ChangeLog
index bcd24d66a..903449e24 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2000-02-28 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: Add enable-kdc-replay-cache arg, to make usage
+ message more complete.
+
 2000-02-28 Ezra Peisach <epeisach@mit.edu>
 
 * aclocal.m4: Define DES425_LIB and DES425_DEPLIB all the time. We
diff --git a/src/configure.in b/src/configure.in
index 26f8f3909..3200c32a4 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -15,6 +15,12 @@ AC_MSG_RESULT($krb5_cv_prog_gcc)
 dnl
 dnl The following lines are so that configure --help gives some global
 dnl configuration options.
+dnl
+AC_ARG_ENABLE([kdc-replay-cache],
+[ --enable-kdc-replay-cache check for replayed/retransmitted KDC requests
+ (recommended for replay attack detection
+ when hardware preauthentication is in use)
+ --disable-kdc-replay-cache omit replay detection])dnl
 KRB5_LIB_AUX
 AC_KRB5_TCL
 AC_ARG_ENABLE([athena],
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index a49e84c9a..6e7892d85 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,10 @@
+2000-02-28 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: New enable-kdc-replay-cache arg. Define
+ USE_RCACHE when enabled, NOCACHE when disabled. Defaults to
+ enabled.
+ * Makefile.in (DEFINES): Don't define NOCACHE any more.
+
 2000-02-25 Tom Yu <tlyu@mit.edu>
 
 * configure.in: Check for sys/sockio.h
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index 58b0e4f08..4d9c4f4ef 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -6,7 +6,8 @@ BUILDTOP=$(REL)$(U)
 # -DNOCACHE - disable lookaside cache, which is used to resend previous
 # response to replay (i.e., *don't* define this if you
 # define USE_RCACHE)
-DEFINES = -DNOCACHE
+# These are now set in configure.in.
+DEFINES = # -DNOCACHE
 RUN_SETUP = @KRB5_RUN_ENV@
 PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
 PROG_RPATH=$(KRB5_LIBDIR)
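Review bot: The top-level src/configure.in hunk duplicates the kdc-replay-cache help text verbatim from src/kdc/configure.in, with no action attached, and nothing in either file says that the two copies must agree; if the option's wording or default is later changed in the kdc configure, `configure --help` at the top level will describe something else. A one-line comment above the new AC_ARG_ENABLE would make the dependency visible: `dnl Usage text only; the option is implemented in kdc/configure.in -- keep both in sync.`. The ChangeLog and Makefile.in hunks on this line need no change.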
diff --git a/src/kdc/configure.in b/src/kdc/configure.in
index 6bcd6c4d9..b20ccf282 100644
--- a/src/kdc/configure.in
+++ b/src/kdc/configure.in
@@ -41,6 +41,30 @@ AC_ARG_ENABLE([athena],
 includes 32-bit length codings],
 [AC_DEFINE(ATHENA_DES3_KLUDGE)],)
 dnl
+dnl Needed for hw-preauth replay detection on KDC.
+dnl
+dnl USE_RCACHE enables the replay cache
+dnl NOCACHE disables the lookaside cache
+dnl
+dnl The lookaside cache is checked first; if *exactly* the same message
+dnl comes in twice, e.g., because the (legitimate) client resent it,
+dnl the previous response will be resent. Otherwise, the replay cache
+dnl is used to check for attempts to fake out the KDC. Some hardware
+dnl preauth methods are weak enough that we *really* want to have this
+dnl checking turned on.
+dnl
+AC_ARG_ENABLE([kdc-replay-cache],
+[ --enable-kdc-replay-cache check for replayed/retransmitted KDC requests
+ (recommended for replay attack detection
+ when hardware preauthentication is in use)
+ --disable-kdc-replay-cache omit replay detection],
+enableval=yes)dnl
+if test "$enableval" = yes ; then
+ AC_DEFINE(USE_RCACHE)
+else
+ AC_DEFINE(NOCACHE)
+fi
+dnl
 dnl KRB5_RUN_FLAGS
 KRB5_BUILD_PROGRAM
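Review bot: `enableval=yes` is passed as AC_ARG_ENABLE's third argument, which (as I read the autoconf 2.13 macro) is the action-if-given slot, so an explicit `--disable-kdc-replay-cache` is rewritten to yes and still defines USE_RCACHE, while in the not-given case no action runs and `enableval` is left unset or stale from the preceding AC_ARG_ENABLE([athena]), so a plain `./configure` can fall into the else branch and define NOCACHE -- the opposite of the "Defaults to enabled" that the ChangeLog hunk on the previous line promises. Moving the default into the fourth argument fixes both cases: `[],[enableval=yes])dnl`. Since the else branch disables replay detection for any value other than the literal `yes`, it would also be safer to reject unrecognised values rather than silently weaken the KDC, e.g. `yes) AC_DEFINE(USE_RCACHE) ;; no) AC_DEFINE(NOCACHE) ;; *) AC_MSG_ERROR([bad value $enableval for --enable-kdc-replay-cache]) ;;` in a case statement, and an AC_MSG_RESULT reporting the chosen setting would make the configure log show which define was taken.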