authorKen Raeburn <raeburn@mit.edu>1999-06-30 19:28:13 +0000
committerKen Raeburn <raeburn@mit.edu>1999-06-30 19:28:13 +0000
commitcc404230c2bede6dce78ee19f88d879b5e27b71f (patch)
treeb2b0962743aef1384a4a7a2e5c5313b596951db6 /src
parent2ee7c8e0714dce64604bc37fee6272286b6bcf3a (diff)
Disable lookaside cache. It's needed if the replay cache is enabled, and could
theoretically make certain attacks more difficult, but the replay cache is disabled, the attack is very difficult compared to other existing attacks (would need huge numbers of queries), and under heavy load the lookaside cache degrades performance. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11538 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/kdc/ChangeLog8
-rw-r--r--src/kdc/Makefile.in8
-rw-r--r--src/kdc/dispatch.c4
-rw-r--r--src/kdc/replay.c4
4 files changed, 22 insertions, 2 deletions
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index c5162ccf5..40d581f31 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,11 @@
+1999-06-30 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in (CFLAGS): Define NOCACHE.
+ (DEFINES): Commented out, since it's unused.
+ * dispatch.c (dispatch): If NOCACHE is defined, don't call
+ lookaside buffer code.
+ * replay.c: Disable all code if NOCACHE is defined.
+
1999-06-28 Tom Yu <tlyu@mit.edu>
* replay.c (MATCH): Fix up to compare the correct components of
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index b1b4f296a..b23d8ab0b 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -2,14 +2,18 @@ thisconfigdir=.
myfulldir=kdc
mydir=.
BUILDTOP=$(REL)$(U)
-CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE)
+# -DUSE_RCACHE - enable replay cache for KDC
+# -DNOCACHE - disable lookaside cache, which is used to resend previous
+# response to replay (i.e., *don't* define this if you
+# define USE_RCACHE)
+CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) -DNOCACHE
RUN_SETUP = @KRB5_RUN_ENV@
PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
PROG_RPATH=$(KRB5_LIBDIR)
all:: krb5kdc rtest
-DEFINES = -DBACKWARD_COMPAT $(KRB4DEF)
+# DEFINES = -DBACKWARD_COMPAT $(KRB4DEF)
LOCALINCLUDE = @KRB4_INCLUDES@ -I.
SRCS= \
diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c
index 7446ea5f8..824a3af0d 100644
--- a/src/kdc/dispatch.c
+++ b/src/kdc/dispatch.c
@@ -42,12 +42,14 @@ dispatch(pkt, from, portnum, response)
/* decode incoming packet, and dispatch */
+#ifndef NOCACHE
/* try the replay lookaside buffer */
if (kdc_check_lookaside(pkt, from, response)) {
/* a hit! */
krb5_klog_syslog(LOG_INFO, "DISPATCH: replay found and re-transmitted");
return 0;
}
+#endif
/* try TGS_REQ first; they are more common! */
if (krb5_is_tgs_req(pkt)) {
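Review bot: The new `#ifndef NOCACHE` around the lookaside check carries no comment explaining what the build loses when it is compiled out. With NOCACHE defined, a retransmitted request falls straight through to the TGS/AS processing below, and the only visible log line for duplicates ("DISPATCH: replay found and re-transmitted") disappears, so operators presumably lose that signal in syslog. I would add a comment above the guard such as `/* NOCACHE: duplicates are reprocessed in full and not logged; do not combine with USE_RCACHE */`. The bare `#endif` here and in the second hunk would also read better as `#endif /* !NOCACHE */`, matching the commented `#endif` added in replay.c. The body of dispatch() starts and ends outside this hunk.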
@@ -70,9 +72,11 @@ dispatch(pkt, from, portnum, response)
#endif
else
retval = KRB5KRB_AP_ERR_MSG_TYPE;
+#ifndef NOCACHE
/* put the response into the lookaside buffer */
if (!retval)
kdc_insert_lookaside(pkt, from, *response);
+#endif
return retval;
}
diff --git a/src/kdc/replay.c b/src/kdc/replay.c
index e0f3c8fd1..c3ff2a969 100644
--- a/src/kdc/replay.c
+++ b/src/kdc/replay.c
@@ -29,6 +29,8 @@
#include "kdc_util.h"
#include "extern.h"
+#ifndef NOCACHE
+
typedef struct _krb5_kdc_replay_ent {
struct _krb5_kdc_replay_ent *next;
int num_hits;
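Review bot: Nothing in the code enforces the rule that NOCACHE must not be combined with USE_RCACHE; it is stated only in the Makefile.in comment and the commit message, while this `#ifndef NOCACHE` silently removes the whole lookaside implementation. A build that sets both would, going by the commit description, run the replay cache without the lookaside it needs. A compile-time guard placed just before the `#ifndef` would turn that misconfiguration into a build failure: `#if defined(USE_RCACHE) && defined(NOCACHE)` / `#error "USE_RCACHE requires the lookaside cache; do not define NOCACHE"` / `#endif`. The struct definition that begins in this hunk continues outside it.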
@@ -166,3 +168,5 @@ kdc_insert_lookaside(inpkt, from, outpkt)
num_entries++;
return;
}
+
+#endif /* NOCACHE */