From 8f8c45e408e3c6935ec805ecd5433361cd397ca4 Mon Sep 17 00:00:00 2001
From: Ken Raeburn <raeburn@mit.edu>
Date: Mon, 28 Feb 2000 22:10:17 +0000
Subject: new --enable/--disable-kdc-replay-cache configure hooks

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12090 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/ChangeLog        |  5 +++++
 src/configure.in     |  6 ++++++
 src/kdc/ChangeLog    |  7 +++++++
 src/kdc/Makefile.in  |  3 ++-
 src/kdc/configure.in | 24 ++++++++++++++++++++++++
 5 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index bcd24d6..903449e 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,8 @@
+2000-02-28  Ken Raeburn  <raeburn@mit.edu>
+
+	* configure.in: Add enable-kdc-replay-cache arg, to make usage
+	message more complete.
+
 2000-02-28  Ezra Peisach  <epeisach@mit.edu>
 
 	* aclocal.m4: Define DES425_LIB and DES425_DEPLIB all the time. We
diff --git a/src/configure.in b/src/configure.in
index 26f8f39..3200c32 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -15,6 +15,12 @@ AC_MSG_RESULT($krb5_cv_prog_gcc)
 dnl
 dnl The following lines are so that configure --help gives some global 
 dnl configuration options.
+dnl
+AC_ARG_ENABLE([kdc-replay-cache],
+[  --enable-kdc-replay-cache	check for replayed/retransmitted KDC requests
+				(recommended for replay attack detection
+				 when hardware preauthentication is in use)
+  --disable-kdc-replay-cache	omit replay detection])dnl
 KRB5_LIB_AUX
 AC_KRB5_TCL
 AC_ARG_ENABLE([athena],
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index a49e84c..6e7892d 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,10 @@
+2000-02-28  Ken Raeburn  <raeburn@mit.edu>
+
+	* configure.in: New enable-kdc-replay-cache arg.  Define
+	USE_RCACHE when enabled, NOCACHE when disabled.  Defaults to
+	enabled.
+	* Makefile.in (DEFINES): Don't define NOCACHE any more.
+
 2000-02-25  Tom Yu  <tlyu@mit.edu>
 
 	* configure.in: Check for sys/sockio.h
diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index 58b0e4f..4d9c4f4 100644
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -6,7 +6,8 @@ BUILDTOP=$(REL)$(U)
 # -DNOCACHE    - disable lookaside cache, which is used to resend previous
 #                response to replay (i.e., *don't* define this if you
 #                define USE_RCACHE)
-DEFINES = -DNOCACHE
+# These are now set in configure.in.
+DEFINES = # -DNOCACHE
 RUN_SETUP = @KRB5_RUN_ENV@
 PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
 PROG_RPATH=$(KRB5_LIBDIR)
diff --git a/src/kdc/configure.in b/src/kdc/configure.in
index 6bcd6c4..b20ccf2 100644
--- a/src/kdc/configure.in
+++ b/src/kdc/configure.in
@@ -41,6 +41,30 @@ AC_ARG_ENABLE([athena],
                               includes 32-bit length codings],
 [AC_DEFINE(ATHENA_DES3_KLUDGE)],)
 dnl
+dnl Needed for hw-preauth replay detection on KDC.
+dnl
+dnl USE_RCACHE enables the replay cache
+dnl NOCACHE disables the lookaside cache
+dnl
+dnl The lookaside cache is checked first; if *exactly* the same message
+dnl comes in twice, e.g., because the (legitimate) client resent it,
+dnl the previous response will be resent.  Otherwise, the replay cache
+dnl is used to check for attempts to fake out the KDC.  Some hardware
+dnl preauth methods are weak enough that we *really* want to have this
+dnl checking turned on.
+dnl
+AC_ARG_ENABLE([kdc-replay-cache],
+[  --enable-kdc-replay-cache	check for replayed/retransmitted KDC requests
+				(recommended for replay attack detection
+				 when hardware preauthentication is in use)
+  --disable-kdc-replay-cache	omit replay detection],
+enableval=yes)dnl
+if test "$enableval" = yes ; then
+	AC_DEFINE(USE_RCACHE)
+else
+	AC_DEFINE(NOCACHE)
+fi
+dnl
 dnl
 KRB5_RUN_FLAGS
 KRB5_BUILD_PROGRAM
-- 
cgit v1.1