Keeping track of sequence numbers #419
Comments
bodgit added a commit to bodgit/gokrb5 that referenced this issue Dec 22, 2020
Based on the MIT Kerberos implementation. It tracks the 64 previously seen sequence numbers for the purposes of out of order delivery and replay protection. Fixes jcmturner#419
jcmturner pushed a commit to bodgit/gokrb5 that referenced this issue Jun 13, 2022
Based on the MIT Kerberos implementation. It tracks the 64 previously seen sequence numbers for the purposes of out of order delivery and replay protection. Fixes jcmturner#419
If you specify `gssapi.ContextFlagReplay` or `gssapi.ContextFlagSequence` when negotiating your context then you should ideally keep track of the sequence numbers received in MIC or Wrap tokens (possibly in other things too). There doesn't seem to be any way currently to do that.

The MIT Kerberos source seems to rely on src/lib/gssapi/generic/util_seqstate.c which keeps track of what is the next expected sequence number as well as the last 64 received sequence numbers which appears to be considered Good Enough in terms of replay protection. Sequence protection appears to just be a stricter variant in terms of gaps in the sequence.
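An added example, not code from gokrb5 or MIT Kerberos: one way to keep the state the issue describes, a next-expected number plus a 64-bit bitmap of recently received numbers, with sequence mode reporting gaps and late arrivals that replay mode accepts. `SeqState`, `Status` and `Check` are hypothetical names, the status names follow the GSS-API supplementary status meanings, and the code assumes 64-bit sequence numbers that never wrap.

```go
package main

import "fmt"

type Status int // names follow the GSS-API supplementary status meanings (RFC 2743)

const (
	OK        Status = iota // accepted
	Duplicate               // already received inside the window: a replay
	Old                     // older than the 64-entry window, cannot be judged
	Unseq                   // late arrival, reported only in sequence mode
	Gap                     // skipped ahead, reported only in sequence mode
)

// SeqState is a hypothetical tracker for one direction of a security context.
type SeqState struct {
	base, next, seen uint64 // bit i of seen set: number next-1-i was received
	sequence         bool   // true when ContextFlagSequence was negotiated
}

// Check classifies seq and records it when it is new.
func (s *SeqState) Check(seq uint64) Status {
	if seq >= s.next { // expected or ahead: slide the window forward
		skipped := seq - s.next
		s.seen = s.seen<<(skipped+1) | 1 // Go shifts of 64 or more yield 0
		s.next = seq + 1
		if skipped > 0 && s.sequence {
			return Gap
		}
		return OK
	}
	offset := s.next - 1 - seq // distance behind the newest number seen
	switch {
	case seq < s.base || offset >= 64:
		return Old
	case s.seen&(1<<offset) != 0:
		return Duplicate
	}
	s.seen |= 1 << offset // fill the hole left by an earlier skip
	if s.sequence {
		return Unseq
	}
	return OK
}

func main() {
	s := &SeqState{base: 100, next: 100} // constructed sample sequence numbers
	fmt.Println(s.Check(100), s.Check(102), s.Check(101), s.Check(102))
}
```

A caller would run `Check` on the sequence number only after the token's checksum has verified, so that forged tokens cannot advance the window.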