Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Keeping track of sequence numbers #419

Open
bodgit opened this issue Dec 21, 2020 · 0 comments · May be fixed by #420
Open

Keeping track of sequence numbers #419

bodgit opened this issue Dec 21, 2020 · 0 comments · May be fixed by #420

Comments

@bodgit
Copy link
Contributor

bodgit commented Dec 21, 2020

If you specify gssapi.ContextFlagReplay or gssapi.ContextFlagSequence when negotiating your context then you should ideally keep track of the sequence numbers received in MIC or Wrap tokens (possibly in other things too). There doesn't seem to be any way currently to do that.

The MIT Kerberos source seems to rely on src/lib/gssapi/generic/util_seqstate.c which keeps track of what is the next expected sequence number as well as the last 64 received sequence numbers which appears to be considered Good Enough in terms of replay protection. Sequence protection appears to just be a stricter variant in terms of gaps in the sequence.

bodgit added a commit to bodgit/gokrb5 that referenced this issue Dec 22, 2020
Based on the MIT Kerberos implementation. It tracks the 64 previously seen
sequence numbers for the purposes of out of order delivery and replay
protection.

Fixes jcmturner#419
@bodgit bodgit linked a pull request Dec 22, 2020 that will close this issue
jcmturner pushed a commit to bodgit/gokrb5 that referenced this issue Jun 13, 2022
Based on the MIT Kerberos implementation. It tracks the 64 previously seen
sequence numbers for the purposes of out of order delivery and replay
protection.

Fixes jcmturner#419
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant