[4539] in Kerberos
Re: Interoperability questions regarding the Kerberos GSS-API Mechanism
daemon@ATHENA.MIT.EDU (Jim Miller)
Wed Feb 1 14:55:54 1995
From: jim@bilbo.suite.com (Jim Miller)
Date: Wed, 1 Feb 95 13:29:03 -0600
To: Danny.Nessett@eng.sun.com
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com
Dan Nessett writes:
> When the packet sent by A arrives, its timestamp will be
> "older" than the last received and be rejected.
>
If you are referring to Kerberos replay detection, then this description
is incorrect. The replay logic doesn't do an "if older" test; it does an
"if equal" test. That is to say, a message is considered a replay (and
therefore rejected) if the message's client, server, and timestamp values
match those of a message already received. Here's the code that does the
check (from lib/krb5/rcache/rc_dfl.c):
static int cmp(old, new, t)
    krb5_donot_replay *old;
    krb5_donot_replay *new;
    krb5_deltat t;
{
    if ((old->cusec == new->cusec) && /* most likely to distinguish */
        (old->ctime == new->ctime) &&
        (strcmp(old->client,new->client) == 0) &&
        (strcmp(old->server,new->server) == 0)) /* always true */
        return CMP_REPLAY;
    return CMP_HOHUM;
}
Jim_Miller@suite.com
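The equality-only behaviour described in the message above, shown as a small self-contained replay cache. This is an added example written for this archive page, not code from the Kerberos source; the types `rc_entry` and `replay_cache`, the functions `rc_store`, `older_timestamp_accepted` and `demo_sequence`, the cache size and the principal names are all constructed for illustration. The comparison itself mirrors the quoted `cmp()`: an arriving authenticator is a replay only when client, server, `ctime` and `cusec` all match a cached entry, so an authenticator whose timestamp is merely earlier than the last one seen is still accepted. Entry expiry (the `t` parameter the quoted function takes but does not use) is not modelled here.

```c
#include <stdio.h>
#include <string.h>

#define CMP_REPLAY 1      /* identical client/server/timestamp already cached */
#define CMP_HOHUM  0      /* not seen before: accept and remember it */
#define RC_MAX     64     /* constructed cache size for this example */

/* One recorded authenticator. Field names follow the rc_dfl.c snippet;
   the fixed-size layout is an assumption of this example. */
typedef struct {
    char client[64];
    char server[64];
    long ctime;           /* authenticator time, seconds */
    int  cusec;           /* authenticator time, microseconds */
} rc_entry;

typedef struct {
    rc_entry entries[RC_MAX];
    int count;
} replay_cache;

/* Same test as the quoted cmp(): equality on all four fields, no ordering. */
static int rc_cmp(const rc_entry *old, const rc_entry *cur)
{
    if ((old->cusec == cur->cusec) &&
        (old->ctime == cur->ctime) &&
        (strcmp(old->client, cur->client) == 0) &&
        (strcmp(old->server, cur->server) == 0))
        return CMP_REPLAY;
    return CMP_HOHUM;
}

/* Check an arriving authenticator against the cache: CMP_REPLAY if an
   identical entry is recorded, CMP_HOHUM after recording a new one,
   -1 if the cache is full (an edge case this example does not recover from). */
int rc_store(replay_cache *rc, const char *client, const char *server,
             long ctime, int cusec)
{
    rc_entry cur;
    int i;

    memset(&cur, 0, sizeof cur);
    strncpy(cur.client, client, sizeof cur.client - 1);
    strncpy(cur.server, server, sizeof cur.server - 1);
    cur.ctime = ctime;
    cur.cusec = cusec;

    for (i = 0; i < rc->count; i++)
        if (rc_cmp(&rc->entries[i], &cur) == CMP_REPLAY)
            return CMP_REPLAY;

    if (rc->count == RC_MAX)
        return -1;
    rc->entries[rc->count++] = cur;
    return CMP_HOHUM;
}

/* Returns 1 if an authenticator older than one already cached is accepted,
   which is the point the message makes: the check is "equal", not "older". */
int older_timestamp_accepted(void)
{
    replay_cache rc;
    memset(&rc, 0, sizeof rc);
    rc_store(&rc, "alice@EXAMPLE.COM", "host/srv@EXAMPLE.COM", 1000, 500);
    return rc_store(&rc, "alice@EXAMPLE.COM", "host/srv@EXAMPLE.COM", 999, 100)
           == CMP_HOHUM;
}

/* Feeds a constructed arrival sequence through the cache and returns how
   many arrivals were rejected as replays. */
int demo_sequence(void)
{
    static const rc_entry arrivals[] = {
        { "alice@EXAMPLE.COM", "host/srv@EXAMPLE.COM", 1000, 500 },
        { "alice@EXAMPLE.COM", "host/srv@EXAMPLE.COM", 1000, 700 }, /* same second, new usec */
        { "alice@EXAMPLE.COM", "host/srv@EXAMPLE.COM",  999, 100 }, /* older, still fresh */
        { "alice@EXAMPLE.COM", "host/srv@EXAMPLE.COM", 1000, 500 }, /* exact repeat: replay */
        { "bob@EXAMPLE.COM",   "host/srv@EXAMPLE.COM", 1000, 500 }, /* other client: fresh */
    };
    replay_cache rc;
    int rejected = 0;
    size_t i;

    memset(&rc, 0, sizeof rc);
    for (i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++) {
        int r = rc_store(&rc, arrivals[i].client, arrivals[i].server,
                         arrivals[i].ctime, arrivals[i].cusec);
        printf("%-18s %-22s %ld.%06d -> %s\n", arrivals[i].client,
               arrivals[i].server, arrivals[i].ctime, arrivals[i].cusec,
               r == CMP_REPLAY ? "REPLAY" : "ok");
        if (r == CMP_REPLAY)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    return demo_sequence() == 1 ? 0 : 1;
}
```

Of the five constructed arrivals only the exact repeat of the first tuple is rejected; the "older" authenticator and the same-second one with a different microsecond value both pass, which is what distinguishes this cache from a monotonic "newer than last seen" check.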