[4540] in Kerberos
Re: Interoperability questions regarding the Kerberos GSS-API Mechanism
daemon@ATHENA.MIT.EDU (Dan Nessett)
Wed Feb 1 15:02:19 1995
Date: Wed, 1 Feb 1995 11:44:34 -0800
From: Danny.Nessett@Eng.Sun.COM (Dan Nessett)
To: Jim_Miller@suite.com
Cc: kerberos@MIT.EDU
> From jim@bilbo.suite.com Wed Feb 1 11:30:04 1995
> To: Danny.Nessett@Eng
> Subject: Re: Interoperability questions regarding the Kerberos GSS-API Mechanism
> Cc: kerberos@ATHENA.MIT.EDU
>
>
> Dan Nessett writes:
>
> > When the packet sent by A arrives, its timestamp will be
> > "older" than the last received and be rejected.
> >
>
>
>
> If you are referring to Kerberos replay detection, then this description
> is incorrect. The replay logic doesn't do an "if older" test, it does an
> "if equal" test. That is to say, a message is considered a replay (and
> therefore rejected) if the message's client, server, and timestamp values
> match those of a message already received. Here's the code that does the
> check (from lib/krb5/rcache/rc_dfl.c):
>
>
>
> static int cmp(old, new, t)
> krb5_donot_replay *old;
> krb5_donot_replay *new;
> krb5_deltat t;
> {
> if ((old->cusec == new->cusec) && /* most likely to distinguish */
> (old->ctime == new->ctime) &&
> (strcmp(old->client,new->client) == 0) &&
> (strcmp(old->server,new->server) == 0)) /* always true */
> return CMP_REPLAY;
> return CMP_HOHUM;
> }
>
>
> Jim_Miller@suite.com
>
>
Yes, you are correct. I was confusing the timestamp checks with the sequence
number checks that take place within rd_safe() nad rd_priv(). It is the
sequence number checks that will not work with multi-threading.
Dan
