RFR (+CSR) 8201627: Kerberos sequence number issues

Wang Weijun weijun.wang at oracle.com
Wed Apr 25 00:55:18 UTC 2018


RFC 4120 5.5.1 has
> seq-number

> This optional field includes the initial sequence number to be used by the KRB_PRIV or KRB_SAFE messages when sequence numbers are used to detect replays. (It may also be used by application specific messages.) When included in the authenticator, this field specifies the initial sequence number for messages from the client to the server. When included in the AP-REP message, the initial sequence number is that for messages from the server to the client. When used in KRB_PRIV or KRB_SAFE messages, it is incremented by one after each message is sent. Sequence numbers fall in the range 0 through 2^32 - 1 and wrap to zero following the value 2^32 - 1.


If it wraps, then it’s 4 bytes. 

I will read more on it. 

Thanks
Max

> 在 2018年4月24日,18:08,Valerie Peng <valerie.peng at oracle.com> 写道:
> 
> Hi Max,
> 
> Most changes look good. I have only some comments and questions (see below):
> 
> - InitSecContextToken.java, line 62: bad -> unrecognized?
> - According to the class javadoc of various Token classes and Kerberos spec, the sequence number is 8-byte integer from header byte 8-15, but java int have only 4 bytes. The current code seems to assume the first 4 bytes of the sequence number are always 0. For the sake of compliance and max inter-operability, maybe we should use long to store the sequence number?
> 
> CSR looks good to me.
> Thanks,
> Valerie
> 
> 
> 
>> On 4/18/2018 10:40 AM, Weijun Wang wrote:
>> Please take a review of this fix:
>> 
>>    webrev: http://cr.openjdk.java.net/~weijun/8201627/webrev.00/
>>    CSR: https://bugs.openjdk.java.net/browse/JDK-8201814
>> 
>> Basically we fix some bugs and introduce a system property so we can interop with everyone.
>> 
>> Thanks
>> Max
>> 
> 



More information about the security-dev mailing list