AP_OPTS_MUTUAL_REQUIRED only when using sendauth/recvauth? also, subkey prng priming?

Chris Hecker checker at d6.com
Sat Jul 23 22:38:16 EDT 2011


Do I need to pass AP_OPTS_MUTUAL_REQUIRED to mk_req if I'm doing the 
packet sending myself rather than using the sendauth/recvauth helpers? 
I didn't realize I might need to and was doing 
mk_req->rd_req->mk_rep->rd_rep manually without and it seemed to work 
fine, but then I searched, and it looks like it's actually used in 
rd_req_decoded_opt to do something with the sequence numbers...

     /*
      * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used
      * then the default sequence number is the one's complement of the
      * sequence number sent ot us.
      */
     if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) &&
         (*auth_context)->remote_seq_number) {
         (*auth_context)->local_seq_number ^=
             (*auth_context)->remote_seq_number;
     }

([sic] on the "sent ot us" :)

It looks like I should pass it since this if-statement exists, yes?  I'm 
still a security noob, but I'd assume it wouldn't be there if it wasn't 
important?

Also, a related question, if you're using AP_OPTS_USE_SUBKEY, sendauth 
primes the prng a bit more manually...should I do this in my app?  It 
looks like the normal subkey generation in 
krb5int_generate_and_save_subkey does this as well with the clock before 
generating the subkey.

Thanks,
Chris
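To make the quoted rd_req rule concrete, here is a small constructed model of the mk_req -> rd_req -> mk_rep -> rd_rep sequence-number state on both sides; it is an added illustration, not krb5 library code, and it assumes the server has already chosen its own sequence number (`server_seq`) before the quoted check runs and that the AP-REP carries that number back to the client as in RFC 4120.

```c
/* Constructed model of the sequence-number handshake around the quoted
 * rd_req_decoded_opt check.  Not the krb5 library: a simulation of both sides. */
#include <stdbool.h>
#include <stdint.h>

#define AP_OPTS_MUTUAL_REQUIRED 0x20000000u   /* value from krb5.h */

typedef struct {               /* the two krb5_auth_context fields we model */
    uint32_t local_seq_number;
    uint32_t remote_seq_number;
} auth_ctx;

typedef struct { uint32_t ap_options; uint32_t seq; } ap_req;  /* authenticator */
typedef struct { uint32_t seq; } ap_rep;                       /* EncAPRepPart */

/* Client side of mk_req: pick a sequence number and send it with the options. */
static ap_req client_mk_req(auth_ctx *c, uint32_t ap_options, uint32_t seq) {
    c->local_seq_number = seq;
    return (ap_req){ ap_options, seq };
}

/* Server side of rd_req: record the client's number, then apply the quoted
 * rule: without MUTUAL_REQUIRED the server's own number is XORed with the
 * client's one (assumption: own_seq was already chosen by the server). */
static void server_rd_req(auth_ctx *s, uint32_t own_seq, ap_req req) {
    s->local_seq_number = own_seq;
    s->remote_seq_number = req.seq;
    if (!(req.ap_options & AP_OPTS_MUTUAL_REQUIRED) && s->remote_seq_number)
        s->local_seq_number ^= s->remote_seq_number;
}

/* Server mk_rep / client rd_rep: the AP-REP carries the server's number back. */
static ap_rep server_mk_rep(const auth_ctx *s) { return (ap_rep){ s->local_seq_number }; }
static void client_rd_rep(auth_ctx *c, ap_rep rep) { c->remote_seq_number = rep.seq; }

/* Run the four manual steps and leave both contexts in c and s. */
static void run_exchange(uint32_t ap_options, uint32_t client_seq, uint32_t server_seq,
                         auth_ctx *c, auth_ctx *s) {
    ap_req req = client_mk_req(c, ap_options, client_seq);
    server_rd_req(s, server_seq, req);
    client_rd_rep(c, server_mk_rep(s));
}

/* The server-side number after rd_req: the value the quoted check produces. */
static uint32_t server_seq_after(uint32_t ap_options, uint32_t client_seq, uint32_t server_seq) {
    auth_ctx c = {0}, s = {0};
    run_exchange(ap_options, client_seq, server_seq, &c, &s);
    return s.local_seq_number;
}

/* True when each side's local number equals the peer's remote number, i.e.
 * KRB-SAFE/KRB-PRIV sequence checks would line up after the AP-REP is read. */
static bool exchange_agrees(uint32_t ap_options, uint32_t client_seq, uint32_t server_seq) {
    auth_ctx c = {0}, s = {0};
    run_exchange(ap_options, client_seq, server_seq, &c, &s);
    return c.local_seq_number == s.remote_seq_number &&
           c.remote_seq_number == s.local_seq_number;
}
```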
