AP_OPTS_MUTUAL_REQUIRED only when using sendauth/recvauth? also, subkey prng priming?
Chris Hecker
checker at d6.com
Sat Jul 23 22:38:16 EDT 2011
Do I need to pass AP_OPTS_MUTUAL_REQUIRED to mk_req if I'm doing the
packet sending myself rather than using the sendauth/recvauth helpers?
I didn't realize I might need to, and was doing
mk_req->rd_req->mk_rep->rd_rep manually without it, and it seemed to work
fine, but then I searched, and it looks like it's actually used in
rd_req_decoded_opt to do something with the sequence numbers...
    /*
     * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used
     * then the default sequence number is the one's complement of the
     * sequence number sent ot us.
     */
    if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) &&
        (*auth_context)->remote_seq_number) {
        (*auth_context)->local_seq_number ^=
            (*auth_context)->remote_seq_number;
    }
([sic] on the "sent ot us" :)
It looks like I should pass it since this if-statement exists, yes? I'm
still a security noob, but I'd assume it wouldn't be there if it wasn't
important?
Also, a related question: if you're using AP_OPTS_USE_SUBKEY, sendauth
primes the prng a bit more manually... should I do this in my app? It
looks like the normal subkey generation in
krb5int_generate_and_save_subkey does this as well with the clock before
generating the subkey.
Thanks,
Chris
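Added example, not from the original post and not MIT krb5 code: a small model of the sequence-number rule in the quoted rd_req_decoded_opt snippet, run through the four-step mk_req -> rd_req -> mk_rep -> rd_rep exchange the poster describes. The AuthContext class and the mk_req/rd_req/mk_rep/rd_rep functions are hypothetical stand-ins that mirror only the two auth_context fields the snippet touches; the AP_OPTS_MUTUAL_REQUIRED bit value is taken from krb5.h. It shows what the snippet visibly does (an XOR of the local and remote sequence numbers, despite the comment calling it a one's complement), that the rule is skipped when the peer's sequence number is 0, and that after a full mutual exchange both sides agree on each other's sequence numbers either way.

```python
# Added example: a model of the quoted krb5 sequence-number rule, not
# library code. Names below (AuthContext, mk_req, rd_req, mk_rep, rd_rep,
# run_exchange) are hypothetical stand-ins for the real krb5 API.

AP_OPTS_MUTUAL_REQUIRED = 0x20000000  # bit value as defined in krb5.h


class AuthContext:
    """Mirrors the two krb5_auth_context fields the quoted snippet uses."""

    def __init__(self, local_seq_number=0):
        self.local_seq_number = local_seq_number
        self.remote_seq_number = 0


def mk_req(client, ap_options, client_seq):
    """Client: put its own sequence number and the AP options in the
    (modelled) authenticator. Real krb5 draws the number at random."""
    client.local_seq_number = client_seq
    return {"ap_options": ap_options, "seq_number": client_seq}


def rd_req(server, ap_req):
    """Server: record the peer's sequence number, then apply the rule from
    the quoted snippet. Without AP_OPTS_MUTUAL_REQUIRED and with a non-zero
    peer sequence number, the server's local sequence number is XORed with
    the peer's (the comment in the snippet calls this a one's complement,
    but the operator is ^=)."""
    server.remote_seq_number = ap_req["seq_number"]
    if (not (ap_req["ap_options"] & AP_OPTS_MUTUAL_REQUIRED)
            and server.remote_seq_number):
        server.local_seq_number ^= server.remote_seq_number


def mk_rep(server):
    """Server: the AP-REP carries the server's local sequence number
    (modelled as a dict instead of an EncAPRepPart)."""
    return {"seq_number": server.local_seq_number}


def rd_rep(client, ap_rep):
    """Client: learn the server's sequence number from the AP-REP."""
    client.remote_seq_number = ap_rep["seq_number"]


def derived_server_seq(ap_options, server_seq, client_seq):
    """Return the server's local sequence number after rd_req alone,
    i.e. what a server that never sends an AP-REP ends up using."""
    server = AuthContext(local_seq_number=server_seq)
    rd_req(server, {"ap_options": ap_options, "seq_number": client_seq})
    return server.local_seq_number


def run_exchange(ap_options, client_seq, server_seq):
    """Full mk_req -> rd_req -> mk_rep -> rd_rep round trip; returns the
    (client, server) contexts so the caller can compare their views."""
    client = AuthContext()
    server = AuthContext(local_seq_number=server_seq)
    ap_req = mk_req(client, ap_options, client_seq)
    rd_req(server, ap_req)
    rd_rep(client, mk_rep(server))
    return client, server


def views_agree(client, server):
    """True when each side's remote number is the other's local number,
    which is what mk_safe/mk_priv style sequence checking relies on."""
    return (client.remote_seq_number == server.local_seq_number
            and server.remote_seq_number == client.local_seq_number)


if __name__ == "__main__":
    for opts in (AP_OPTS_MUTUAL_REQUIRED, 0):
        c, s = run_exchange(opts, client_seq=5, server_seq=9)
        print(f"opts={opts:#x} server.local={s.local_seq_number} "
              f"client.remote={c.remote_seq_number} agree={views_agree(c, s)}")
```

Because the AP-REP carries whatever local sequence number the server ended up with, a client that does perform the full round trip sees a consistent pair with or without the flag, which is consistent with the poster's observation that the manual exchange "seemed to work fine"; the flag changes which number the server starts from, not whether the two sides agree afterwards.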