Do I need to pass AP_OPTS_MUTUAL_REQUIRED to mk_req if I'm doing the packet sending myself rather than using the sendauth/recvauth helpers? I didn't realize I might need to and was doing mk_req->rd_req->mk_rep->rd_rep manually without it, and it seemed to work fine, but then I searched, and it looks like it's actually used in rd_req_decoded_opt to do something with the sequence numbers...

    /*
     * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used
     * then the default sequence number is the one's complement of the
     * sequence number sent ot us.
     */
    if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) &&
        (*auth_context)->remote_seq_number) {
        (*auth_context)->local_seq_number ^= (*auth_context)->remote_seq_number;
    }

([sic] on the "sent ot us" :)

It looks like I should pass it since this if-statement exists, yes? I'm still a security noob, but I'd assume it wouldn't be there if it wasn't important?

Also, a related question: if you're using AP_OPTS_USE_SUBKEY, sendauth primes the PRNG a bit more manually... should I do this in my app? It looks like the normal subkey generation in krb5int_generate_and_save_subkey does this as well with the clock before generating the subkey.

Thanks,
Chris

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
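The following is an added example, not part of Chris's post and not MIT krb5 code. It is a toy model of the four-step mk_req -> rd_req -> mk_rep -> rd_rep exchange the post describes, with only the two sequence-number fields of the auth context and the optional seq-number fields that an Authenticator (AP-REQ) and EncAPRepPart (AP-REP) carry. The server step applies the exact condition quoted from rd_req_decoded_opt, so running it with and without AP_OPTS_MUTUAL_REQUIRED shows what that if-statement changes: the server's starting sequence number is either left as its own value or XOR'd with the client's. All struct and function names (model_auth_context, run_exchange, seq_numbers_agree, and so on) are assumptions made for this example; the AP_OPTS_MUTUAL_REQUIRED bit value follows krb5.h, but nothing below depends on the exact number.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit value as in krb5.h; only "set or not set" matters in this model. */
#define AP_OPTS_MUTUAL_REQUIRED 0x20000000U

/* Toy stand-in for the two krb5_auth_context fields the quoted condition touches.
 * (Hypothetical type for this example, not the library's.) */
struct model_auth_context {
    uint32_t local_seq_number;   /* our own starting sequence number */
    uint32_t remote_seq_number;  /* the peer's, once we have seen it */
};

/* AP-REQ: ap-options plus the Authenticator's optional seq-number. */
struct model_ap_req {
    uint32_t ap_options;
    uint32_t seq_number;
};

/* AP-REP: the EncAPRepPart's optional seq-number. */
struct model_ap_rep {
    uint32_t seq_number;
};

/* Client side of mk_req: advertise our starting sequence number and the options. */
static struct model_ap_req model_mk_req(const struct model_auth_context *client,
                                        uint32_t ap_options)
{
    struct model_ap_req req = { ap_options, client->local_seq_number };
    return req;
}

/* Server side of rd_req: record the client's number, then apply the
 * condition quoted from rd_req_decoded_opt verbatim. */
static void model_rd_req(struct model_auth_context *server,
                         const struct model_ap_req *req)
{
    server->remote_seq_number = req->seq_number;
    if (!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED) && server->remote_seq_number)
        server->local_seq_number ^= server->remote_seq_number;
}

/* Server side of mk_rep: send back whatever local number rd_req left us with. */
static struct model_ap_rep model_mk_rep(const struct model_auth_context *server)
{
    struct model_ap_rep rep = { server->local_seq_number };
    return rep;
}

/* Client side of rd_rep: learn the server's number from the AP-REP. */
static void model_rd_rep(struct model_auth_context *client,
                         const struct model_ap_rep *rep)
{
    client->remote_seq_number = rep->seq_number;
}

/* Run all four steps; return the server's resulting local sequence number and,
 * optionally, both final contexts. client_seq/server_seq play the role of the
 * random starting numbers each side would normally generate. */
uint32_t run_exchange(uint32_t ap_options, uint32_t client_seq, uint32_t server_seq,
                      struct model_auth_context *client_out,
                      struct model_auth_context *server_out)
{
    struct model_auth_context client = { client_seq, 0 };
    struct model_auth_context server = { server_seq, 0 };

    struct model_ap_req req = model_mk_req(&client, ap_options);
    model_rd_req(&server, &req);
    struct model_ap_rep rep = model_mk_rep(&server);
    model_rd_rep(&client, &rep);

    if (client_out) *client_out = client;
    if (server_out) *server_out = server;
    return server.local_seq_number;
}

/* 1 when each side's remote number matches the other side's local number. */
int seq_numbers_agree(const struct model_auth_context *client,
                      const struct model_auth_context *server)
{
    return client->local_seq_number == server->remote_seq_number &&
           client->remote_seq_number == server->local_seq_number;
}

int main(void)
{
    struct model_auth_context c, s;
    uint32_t with    = run_exchange(AP_OPTS_MUTUAL_REQUIRED, 0x1234, 0xABCD, &c, &s);
    uint32_t without = run_exchange(0, 0x1234, 0xABCD, NULL, NULL);

    printf("server seq with MUTUAL_REQUIRED:    %#x\n", with);     /* 0xabcd */
    printf("server seq without MUTUAL_REQUIRED: %#x\n", without);  /* 0xb9f9 */
    printf("sides agree after rd_rep: %d\n", seq_numbers_agree(&c, &s));
    return 0;
}
```

Because this model always completes the AP-REP leg, both sides agree on each other's numbers either way; the difference the flag makes is only whether the server's starting number is its own or a function of the client's. Which of the two a real application should rely on, and why the library makes that distinction, is exactly the question the post asks and is not answered by this toy.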