svn rev #21573: branches/mskrb-integ/src/lib/gssapi/ generic/ krb5/

lhoward@MIT.EDU lhoward at MIT.EDU
Tue Dec 23 00:25:27 EST 2008


http://src.mit.edu/fisheye/changelog/krb5/?cs=21573
Commit By: lhoward
Log Message:
For GSS_C_INQ_SESSION_KEY, annotate session key with Kerberos encryption
type



Changed Files:
U   branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h
U   branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h
U   branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c
U   branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c
Modified: branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h	2008-12-23 03:59:26 UTC (rev 21572)
+++ branches/mskrb-integ/src/lib/gssapi/generic/gssapi_ext.h	2008-12-23 05:25:25 UTC (rev 21573)
@@ -70,7 +70,11 @@
 	(OM_uint32 * /*minor_status*/,
 	 gss_buffer_set_t * /*buffer_set*/);
 
-/* returns buffer set with the first member containing session key */
+/*
+ * Returns a buffer set with the first member containing the
+ * session key for SSPI compatibility. The optional second
+ * member contains an OID identifying the session key type.
+ */
 GSS_DLLIMP extern gss_OID GSS_C_INQ_SESSION_KEY;
 
 OM_uint32 KRB5_CALLCONV gss_inquire_sec_context_by_oid

Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h	2008-12-23 03:59:26 UTC (rev 21572)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapiP_krb5.h	2008-12-23 05:25:25 UTC (rev 21573)
@@ -971,4 +971,8 @@
 #define save_error_info krb5_gss_save_error_info
 extern void krb5_gss_delete_error_info(void *p);
 
+/* Prefix concatenated with Kerberos encryption type */
+#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH 10
+#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID  "\052\206\110\206\367\022\001\002\002\004"
+
 #endif /* _GSSAPIP_KRB5_H_ */
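Review bot: The length macro repeats a count that the string literal already carries, so the two can drift apart if the prefix is ever edited; `#define GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH (sizeof(GSS_KRB5_SESSION_KEY_ENCTYPE_OID) - 1)` keeps them in sync. The comment would also be more useful if it named the arc being encoded, e.g. `/* DER prefix of 1.2.840.113554.1.2.2.4; the Kerberos enctype is appended as the final arc */`, matching the OID registration comment added in gssapi_krb5.c.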

Modified: branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c	2008-12-23 03:59:26 UTC (rev 21572)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/gssapi_krb5.c	2008-12-23 05:25:25 UTC (rev 21573)
@@ -103,6 +103,10 @@
  * The OID of the proposed standard krb5 v2 mechanism is:
  *      iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
  *      krb5v2(3) = 1.2.840.113554.1.2.3
+ * Provisionally reserved for Kerberos session key algorithm
+ * identifiers is:
+ *      iso(1) member-body(2) US(840) mit(113554) infosys(1) gssapi(2)
+ *      krb5(2) krb5_enctype(4) = 1.2.840.113554.1.2.2.4
  *
  */
 

Modified: branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c
===================================================================
--- branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c	2008-12-23 03:59:26 UTC (rev 21572)
+++ branches/mskrb-integ/src/lib/gssapi/krb5/inq_context.c	2008-12-23 05:25:25 UTC (rev 21573)
@@ -234,15 +234,60 @@
 {
     krb5_gss_ctx_id_rec *ctx;
     krb5_keyblock *key;
-    gss_buffer_desc rep;
+    gss_buffer_desc keyvalue, keyinfo;
+    OM_uint32 major_status, minor;
+    unsigned char oid_buf[GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + 6];
+    unsigned char *op;
+    size_t nbytes;
+    int oenctype, enctype, i;
 
     ctx = (krb5_gss_ctx_id_rec *) context_handle;
     key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey;
 
-    rep.value = key->contents;
-    rep.length = key->length;
+    keyvalue.value = key->contents;
+    keyvalue.length = key->length;
+    enctype = key->enctype;
 
-    return generic_gss_add_buffer_set_member(minor_status, &rep, data_set);
+    major_status = generic_gss_add_buffer_set_member(minor_status, &keyvalue, data_set);
+    if (GSS_ERROR(major_status)) {
+	gss_release_buffer_set(&minor, data_set);
+	return major_status;
+    }
+
+    /* Construct the OID 1.2.840.113554.1.2.2.4.<enctype> */
+    memcpy(oid_buf, GSS_KRB5_SESSION_KEY_ENCTYPE_OID,
+	   GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH);
+
+    nbytes = 0;
+    oenctype = enctype;
+    while (enctype) {
+	nbytes++;
+	enctype >>= 7;
+    }
+    enctype = oenctype;
+    op = oid_buf + GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + nbytes;
+    i = -1;
+    while (enctype) {
+	op[i] = (unsigned char)enctype & 0x7f;
+	if (i != -1)
+	    op[i] |= 0x80;
+	i--;
+	enctype >>= 7;
+    }
+
+    keyinfo.value = oid_buf;
+    keyinfo.length = GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + nbytes;
+    assert(keyinfo.length <= sizeof(oid_buf));
+
+    major_status = generic_gss_add_buffer_set_member(minor_status, &keyinfo, data_set);
+    if (GSS_ERROR(major_status)) {
+	assert(*data_set != GSS_C_NO_BUFFER_SET);
+	memset((*data_set)->elements[0].value, 0, (*data_set)->elements[0].length);
+	gss_release_buffer_set(&minor, data_set);
+	return major_status;
+    }
+
+    return GSS_S_COMPLETE;
 }
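Review bot: The two `while (enctype)` base-128 loops do not terminate when `key->enctype` is negative: `enctype` is a signed `int`, a right shift of a negative value is arithmetic on the usual targets and never reaches zero, so `nbytes` grows without bound and the call hangs. An enctype of 0 has the opposite problem — no arc byte is emitted and the OID is truncated, which the `assert` on the length does not catch. Rejecting negative values before the key is added to the set (OID arcs are non-negative) and emitting the arc with a do/while fixes both; the function's signature is outside the hunk. Separately, the `memset` on the failure path runs immediately before the buffer is freed, so the compiler may elide it; a zeroing helper it cannot optimize away would be safer for key material.
```c
    enctype = key->enctype;
    /* OID arcs are non-negative; refuse to encode a negative enctype. */
    if (enctype < 0) {
        *minor_status = 0;
        return GSS_S_FAILURE;
    }
    /* … unchanged: add keyvalue to data_set, memcpy of the OID prefix … */
    nbytes = 0;
    oenctype = enctype;
    do {                       /* enctype 0 still yields one arc byte */
        nbytes++;
        enctype >>= 7;
    } while (enctype);
    enctype = oenctype;
    op = oid_buf + GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + nbytes;
    i = -1;
    do {
        op[i] = (unsigned char)enctype & 0x7f;
        if (i != -1)
            op[i] |= 0x80;
        i--;
        enctype >>= 7;
    } while (enctype);
    /* … unchanged: keyinfo setup, second add_buffer_set_member, failure cleanup … */
```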
 
 OM_uint32



