krb5 commit: Add GSS_C_INQ_ODBC_SESSION_KEY
ghudson at mit.edu
ghudson at mit.edu
Mon Apr 10 22:34:21 EDT 2023
https://github.com/krb5/krb5/commit/20b067232c03ce7f63bd883ff5fafc2efd04cb36
commit 20b067232c03ce7f63bd883ff5fafc2efd04cb36
Author: Greg Hudson <ghudson at mit.edu>
Date: Mon Apr 3 11:27:02 2023 -0400
Add GSS_C_INQ_ODBC_SESSION_KEY
The Oracle database wire protocol contains a cipher reinitialization
operation using the ticket session key. Add a query operation
(similar to GSS_C_INQ_SSPI_SESSION_KEY) to retrieve the ticket session
key rather than the subkey.
ticket: 9091 (new)
src/lib/gssapi/generic/gssapi_ext.h | 7 +++
src/lib/gssapi/generic/gssapi_generic.c | 10 ++++
src/lib/gssapi/krb5/gssapiP_krb5.h | 6 ++-
src/lib/gssapi/krb5/gssapi_krb5.c | 6 ++-
src/lib/gssapi/krb5/inq_context.c | 95 +++++++++++++++++++++++----------
5 files changed, 93 insertions(+), 31 deletions(-)
diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h
index c675e8ebb..38e396161 100644
--- a/src/lib/gssapi/generic/gssapi_ext.h
+++ b/src/lib/gssapi/generic/gssapi_ext.h
@@ -237,6 +237,13 @@ OM_uint32 KRB5_CALLCONV gss_unwrap_aead
*/
GSS_DLLIMP extern gss_OID GSS_C_INQ_SSPI_SESSION_KEY;
+/*
+ * Returns a buffer set with the first member containing the ticket session key
+ * for ODBC compatibility. The optional second member contains an OID
+ * identifying the session key type.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_INQ_ODBC_SESSION_KEY;
+
GSS_DLLIMP extern gss_OID GSS_C_INQ_NEGOEX_KEY;
GSS_DLLIMP extern gss_OID GSS_C_INQ_NEGOEX_VERIFY_KEY;
diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c
index 3601585fb..7fbecbed8 100644
--- a/src/lib/gssapi/generic/gssapi_generic.c
+++ b/src/lib/gssapi/generic/gssapi_generic.c
@@ -170,6 +170,14 @@ static const gss_OID_desc const_oids[] = {
* infosys(1) gssapi(2) krb5(2) krb5-gssapi-ext(5) sasl-ssf(15)
*/
{11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"},
+
+ /*
+ * GSS_C_INQ_ODBC_SESSION_KEY 1.2.840.113554.1.2.2.5.19
+ * iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) ssapi(2) krb5(2) krb5-gssapi-ext(5)
+ * inq-odbc-session-key(19)
+ */
+ {11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05\13"},
};
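Review bot: The byte string of the new const_oids entry does not encode the OID the comment and the krb5 mech header describe: `\x05\13` is two characters, a second 0x05 followed by octal `\13` (0x0B), so with the declared length 11 the compared elements are `...\x05\x05`, which is exactly the GSS_C_INQ_SSPI_SESSION_KEY arc (5) declared a few entries above, and the twelfth byte is never looked at. gssapiP_krb5.h in the same commit defines GSS_KRB5_INQ_ODBC_SESSION_KEY_OID as `...\x05\x13` (arc 19), so the generic-layer constant and the mech dispatch table disagree; a caller passing GSS_C_INQ_ODBC_SESSION_KEY would, as far as I can tell from the table in gssapi_krb5.c, match the SSPI entry and receive the subkey rather than the ticket session key the new operation is meant to return. The entry should read `{11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x13"},`. The comment on the same entry also says `ssapi(2)` where the neighbouring entries say `gssapi(2)`.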
/* Here are the constants which point to the static structure above.
@@ -235,6 +243,8 @@ GSS_DLLIMP gss_const_OID GSS_C_MA_NEGOEX_AND_SPNEGO = oids+38;
GSS_DLLIMP gss_OID GSS_C_SEC_CONTEXT_SASL_SSF = oids+39;
+GSS_DLLIMP gss_OID GSS_C_INQ_ODBC_SESSION_KEY = oids+40;
+
static gss_OID_set_desc gss_ma_known_attrs_desc = { 28, oids+11 };
gss_OID_set gss_ma_known_attrs = &gss_ma_known_attrs_desc;
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index a4446530f..736460719 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -1079,9 +1079,13 @@ gss_krb5int_ccache_name(OM_uint32 *minor_status, const gss_OID, const gss_OID,
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH 11
#define GSS_KRB5_INQ_SSPI_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05"
+#define GSS_KRB5_INQ_ODBC_SESSION_KEY_OID_LENGTH 11
+#define GSS_KRB5_INQ_ODBC_SESSION_KEY_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x13"
OM_uint32
-gss_krb5int_inq_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
+gss_krb5int_inq_sspi_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
+OM_uint32
+gss_krb5int_inq_odbc_session_key(OM_uint32 *, const gss_ctx_id_t, const gss_OID, gss_buffer_set_t *);
#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID_LENGTH 11
#define GSS_KRB5_SET_ALLOWABLE_ENCTYPES_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x04"
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index 9915a8bb5..1e62b07cd 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -337,7 +337,11 @@ static struct {
},
{
{GSS_KRB5_INQ_SSPI_SESSION_KEY_OID_LENGTH, GSS_KRB5_INQ_SSPI_SESSION_KEY_OID},
- gss_krb5int_inq_session_key
+ gss_krb5int_inq_sspi_session_key
+ },
+ {
+ {GSS_KRB5_INQ_ODBC_SESSION_KEY_OID_LENGTH, GSS_KRB5_INQ_ODBC_SESSION_KEY_OID},
+ gss_krb5int_inq_odbc_session_key
},
{
{GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXPORT_LUCID_SEC_CONTEXT_OID},
diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c
index 51be20252..97678e3ec 100644
--- a/src/lib/gssapi/krb5/inq_context.c
+++ b/src/lib/gssapi/krb5/inq_context.c
@@ -186,58 +186,95 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name,
return GSS_S_COMPLETE;
}
-OM_uint32
-gss_krb5int_inq_session_key(
- OM_uint32 *minor_status,
- const gss_ctx_id_t context_handle,
- const gss_OID desired_object,
- gss_buffer_set_t *data_set)
+/* Add two buffers to data_set giving the contents and enctype of key. */
+static OM_uint32
+inq_session_key_result(OM_uint32 *minor_status, krb5_key key,
+ gss_buffer_set_t *data_set)
{
- krb5_gss_ctx_id_rec *ctx;
- krb5_key key;
gss_buffer_desc keyvalue, keyinfo;
- OM_uint32 major_status, minor;
+ OM_uint32 major, tmpmin;
unsigned char oid_buf[GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH + 6];
gss_OID_desc oid;
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
- key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey;
-
keyvalue.value = key->keyblock.contents;
keyvalue.length = key->keyblock.length;
-
- major_status = generic_gss_add_buffer_set_member(minor_status, &keyvalue, data_set);
- if (GSS_ERROR(major_status))
+ major = generic_gss_add_buffer_set_member(minor_status, &keyvalue,
+ data_set);
+ if (GSS_ERROR(major))
goto cleanup;
oid.elements = oid_buf;
oid.length = sizeof(oid_buf);
-
- major_status = generic_gss_oid_compose(minor_status,
- GSS_KRB5_SESSION_KEY_ENCTYPE_OID,
- GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
- key->keyblock.enctype,
- &oid);
- if (GSS_ERROR(major_status))
+ major = generic_gss_oid_compose(minor_status,
+ GSS_KRB5_SESSION_KEY_ENCTYPE_OID,
+ GSS_KRB5_SESSION_KEY_ENCTYPE_OID_LENGTH,
+ key->keyblock.enctype, &oid);
+ if (GSS_ERROR(major))
goto cleanup;
keyinfo.value = oid.elements;
keyinfo.length = oid.length;
-
- major_status = generic_gss_add_buffer_set_member(minor_status, &keyinfo, data_set);
- if (GSS_ERROR(major_status))
+ major = generic_gss_add_buffer_set_member(minor_status, &keyinfo,
+ data_set);
+ if (GSS_ERROR(major))
goto cleanup;
return GSS_S_COMPLETE;
cleanup:
if (*data_set != GSS_C_NO_BUFFER_SET) {
- if ((*data_set)->count != 0)
- memset((*data_set)->elements[0].value, 0, (*data_set)->elements[0].length);
- gss_release_buffer_set(&minor, data_set);
+ if ((*data_set)->count != 0) {
+ zap((*data_set)->elements[0].value,
+ (*data_set)->elements[0].length);
+ }
+ gss_release_buffer_set(&tmpmin, data_set);
}
- return major_status;
+ return major;
+}
+
+OM_uint32
+gss_krb5int_inq_sspi_session_key(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ krb5_gss_ctx_id_t ctx = (krb5_gss_ctx_id_t)context_handle;
+ krb5_key key;
+
+ if (ctx->terminated || !ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+ key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey;
+ return inq_session_key_result(minor_status, key, data_set);
+}
+
+OM_uint32
+gss_krb5int_inq_odbc_session_key(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_OID desired_object,
+ gss_buffer_set_t *data_set)
+{
+ OM_uint32 major;
+ krb5_error_code ret;
+ krb5_gss_ctx_id_t ctx = (krb5_gss_ctx_id_t)context_handle;
+ krb5_key key;
+
+ if (ctx->terminated || !ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return GSS_S_NO_CONTEXT;
+ }
+
+ ret = krb5_auth_con_getkey_k(ctx->k5_context, ctx->auth_context, &key);
+ if (ret) {
+ *minor_status = ret;
+ return GSS_S_FAILURE;
+ }
+
+ major = inq_session_key_result(minor_status, key, data_set);
+ krb5_k_free_key(ctx->k5_context, key);
+ return major;
}
OM_uint32
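Review bot: gss_krb5int_inq_odbc_session_key checks only the return code of krb5_auth_con_getkey_k before handing key to inq_session_key_result, which immediately dereferences `key->keyblock.contents`; if that call can succeed with a NULL key (it hands back whatever the auth context holds, as far as I recall, and the established check above does not guarantee the auth context still has one), this is a NULL dereference rather than an error return. A guard after the call, `if (key == NULL) { *minor_status = KG_CTX_INCOMPLETE; return GSS_S_NO_CONTEXT; }`, keeps the failure in-band like the terminated/established check above it. The two exported functions would also benefit from a one-line comment each stating which key they return, e.g. `/* Return the acceptor subkey (or initiator subkey) of an established context. */` on the SSPI variant and `/* Return the ticket session key from the auth context, not the subkey. */` on the ODBC variant, since the only distinction between them is the key source and the header comment does not spell it out.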