WS-Security and GSS-API: How do I get the session key?

Luke Howard lukeh at padl.com
Tue Feb 24 08:36:54 EST 2009


> I don't recall offhand if there's been an IETF draft proposing the
> specific extension we've got for extracting the session key.

Something like:

#include <gssapi/gssapi.h>
#include <gssapi/gssapi_ext.h>

{
   OM_uint32 major, minor;
   gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
   gss_buffer_set_t skey = GSS_C_NO_BUFFER_SET;

...

   major = gss_inquire_sec_context_by_oid(&minor,
					 ctx,
					 GSS_C_INQ_SSPI_SESSION_KEY,
					 &skey);
   if (GSS_ERROR(major))
     // handle error

   if (skey == GSS_C_NO_BUFFER_SET ||
       skey->count < 1 ||
       skey->elements[0].value == NULL)
     // optional paranoid error checking

   // session key can be found in skey->elements[0]
   // OID corresponding to enctype can be found in skey->elements[1]

   gss_release_buffer_set(&minor, &skey);

...
}

-- Luke


More information about the Kerberos mailing list