Add DeriveKeyFromSessionKey API for auth #113003
Conversation
Added the DeriveKeyFromSessionKey function to NegotiateAuthentication which can be used to retrieve the session key negotiated between the client and server in a negotiated authentication context. This can be used by protocols that do not use the builtin wrapping mechanisms but instead derive their own authentication method from the session key. Fix dotnet#111099
|
Note regarding the |
1 similar comment
|
Note regarding the |
dotnet-policy-service
bot
added
the
community-contribution
|
The proposed API in #111099 hasn't been approved yet. Generally, pull requests for un-approved APIs should not be opened, per the API review process. |
| Debug.Assert(_securityContext is not null); | ||
|
|
||
| SecPkgContext_SessionKey sessionKey = default; | ||
| int result = Interop.SspiCli.QueryContextAttributesW(ref _securityContext._handle, Interop.SspiCli.ContextAttribute.SECPKG_ATTR_SESSION_KEY, &sessionKey); |
There was a problem hiding this comment.
Some other APIs use SSPIWrapper.QueryBlittableContextAttributes but that doesn't seem to great with this API as:
- It returns a bool to see if it worked or not which makes it hard to get the original error to the caller on a failure
- The whole SafeHandle and freeing setup seems quite complicated
- This is compounded because it seems like I need a custom handle to point to the
SessionKeyfield
- This is compounded because it seems like I need a custom handle to point to the
So in the end I just manually call the API and FreeContextBuffer the required address. Happy to change it if needed but I wasn't fully sure what the benefits really would be
| @@ -56,6 +56,13 @@ static gss_OID_desc gss_mech_ntlm_OID_desc = {.length = STRING_LENGTH(gss_ntlm_o | |||
| .elements = gss_ntlm_oid_value}; | |||
| #endif | |||
|
|
|||
| #if !HAVE_GSS_C_INQ_SSPI_SESSION_KEY | |||
There was a problem hiding this comment.
I'm not 100% sure what I'm doing here. It seems like MIT krb5, Heimdal, and GSS Framework do define GSS_C_INQ_SSPI_SESSION_KEY and works when I compile it from the src/native/libs dir but when I tried to compile .NET from the root project I still needed to manually define it. In the end it didn't seem an issue to just redefine if needed but happy to change this around if needed.
| NetSecurityNative_MoveBuffer(&sessionKey->elements[0], outBuffer); | ||
|
|
||
| for (i = 1; i < sessionKey->count; i++) | ||
| { | ||
| gss_release_buffer(&minorStatusFree, &sessionKey->elements[i]); | ||
| } | ||
| free(sessionKey->elements); | ||
| free(sessionKey); | ||
|
|
||
| return majorStatus; |
There was a problem hiding this comment.
Ideally it would be nice to return the buffer set and have the caller extra the element needed but the use of the shim makes it quite hard to store both the set structure and the elements in there. In the end I found it easier to just set the output buffer to the one that's needed and manually free the remaining buffer set values that gss_release_buffer_set would have done for us anyway.
|
@vcsjones oh sorry I assumed based on the conversation it was approved but if that's not the case I can close this and wait for approval. Is there any steps I'm missing for the approval process or is it just waiting for someone to get to it? |
|
Approved APIs are labeled |
Added the DeriveKeyFromSessionKey function to NegotiateAuthentication which can be used to retrieve the session key negotiated between the client and server in a negotiated authentication context. This can be used by protocols that do not use the builtin wrapping mechanisms but instead derive their own authentication method from the session key.
Fix #111099