[winpr,sspi] skip IP addresses for kerberos auth

kerberos requires hostnames to authenticate, if we connect with a IP address do not try kerberos based authentication
2024-05-06 22:07:21 +01:00 · 2024-05-06 22:07:21 +01:00 · 3049181d9b
parent 61d3f1f201
commit 3049181d9b
1 changed files with 25 additions and 0 deletions
--- a/winpr/libwinpr/sspi/Kerberos/kerberos.c
+++ b/winpr/libwinpr/sspi/Kerberos/kerberos.c
@ -39,6 +39,7 @@
 #include <winpr/crypto.h>
 #include <winpr/path.h>
 #include <winpr/wtypes.h>
+#include <winpr/winsock.h>

 #include "kerberos.h"

@ -198,6 +199,25 @@ static INLINE krb5glue_key get_key(struct krb5glue_keyset* keyset)

 #endif /* WITH_KRB5 */

+static BOOL isValidIPv4(const char* ipAddress)
+{
+	struct sockaddr_in sa = { 0 };
+	int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
+	return result != 0;
+}
+
+static BOOL isValidIPv6(const char* ipAddress)
+{
+	struct sockaddr_in6 sa = { 0 };
+	int result = inet_pton(AF_INET6, ipAddress, &(sa.sin6_addr));
+	return result != 0;
+}
+
+static BOOL isValidIP(const char* ipAddress)
+{
+	return isValidIPv4(ipAddress) || isValidIPv6(ipAddress);
+}
+
 static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
    SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID,
    void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
@ -822,6 +842,11 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
 		}
 		else
 			host = target;
+		if (isValidIP(host))
+		{
+			status = SEC_E_NO_CREDENTIALS;
+			goto cleanup;
+		}
 	}

 	/* SSPI flags are compatible with GSS flags except INTEG_FLAG */