From 3049181d9bcbad17360d20d66093aafd537a240c Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Mon, 6 May 2024 22:07:21 +0100
Subject: [PATCH] [winpr,sspi] skip IP addresses for kerberos auth

kerberos requires hostnames to authenticate, if we connect with a IP address do not try kerberos based authentication
---
 winpr/libwinpr/sspi/Kerberos/kerberos.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/winpr/libwinpr/sspi/Kerberos/kerberos.c b/winpr/libwinpr/sspi/Kerberos/kerberos.c
index cba8038ad..614d94807 100644
--- a/winpr/libwinpr/sspi/Kerberos/kerberos.c
+++ b/winpr/libwinpr/sspi/Kerberos/kerberos.c
@@ -39,6 +39,7 @@
 #include
 #include
 #include
+#include
 #include "kerberos.h"
@@ -198,6 +199,25 @@ static INLINE krb5glue_key get_key(struct krb5glue_keyset* keyset)
 #endif /* WITH_KRB5 */
+static BOOL isValidIPv4(const char* ipAddress)
+{
+ struct sockaddr_in sa = { 0 };
+ int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
+ return result != 0;
+}
+
+static BOOL isValidIPv6(const char* ipAddress)
+{
+ struct sockaddr_in6 sa = { 0 };
+ int result = inet_pton(AF_INET6, ipAddress, &(sa.sin6_addr));
+ return result != 0;
+}
+
+static BOOL isValidIP(const char* ipAddress)
+{
+ return isValidIPv4(ipAddress) || isValidIPv6(ipAddress);
+}
+
 static SECURITY_STATUS SEC_ENTRY kerberos_AcquireCredentialsHandleA(
 SEC_CHAR* pszPrincipal, SEC_CHAR* pszPackage, ULONG fCredentialUse, void* pvLogonID, void* pAuthData, SEC_GET_KEY_FN pGetKeyFn, void* pvGetKeyArgument, PCredHandle phCredential,
@@ -822,6 +842,11 @@ static SECURITY_STATUS SEC_ENTRY kerberos_InitializeSecurityContextA(
 }
 else
 host = target;
+ if (isValidIP(host))
+ {
+ status = SEC_E_NO_CREDENTIALS;
+ goto cleanup;
+ }
 }
 /* SSPI flags are compatible with GSS flags except INTEG_FLAG */
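Review bot: `isValidIPv4` and `isValidIPv6` return `result != 0`, which also counts the error return of `inet_pton` as a match. `inet_pton` returns 1 for a valid address, 0 for a string that does not parse and -1 when the address family is not supported, so on a host without AF_INET6 support `isValidIPv6` would report every hostname as an IP address and the new check in `kerberos_InitializeSecurityContextA` would turn Kerberos off for all targets. Both helpers should end with `return result == 1;`. Neither helper guards against a NULL `ipAddress`; whether `host` can be NULL at the call site is not visible in this patch, so `if (!ipAddress) return FALSE;` at the top of `isValidIP` would make the contract explicit.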
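Review bot: The early exit added after `host = target;` abandons Kerberos without leaving a trace, as there is neither a log line nor a comment saying that the target was an IP literal. Returning `SEC_E_NO_CREDENTIALS` here presumably lets negotiation continue with another package, so the switch away from Kerberos should be visible to whoever audits the authentication path, e.g. `WLog_DBG(TAG, "target %s is an IP address, not attempting Kerberos", host);` (assuming the file's usual WLog `TAG`). A short comment would help too, such as `/* Kerberos needs a host name to build the service principal; IP literals are rejected here */`. The body of `kerberos_InitializeSecurityContextA` starts and ends outside this hunk, so how `host` is derived in the branch above and what `cleanup` releases cannot be checked from here.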