kfw fixes: make leash ignore credentials that store config principals

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7050

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25555 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/windows/include/loadfuncs-krb5.h b/src/windows/include/loadfuncs-krb5.h
index 58ff443bff546f2bcf51598e22ef6ec2d45df153..b577a95cda45f62d9b4a3b913ac38684ebdf2a88 100644 (file)
--- a/src/windows/include/loadfuncs-krb5.h
+++ b/src/windows/include/loadfuncs-krb5.h
@@ -1775,4 +1775,11 @@ TYPEDEF_FUNC(
     krb5_clear_error_message,
     (krb5_context)
     );
+
+TYPEDEF_FUNC(
+    krb5_boolean,
+    KRB5_CALLCONV,
+    krb5_is_config_principal,
+    (krb5_context, krb5_const_principal)
+    );
 #endif /* __LOADFUNCS_KRB5_H__ */

diff --git a/src/windows/leashdll/krb5routines.c b/src/windows/leashdll/krb5routines.c
index 521602c6fac9302c97ebca2cc6f2a6108f57d7e2..ccd9dd8ce3d1b7a3c30d166e8cefe90d1f409831 100644 (file)
--- a/src/windows/leashdll/krb5routines.c
+++ b/src/windows/leashdll/krb5routines.c
@@ -450,6 +450,11 @@ not_an_API_LeashKRB5GetTickets(
 
     while (!(code = pkrb5_cc_next_cred(ctx, cache, &KRBv5Cursor, &KRBv5Credentials)))
     {
+        if ((*pkrb5_is_config_principal)(ctx, KRBv5Credentials.server))
+        { /* skip configuration credentials */
+            (*pkrb5_free_cred_contents)(ctx, &KRBv5Credentials);
+            continue;
+        }
         if (!list)
         {
             list = (TicketList*) calloc(1, sizeof(TicketList));

diff --git a/src/windows/leashdll/leashdll.c b/src/windows/leashdll/leashdll.c
index 712a8e68ba1a3f1977b5da99a414067f4600dcc6..eb11a366ff35a59911aab659bf57d039d8ff1304 100644 (file)
--- a/src/windows/leashdll/leashdll.c
+++ b/src/windows/leashdll/leashdll.c
@@ -82,6 +82,7 @@ DECL_FUNC_PTR(krb5_free_addresses);
 DECL_FUNC_PTR(krb5_free_default_realm);
 DECL_FUNC_PTR(krb5_principal_compare);
 DECL_FUNC_PTR(krb5_string_to_deltat);
+DECL_FUNC_PTR(krb5_is_config_principal);
 
 // ComErr functions
 DECL_FUNC_PTR(com_err);
@@ -178,6 +179,7 @@ FUNC_INFO k5_fi[] = {
     MAKE_FUNC_INFO(krb5_free_default_realm),
     MAKE_FUNC_INFO(krb5_principal_compare),
     MAKE_FUNC_INFO(krb5_string_to_deltat),
+    MAKE_FUNC_INFO(krb5_is_config_principal),
     END_FUNC_INFO
 };
 

diff --git a/src/windows/leashdll/leashdll.h b/src/windows/leashdll/leashdll.h
index 74cceab82322d622ba8dd78477891f476863ba92..1b7ddfc12a8c001907619d648e26a054da70c638 100644 (file)
--- a/src/windows/leashdll/leashdll.h
+++ b/src/windows/leashdll/leashdll.h
@@ -221,6 +221,7 @@ extern DECL_FUNC_PTR(krb5_c_random_make_octets);
 extern DECL_FUNC_PTR(krb5_free_default_realm);
 extern DECL_FUNC_PTR(krb5_principal_compare);
 extern DECL_FUNC_PTR(krb5_string_to_deltat);
+extern DECL_FUNC_PTR(krb5_is_config_principal);
 
 #ifndef NO_KRB4
 // Krb524 functions