From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Sat, 31 Jan 2004 09:29:13 +0000 (+0000)
Subject: Do not export tickets from the LSA if they contain NULL session keys.
X-Git-Tag: krb5-1.4-beta1~655
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=281b772a8cf77803294b90297a8f785004259d91;p=krb5.git

Do not export tickets from the LSA if they contain NULL session keys.
This is primarily to prevent unusable TGTs from being imported into the
MIT Credential Cache

ticket: 2153
tags: pullup

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15991 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog
index cca7ecb01..f9e7d5254 100644
--- a/src/lib/krb5/ccache/ChangeLog
+++ b/src/lib/krb5/ccache/ChangeLog
@@ -1,3 +1,9 @@
+2004-01-31  Jeffrey Altman <jaltman@mit.edu>
+
+   * cc_mslsa.c: Do not return tickets to the caller if they contain
+     NULL session keys.  This is to prevent useless TGTs from being
+     placed into the MIT credential cache.
+
 2004-01-30  Jeffrey Altman <jaltman@mit.edu>
 
    * cc_mslsa.c: As per extensive conversations with Doug Engert we have
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 243a86ab1..d5b9ce669 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -249,14 +249,14 @@ PreserveInitialTicketIdentity(void)
 {
     HKEY hKey;
     DWORD size = sizeof(DWORD);
+    DWORD type = REG_DWORD;
     const char *key_path = "Software\\MIT\\Kerberos5";
     const char *value_name = "PreserveInitialTicketIdentity";
     DWORD retval = 1;     /* default to Preserve */
 
-  userkey:
-    if (RegOpenKeyEx(HKEY_CURRENT_USER, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
+    if (RegOpenKeyExA(HKEY_CURRENT_USER, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
         goto syskey;
-    if (RegQueryValueEx(hKey, value_name, 0, REG_DWORD, &retval, &size) != ERROR_SUCCESS)
+    if (RegQueryValueExA(hKey, value_name, 0, &type, (LPBYTE)&retval, &size) != ERROR_SUCCESS)
     {
         RegCloseKey(hKey);
         goto syskey;
@@ -265,9 +265,9 @@ PreserveInitialTicketIdentity(void)
     goto done;
 
   syskey:
-    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
+    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
         goto done;
-    if (RegQueryValueEx(hKey, value_name, 0, REG_DWORD, &retval, &size) != ERROR_SUCCESS)
+    if (RegQueryValueExA(hKey, value_name, 0, &type, (LPBYTE)&retval, &size) != ERROR_SUCCESS)
     {
         RegCloseKey(hKey);
         goto done;
@@ -288,7 +288,7 @@ MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING InitialTicketDoma
     creds->magic=KV5M_CREDS;
 
     // construct Client Principal
-    if ( PreserveInitialTicketIdentity ) {
+    if ( PreserveInitialTicketIdentity() ) {
         wcsncpy(wrealm, InitialTicketDomain.Buffer, InitialTicketDomain.Length/sizeof(WCHAR));
         wrealm[InitialTicketDomain.Length/sizeof(WCHAR)]=0;
     } else {
@@ -1260,6 +1260,7 @@ krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
     krb5_lcc_data *data = (krb5_lcc_data *)id->data;
     KERB_EXTERNAL_TICKET *msticket, * mstgt;
 
+  next_cred:
     if ( lcursor->index >= lcursor->response->CountOfTickets )
         return KRB5_CC_END;
 
@@ -1267,6 +1268,12 @@ krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
                           &lcursor->response->Tickets[lcursor->index++],&msticket))
         return KRB5_FCC_INTERNAL;
 
+    /* Don't return tickets with NULL Session Keys */
+    if ( msticket->SessionKey.KeyType == KERB_ETYPE_NULL) {
+        LsaFreeReturnBuffer(msticket);
+        goto next_cred;
+    }
+
     /* convert the ticket */
     if (GetMSTGT(data->LogonHandle, data->PackageId, &mstgt)) {
         MSCredToMITCred(msticket, mstgt->DomainName, context, creds);