From 17f31adbff44d38bd62d5f39c9ef97b9ab1184b1 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@auristor.com>
Date: Mon, 3 Jun 2024 14:05:37 -0400
Subject: [PATCH] gssapi/krb5: _gsskrb5_display_name return GSS_C_NT_ANONYMOUS

If the Kerberos v5 principal name is

  WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS

and the principal type is KRB5_NT_WELLKNOWN, then gss_display_name()
is expected to return GSS_C_NT_ANONYMOUS instead of
GSS_KRB5_NT_PRINCIPAL_NAME.  This change matches the behavior of
MIT Kerberos.
---
 lib/gssapi/krb5/display_name.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/gssapi/krb5/display_name.c b/lib/gssapi/krb5/display_name.c
index 67cb61e7c..c5f717faa 100644
--- a/lib/gssapi/krb5/display_name.c
+++ b/lib/gssapi/krb5/display_name.c
@@ -65,8 +65,12 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_display_name
     memcpy (output_name_buffer->value, buf, len);
     ((char *)output_name_buffer->value)[len] = '\0';
     free (buf);
-    if (output_name_type)
-	*output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
+    if (output_name_type) {
+	if (krb5_principal_is_anonymous(context, name, 0))
+	    *output_name_type = GSS_C_NT_ANONYMOUS;
+	else
+	    *output_name_type = GSS_KRB5_NT_PRINCIPAL_NAME;
+    }
     *minor_status = 0;
     return GSS_S_COMPLETE;
 }