kdc: use anonymous, not empty, cname when hiding

RFC 6113 5.4.2 says that when hiding client names in the outer reply of a FAST
response, the wellknown anonymous principal MUST be used.

The previous implementation returned an empty client name and realm, which may
not be expected by some clients.
Luke Howard
2021-08-11 12:20:52 +10:00
parent b510b90239
commit b216697924


@@ -1071,9 +1071,16 @@ _kdc_encode_reply(krb5_context context,
* Hide client name of privacy reasons
*/
if (1 /* r->fast_options.hide_client_names */) {
rep->crealm[0] = '\0';
free_PrincipalName(&rep->cname);
rep->cname.name_type = 0;
Realm anon_realm = KRB5_ANON_REALM;
free_Realm(&rep->crealm);
ret = copy_Realm(&anon_realm, &rep->crealm);
if (ret == 0) {
free_PrincipalName(&rep->cname);
ret = _kdc_make_anonymous_principalname(&rep->cname);
}
if (ret)
return ret;
}
}
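Review bot: The guard around the new substitution is still the literal `if (1 /* r->fast_options.hide_client_names */)`, so every reply that reaches this block now carries the anonymous realm and principal in the outer crealm/cname, whether or not the client set the hide-client-names option. With the old empty name that was easy to overlook; with a real well-known principal, a client that did not ask for hiding and compares the outer cname with the name it requested may see a mismatch. The condition should test the option once it is tracked, e.g. `if (r->fast_options.hide_client_names) {`, assuming that field is or becomes available. The comment above the block could also state the rule, e.g. `Hide the client name for privacy reasons: RFC 6113 5.4.2 requires the well-known anonymous principal in the outer reply`. _kdc_encode_reply starts and ends outside the hunk, so it is not visible here whether the new `return ret;` skips cleanup of anything allocated earlier in the function; that is worth checking.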