oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: use anonymous, not empty, cname when hiding

Browse Source 
RFC 6113 5.4.2 says that when hiding client names in the outer reply of a FAST
response, the wellknown anonymous principal MUST be used.

The previous implementation returned an empty client name and realm, which may
not be expected by some clients.
This commit is contained in:
Luke Howard
2021-08-11 12:20:52 +10:00
parent b510b90239
commit b216697924
1 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
kdc/kerberos5.c
View File

@@ -1071,9 +1071,16 @@ _kdc_encode_reply(krb5_context context,
* Hide client name of privacy reasons
*/
if (1 /* r->fast_options.hide_client_names */) {
rep->crealm[0] = '\0';
free_PrincipalName(&rep->cname);
rep->cname.name_type = 0;
Realm anon_realm = KRB5_ANON_REALM;
free_Realm(&rep->crealm);
ret = copy_Realm(&anon_realm, &rep->crealm);
if (ret == 0) {
free_PrincipalName(&rep->cname);
ret = _kdc_make_anonymous_principalname(&rep->cname);
}
if (ret)
return ret;
}
}