kdc: use anonymous, not empty, cname when hiding
RFC 6113 5.4.2 says that when hiding client names in the outer reply of a FAST response, the wellknown anonymous principal MUST be used. The previous implementation returned an empty client name and realm, which may not be expected by some clients.
@@ -1071,9 +1071,16 @@ _kdc_encode_reply(krb5_context context,
|
||||
* Hide client name of privacy reasons
|
||||
*/
|
||||
if (1 /* r->fast_options.hide_client_names */) {
|
||||
rep->crealm[0] = '\0';
|
||||
free_PrincipalName(&rep->cname);
|
||||
rep->cname.name_type = 0;
|
||||
Realm anon_realm = KRB5_ANON_REALM;
|
||||
|
||||
free_Realm(&rep->crealm);
|
||||
ret = copy_Realm(&anon_realm, &rep->crealm);
|
||||
if (ret == 0) {
|
||||
free_PrincipalName(&rep->cname);
|
||||
ret = _kdc_make_anonymous_principalname(&rep->cname);
|
||||
}
|
||||
if (ret)
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
||||
|
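Review bot: On the failure path of the new block, `return ret` leaves `rep` half-rewritten: if `copy_Realm` fails after `free_Realm(&rep->crealm)`, the function returns with the realm freed while `rep->cname` still holds the real client name. That protects the client's identity only if every caller of `_kdc_encode_reply` discards `rep` on a non-zero return and never encodes it, which cannot be confirmed here because the rest of the function and its callers lie outside the hunk. I would state that contract at the site, for example `/* RFC 6113 5.4.2: outer reply carries the anonymous principal; on error rep is partially rewritten and must not be sent */`. Separately, the guard is still `if (1 /* r->fast_options.hide_client_names */)`, so the anonymous name replaces the client name in every reply reaching this block, not only when the client asked for hiding; if that is intentional, a short comment saying so would help the next reader.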