From b21669792457beda28ec15014e01ee226b51dcf8 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Wed, 11 Aug 2021 12:20:52 +1000 Subject: [PATCH] kdc: use anonymous, not empty, cname when hiding RFC 6113 5.4.2 says that when hiding client names in the outer reply of a FAST response, the wellknown anonymous principal MUST be used. The previous implementation returned an empty client name and realm, which may not be expected by some clients. --- kdc/kerberos5.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index b1e65e2ea..219e77547 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -1071,9 +1071,16 @@ _kdc_encode_reply(krb5_context context, * Hide client name of privacy reasons */ if (1 /* r->fast_options.hide_client_names */) { - rep->crealm[0] = '\0'; - free_PrincipalName(&rep->cname); - rep->cname.name_type = 0; + Realm anon_realm = KRB5_ANON_REALM; + + free_Realm(&rep->crealm); + ret = copy_Realm(&anon_realm, &rep->crealm); + if (ret == 0) { + free_PrincipalName(&rep->cname); + ret = _kdc_make_anonymous_principalname(&rep->cname); + } + if (ret) + return ret; } }