krb5 commit: Support FAST hide-client-names option
Greg Hudson
ghudson at MIT.EDU
Tue Sep 3 19:43:49 EDT 2013
https://github.com/krb5/krb5/commit/0ebf39d8787b04b524967cdd48f1f1bcaf6bf8f9
commit 0ebf39d8787b04b524967cdd48f1f1bcaf6bf8f9
Author: Greg Hudson <ghudson at mit.edu>
Date: Sat Aug 31 11:45:48 2013 -0400
Support FAST hide-client-names option
In the KDC, if we see the hide-client-names option, identify the
client as the anonymous principal in KDC-REP and KRB-ERROR responses.
The actual client name is present in encrypted FAST elements.
ticket: 7700 (new)
src/include/k5-int.h | 2 +-
src/kdc/do_as_req.c | 4 ++++
src/kdc/do_tgs_req.c | 4 ++++
src/kdc/fast_util.c | 6 ++++++
src/kdc/kdc_util.h | 4 ++++
5 files changed, 19 insertions(+), 1 deletions(-)
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index ab97f40..d6f9325 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -778,7 +778,7 @@ typedef struct _krb5_fast_req {
/* Bits 0-15 are critical in fast options.*/
#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
-#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
+#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x40000000
typedef struct _krb5_fast_finished {
krb5_timestamp timestamp;
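Review bot: The new value 0x40000000 for hide-client-names and the mask `UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff` two lines above no longer agree on which end of the word is bit 0. If option bit 1 is 0x40000000, then bit 0 is 0x80000000 and the "bits 0-15" the comment calls critical are 0xffff0000, so a 0x00ff mask tests bits 24-31 and would not reject a request carrying an unknown critical option; if the flag decoder instead numbers bits from the LSB, it is the new constant that is off. Which of the two holds depends on how the KerberosFlags bit string is unpacked, which is not visible in this hunk, so confirm against the decoder. Under MSB-first numbering the mask should be the critical bits minus the one now supported, `#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0xbfff0000`; either way both constants should be derived from one numbering, with the comment stating which bit is the MSB.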
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 51ac4aa..11ba5a2 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -305,6 +305,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
goto egress;
}
+ if (kdc_fast_hide_client(state->rstate))
+ state->reply.client = (krb5_principal)krb5_anonymous_principal();
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP,
&state->reply_encpart, 0,
as_encrypting_key,
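Review bot: The added assignment overwrites `state->reply.client` with a library-owned constant through a cast that discards its const qualifier, and nothing in the hunk shows who owned the previous pointer or whether the reply structure is released at `egress`. If the old value was an owned copy it leaks here; if a cleanup path frees `reply.client`, it would now free the storage behind `krb5_anonymous_principal()`. Whichever it is, the ownership should be stated at the point of assignment, e.g. `/* Library-owned constant; reply.client is not freed with the reply. */`. finish_process_as_req starts and ends outside this hunk.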
@@ -782,6 +784,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
scratch = k5alloc(sizeof(*scratch), &retval);
if (scratch == NULL)
goto cleanup;
+ if (kdc_fast_hide_client(rstate) && errpkt.client != NULL)
+ errpkt.client = (krb5_principal)krb5_anonymous_principal();
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
if (retval)
goto cleanup;
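Review bot: Replacing `errpkt.client` hides the name only in the KRB-ERROR cname field; the cleartext `e_text` of the same packet is not touched, and `prepare_error_as` is reached with a caller-supplied status string that this hunk does not show. If any status text or preauthentication failure routed through here embeds the client principal name, it would still leave the KDC in the clear with hide-client-names set, so either confirm that no such text is produced or redact it under the same condition. The `errpkt.client != NULL` guard is right, since an error for a request that named no client must not gain one; a one-line comment such as `/* Per RFC 6113, substitute the anonymous name, but never invent one. */` would make that deliberate. prepare_error_as starts and ends outside this hunk.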
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index e66badb..85f07f1 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -739,6 +739,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
goto cleanup;
}
+ if (kdc_fast_hide_client(state))
+ reply.client = (krb5_principal)krb5_anonymous_principal();
errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
subkey ? 1 : 0,
reply_key,
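Review bot: The added lines repeat the AS-REP change verbatim, including the const-discarding cast of `krb5_anonymous_principal()`, but here `reply.client` is a local whose prior value and ownership are not visible in the hunk; if `reply` is torn down at `cleanup` by a routine that frees its members, the library constant would be freed. Either document it at the assignment, `/* Not owned: krb5_anonymous_principal() is a library constant. */`, or fold the cast and the check into one static helper in fast_util.c so the same three-line pattern is not repeated at four sites. process_tgs_req starts and ends outside this hunk.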
@@ -877,6 +879,8 @@ prepare_error_tgs (struct kdc_request_state *state,
}
if (fast_edata)
errpkt.e_data = *fast_edata;
+ if (kdc_fast_hide_client(state) && errpkt.client != NULL)
+ errpkt.client = (krb5_principal)krb5_anonymous_principal();
retval = krb5_mk_error(kdc_context, &errpkt, scratch);
free(errpkt.text.data);
krb5_free_data(kdc_context, e_data_asn1);
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 4fa36c6..14d833f 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -516,3 +516,9 @@ kdc_preauth_get_cookie(struct kdc_request_state *state,
*cookie = pa;
return 0;
}
+
+krb5_boolean
+kdc_fast_hide_client(struct kdc_request_state *state)
+{
+ return (state->fast_options & KRB5_FAST_OPTION_HIDE_CLIENT_NAMES) != 0;
+}
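Review bot: The new `kdc_fast_hide_client` has no comment, unlike the neighbouring KDC FAST helpers, and its only precondition, a non-NULL `state`, is left to the callers (the AS error path passes `rstate`, which this hunk cannot show to be set on every path that prepares an error). Add a header comment such as `/* Return true if the client's FAST request carried the hide-client-names option.  state must be non-NULL. */`. If `fast_options` is populated only from the decrypted FAST request, it is worth saying so there as well, since an unarmored request then cannot trigger the cleartext cname substitution, which is what makes it safe to key the reply shape off this flag.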
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 8e8d102..c50ee84 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -371,6 +371,10 @@ krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state,
krb5_pa_data **cookie);
+
+krb5_boolean
+kdc_fast_hide_client(struct kdc_request_state *state);
+
krb5_error_code
kdc_handle_protected_negotiation( krb5_context context,
krb5_data *req_pkt, krb5_kdc_req *request,