From: Greg Hudson Date: Sat, 31 Aug 2013 15:45:48 +0000 (-0400) Subject: Support FAST hide-client-names option X-Git-Tag: krb5-1.12-alpha1~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ebf39d8787b04b524967cdd48f1f1bcaf6bf8f9;p=thirdparty%2Fkrb5.git Support FAST hide-client-names option In the KDC, if we see the hide-client-names option, identify the client as the anonymous principal in KDC-REP and KRB-ERROR responses. The actual client name is present in encrypted FAST elements. ticket: 7700 (new)
---
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index ab97f40bb6..d6f9325eb6 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -778,7 +778,7 @@ typedef struct _krb5_fast_req {
 /* Bits 0-15 are critical in fast options.*/
 #define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
-#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
+#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x40000000
 typedef struct _krb5_fast_finished {
 krb5_timestamp timestamp;
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 51ac4aae39..11ba5a283d 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -305,6 +305,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
 goto egress;
 }
+ if (kdc_fast_hide_client(state->rstate))
+ state->reply.client = (krb5_principal)krb5_anonymous_principal();
 errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP, &state->reply_encpart, 0, as_encrypting_key,
@@ -782,6 +784,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
 scratch = k5alloc(sizeof(*scratch), &retval);
 if (scratch == NULL)
 goto cleanup;
+ if (kdc_fast_hide_client(rstate) && errpkt.client != NULL)
+ errpkt.client = (krb5_principal)krb5_anonymous_principal();
 retval = krb5_mk_error(kdc_context, &errpkt, scratch);
 if (retval)
 goto cleanup;
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index e66badbbad..85f07f171e 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
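Review bot: The companion mask UNSUPPORTED_CRITICAL_FAST_OPTIONS (0x00ff), two lines above the changed define, no longer agrees with the bit numbering the new value implies: if hide-client-names is option bit 1 and is now 0x40000000, the flags are MSB-first, so the "Bits 0-15 are critical" range the comment describes is 0xffff0000, and 0x00ff actually tests bits 24-31. Under that reading an unknown critical option such as bit 2 (0x20000000) would pass the unsupported-critical check and be accepted as if it were non-critical, which is the opposite of what a KDC must do with critical FAST options. If the KDC's check uses this mask (its consumer is not visible in this hunk), it should become `#define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0xbfff0000` (bits 0-15 minus the now-supported bit 1); confirm the decode direction against the flags decoder before changing it.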
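Review bot: The new assignment in finish_process_as_req casts away the const of krb5_anonymous_principal() and makes state->reply.client alias a library-owned principal; that is only safe if nothing on the egress path frees or modifies reply.client, which this hunk does not show. A one-line comment above the assignment would pin the invariant for whoever next touches the cleanup code: `/* Aliases a static principal; reply.client must not be freed or modified after this. */`. finish_process_as_req begins and ends outside the hunk, so I cannot confirm the cleanup behaviour from here.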
@@ -739,6 +739,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
 goto cleanup;
 }
+ if (kdc_fast_hide_client(state))
+ reply.client = (krb5_principal)krb5_anonymous_principal();
 errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, subkey ? 1 : 0, reply_key,
@@ -877,6 +879,8 @@ prepare_error_tgs (struct kdc_request_state *state,
 }
 if (fast_edata)
 errpkt.e_data = *fast_edata;
+ if (kdc_fast_hide_client(state) && errpkt.client != NULL)
+ errpkt.client = (krb5_principal)krb5_anonymous_principal();
 retval = krb5_mk_error(kdc_context, &errpkt, scratch);
 free(errpkt.text.data);
 krb5_free_data(kdc_context, e_data_asn1);
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 4fa36c6fc2..14d833fa58 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -516,3 +516,9 @@ kdc_preauth_get_cookie(struct kdc_request_state *state,
 *cookie = pa;
 return 0;
 }
+
+krb5_boolean
+kdc_fast_hide_client(struct kdc_request_state *state)
+{
+ return (state->fast_options & KRB5_FAST_OPTION_HIDE_CLIENT_NAMES) != 0;
+}
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 8e8d102745..c50ee848a1 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -371,6 +371,10 @@ krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
 krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state,
 krb5_pa_data **cookie);
+
+krb5_boolean
+kdc_fast_hide_client(struct kdc_request_state *state);
+
 krb5_error_code kdc_handle_protected_negotiation(
 krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
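Review bot: In prepare_error_tgs the anonymous-principal substitution is placed after `errpkt.e_data = *fast_edata;`, and that ordering is load-bearing but undocumented: the FAST e_data two lines up is presumably built from the real errpkt earlier in the function, so the encrypted inner error keeps the true client name while only the outer KRB-ERROR is anonymised, and hoisting the substitution above the FAST handling would strip the name from the inner error as well, contrary to the commit message. A comment on the new line would protect that: `/* Must follow the FAST e_data construction so the inner (encrypted) error still carries the real client name. */`. prepare_error_tgs begins outside the hunk, so I cannot see where errpkt.client is set or whether the substituted pointer is ever passed to a free.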
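Review bot: kdc_fast_hide_client dereferences state unconditionally, yet its new callers include prepare_error_as and prepare_error_tgs, the paths that report failures; if either can be reached with a NULL request state (for instance when allocating the state itself failed early), an ordinary error response would become a crash on a client-triggerable path. I cannot see the callers' guarantees from this hunk, but a NULL guard costs nothing: `return state != NULL && (state->fast_options & KRB5_FAST_OPTION_HIDE_CLIENT_NAMES) != 0;`. The function also lacks a comment; something like `/* Return true if the FAST request set hide-client-names, so cleartext KDC-REP and KRB-ERROR fields must name the anonymous principal instead of the client. */` above the definition would tell the next reader why it exists.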