Support FAST hide-client-names option

In the KDC, if we see the hide-client-names option, identify the
client as the anonymous principal in KDC-REP and KRB-ERROR responses.
The actual client name is present in encrypted FAST elements.

ticket: 7700 (new)

5 files changed, 19 insertions, 1 deletions

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index ab97f40bb..d6f9325eb 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -778,7 +778,7 @@ typedef struct _krb5_fast_req {
 
 /* Bits 0-15 are critical in fast options.*/
 #define UNSUPPORTED_CRITICAL_FAST_OPTIONS 0x00ff
-#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES 0x01
+#define KRB5_FAST_OPTION_HIDE_CLIENT_NAMES  0x40000000
 
 typedef struct _krb5_fast_finished {
     krb5_timestamp timestamp;
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 51ac4aae3..11ba5a283 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -305,6 +305,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
         goto egress;
     }
 
+    if (kdc_fast_hide_client(state->rstate))
+        state->reply.client = (krb5_principal)krb5_anonymous_principal();
     errcode = krb5_encode_kdc_rep(kdc_context, KRB5_AS_REP,
                                   &state->reply_encpart, 0,
                                   as_encrypting_key,
@@ -782,6 +784,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
     scratch = k5alloc(sizeof(*scratch), &retval);
     if (scratch == NULL)
         goto cleanup;
+    if (kdc_fast_hide_client(rstate) && errpkt.client != NULL)
+        errpkt.client = (krb5_principal)krb5_anonymous_principal();
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     if (retval)
         goto cleanup;
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index e66badbba..85f07f171 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -739,6 +739,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
         goto cleanup;
     }
 
+    if (kdc_fast_hide_client(state))
+        reply.client = (krb5_principal)krb5_anonymous_principal();
     errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart,
                                   subkey ? 1 : 0,
                                   reply_key,
@@ -877,6 +879,8 @@ prepare_error_tgs (struct kdc_request_state *state,
     }
     if (fast_edata)
         errpkt.e_data = *fast_edata;
+    if (kdc_fast_hide_client(state) && errpkt.client != NULL)
+        errpkt.client = (krb5_principal)krb5_anonymous_principal();
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
     krb5_free_data(kdc_context, e_data_asn1);
diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
index 4fa36c6fc..14d833fa5 100644
--- a/src/kdc/fast_util.c
+++ b/src/kdc/fast_util.c
@@ -516,3 +516,9 @@ kdc_preauth_get_cookie(struct kdc_request_state *state,
     *cookie = pa;
     return 0;
 }
+
+krb5_boolean
+kdc_fast_hide_client(struct kdc_request_state *state)
+{
+    return (state->fast_options & KRB5_FAST_OPTION_HIDE_CLIENT_NAMES) != 0;
+}
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index 8e8d10274..c50ee848a 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -371,6 +371,10 @@ krb5_error_code kdc_fast_handle_reply_key(struct kdc_request_state *state,
 
 krb5_error_code kdc_preauth_get_cookie(struct kdc_request_state *state,
                                        krb5_pa_data **cookie);
+
+krb5_boolean
+kdc_fast_hide_client(struct kdc_request_state *state);
+
 krb5_error_code
 kdc_handle_protected_negotiation( krb5_context context,
                                   krb5_data *req_pkt, krb5_kdc_req *request,