krb5 commit [krb5-1.12]: Accept anonymous GSS names in kadmind

Tom Yu tlyu at MIT.EDU
Wed Oct 30 17:29:21 EDT 2013


https://github.com/krb5/krb5/commit/b127d93c2bd276e1b1c8506c1ab5cf8a0d735fbe
commit b127d93c2bd276e1b1c8506c1ab5cf8a0d735fbe
Author: Greg Hudson <ghudson at mit.edu>
Date:   Mon Oct 28 13:09:15 2013 -0400

    Accept anonymous GSS names in kadmind
    
    The krb5 implementation of gss_display_name() reports the name type as
    GSS_C_NT_ANONYMOUS if the client uses an anonymous principal.  Accept
    this name type in gss_name_to_string and gss_to_krb5_name so that
    anonymous kadmin can work.
    
    Also improve code hygiene: call gss_name_to_string from
    gss_to_krb5_name to reduce code repetition; use gss_oid_equal instead
    of pointer comparison for name types; and don't assume that the
    gss_display_name result buffer is zero-terminated.
    
    (cherry picked from commit 664f0d779ddc0aaf54a118a98a21ce7d53d81e08)
    
    ticket: 7740
    version_fixed: 1.12
    status: resolved

 src/kadmin/server/server_stubs.c |   25 +++++++++++++++++++------
 1 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index eb50c2f..446eaca 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -214,15 +214,19 @@ static int cmp_gss_krb5_name(kadm5_server_handle_t handle,
 static int gss_to_krb5_name(kadm5_server_handle_t handle,
                             gss_name_t gss_name, krb5_principal *princ)
 {
-    OM_uint32 status, minor_stat;
+    OM_uint32 minor_stat;
     gss_buffer_desc gss_str;
-    gss_OID gss_type;
     int success;
+    char *s;
 
-    status = gss_display_name(&minor_stat, gss_name, &gss_str, &gss_type);
-    if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
+    if (gss_name_to_string(gss_name, &gss_str) != 0)
+        return 0;
+    if (asprintf(&s, "%.*s", (int)gss_str.length, (char *)gss_str.value) < 0) {
+        gss_release_buffer(&minor_stat, &gss_str);
         return 0;
-    success = (krb5_parse_name(handle->context, gss_str.value, princ) == 0);
+    }
+    success = (krb5_parse_name(handle->context, s, princ) == 0);
+    free(s);
     gss_release_buffer(&minor_stat, &gss_str);
     return success;
 }
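Review bot: Once anonymous names pass this conversion, WELLKNOWN/ANONYMOUS@REALM arrives at the kadmind ACL matching that follows as an ordinary krb5_principal, so any kadm5.acl wildcard entry broad enough to match it (one with `*` in both components, for instance) would hand its rights to an unauthenticated anonymous client; this is inferred from kadmind's flow rather than shown in the hunk, but the commit message is silent on it and operators with permissive wildcard ACLs should be told. I would add above the function: `/* Anonymous (WELLKNOWN/ANONYMOUS) names are accepted here and are subject to the same ACL matching as authenticated principals. */`. Separately, `%.*s` stops at an embedded NUL, so a display string containing one would be silently truncated before krb5_parse_name and a shorter principal would be checked; krb5's unparser is expected to quote NUL, so this is defensive, but the one-line guard `if (memchr(gss_str.value, '\0', gss_str.length) != NULL)` before the asprintf (releasing the buffer and returning 0) rules the truncation out.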
@@ -232,10 +236,19 @@ gss_name_to_string(gss_name_t gss_name, gss_buffer_desc *str)
 {
     OM_uint32 status, minor_stat;
     gss_OID gss_type;
+    const char pref[] = KRB5_WELLKNOWN_NAMESTR "/" KRB5_ANONYMOUS_PRINCSTR "@";
+    const size_t preflen = sizeof(pref) - 1;
 
     status = gss_display_name(&minor_stat, gss_name, str, &gss_type);
-    if ((status != GSS_S_COMPLETE) || (gss_type != gss_nt_krb5_name))
+    if (status != GSS_S_COMPLETE)
+        return 1;
+    if (gss_oid_equal(gss_type, GSS_C_NT_ANONYMOUS)) {
+        /* Guard against non-krb5 mechs with different anonymous displays. */
+        if (str->length < preflen || memcmp(str->value, pref, preflen) != 0)
+            return 1;
+    } else if (!gss_oid_equal(gss_type, GSS_KRB5_NT_PRINCIPAL_NAME)) {
         return 1;
+    }
     return 0;
 }
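Review bot: Both failure returns after a successful gss_display_name leave the display buffer allocated: the prefix-mismatch `return 1` in the new anonymous branch and the non-krb5-name-type `return 1` below it, while the only caller visible here, gss_to_krb5_name, does not release `*str` when this function fails. In a long-running kadmind each such rejected name leaks one buffer; whether a krb5-mech client can steer a name into these branches is not shown by this hunk, so treat it as hygiene rather than a confirmed remote leak. Add `gss_release_buffer(&minor_stat, str);` before each of those two `return 1` statements and state the ownership contract above the function: `/* On success the caller owns *str and must gss_release_buffer() it; on failure nothing is left allocated. */`. The function's signature line is the hunk's context line and its return type precedes the hunk.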
 

