From 8d3ccb41a40a1a1d91474946678bfd5ac23f931a Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Wed, 23 Dec 2009 21:09:56 +0000
Subject: Because there is only one realm field in the kdc request, the KDC remaps WELLKNOWN/ANONYMOUS@realm to WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS. In the client pkinit plugin, do not require that the anonymous realm be used for the anonymous principal.
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/anonymous@23494 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/do_as_req.c | 16 ++++++++++++++++
 src/plugins/preauth/pkinit/pkinit_identity.c | 2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 23f1ddc..4a845ce 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -389,6 +389,22 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
 enc_tkt_reply.caddrs = request->addresses;
 enc_tkt_reply.authorization_data = 0;
+ /* If anonymous requests are being used, adjust the realm of the client principal*/
+ if (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS) {
+ if (!krb5_principal_compare_any_realm(kdc_context, request->client,
+ krb5_anonymous_principal())) {
+ errcode = KRB5KDC_ERR_BADOPTION;
+ status = "Anonymous requested but anonymous principal not used.";
+ goto errout;
+ }
+ krb5_free_principal(kdc_context, request->client);
+ errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
+ &request->client);
+ if (errcode) {
+ status = "Copying anonymous principal";
+ goto errout;
+ }
+ }
 /*
  * Check the preauthentication if it is there.
  */
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index dfb9dd7..0ab214c 100644
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
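Review bot: On the new side, `krb5_free_principal(kdc_context, request->client);` runs before `krb5_copy_principal(...)` has produced a replacement, so when the copy fails `request->client` is left pointing at freed memory as control jumps to `errout`; if that cleanup path logs the client name or frees the request as a whole (it lies outside the hunk), this becomes a use-after-free or double free on an allocation-failure path. Copy into a temporary first and only swap the pointer once the copy exists, as below. process_as_req starts and continues outside the hunk on both sides, and replacing the realm here also affects every later use of `request->client` in it, which appears to be the intent but is worth stating in the comment.
```c
    if (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS) {
        krb5_principal anon_client = NULL;

        /* … unchanged: compare_any_realm check and KRB5KDC_ERR_BADOPTION exit … */

        errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(),
                                      &anon_client);
        if (errcode) {
            status = "Copying anonymous principal";
            goto errout;
        }
        /* Release the request's own principal only once the replacement exists,
         * so request->client is never left dangling on the error path. */
        krb5_free_principal(kdc_context, request->client);
        request->client = anon_client;
    }
```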
@@ -505,7 +505,7 @@ pkinit_identity_initialize(krb5_context context,
 int i;
 pkiDebug("%s: %p %p %p\n", __FUNCTION__, context, idopts, id_cryptoctx);
- if (!krb5_principal_compare (context, princ, krb5_anonymous_principal())) {
+ if (!krb5_principal_compare_any_realm (context, princ, krb5_anonymous_principal())) {
 if (idopts == NULL || id_cryptoctx == NULL) goto errout;
--
cgit v1.1
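Review bot: The added line keeps the old space before the parenthesis, `krb5_principal_compare_any_realm (context, princ, ...)`, while the do_as_req.c hunk in this same commit writes `krb5_principal_compare_any_realm(kdc_context, ...)`; since the line is rewritten anyway, dropping the space keeps the two call sites consistent. Relaxing an exact principal match to a name-only match deliberately widens what this plugin treats as the anonymous principal, so the reason belongs at the call site, e.g. `/* Match the anonymous name in any realm; the KDC remaps its realm (see commit message). */`. pkinit_identity_initialize starts and continues outside the hunk.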