From 73a5bc84999adb895f43fd9efc5c667f03656fdb Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Tue, 14 Apr 2020 14:46:32 +1000
Subject: [PATCH] gss: make gss_compare_name comply with RFC2743

Anonymous names should always compare FALSE in GSS_Compare_name(). If the names are being compared at the mechglue layer then we should check for GSS_C_NT_ANONYMOUS.
---
 lib/gssapi/mech/gss_compare_name.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/gssapi/mech/gss_compare_name.c b/lib/gssapi/mech/gss_compare_name.c
index fdeb6c757..b67ab4785 100644
--- a/lib/gssapi/mech/gss_compare_name.c
+++ b/lib/gssapi/mech/gss_compare_name.c
@@ -46,7 +46,10 @@ gss_compare_name(OM_uint32 *minor_status,
 */
 if (name1->gn_value.value && name2->gn_value.value) {
 *name_equal = 1;
- if (!gss_oid_equal(name1->gn_type, name2->gn_type)) {
+ /* RFC 2743: anonymous names always compare false */
+ if (gss_oid_equal(name1->gn_type, GSS_C_NT_ANONYMOUS) ||
+ gss_oid_equal(name2->gn_type, GSS_C_NT_ANONYMOUS) ||
+ !gss_oid_equal(name1->gn_type, name2->gn_type)) {
 *name_equal = 0;
 } else if (name1->gn_value.length != name2->gn_value.length ||
 memcmp(name1->gn_value.value, name2->gn_value.value,
-- 
2.34.1
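Review bot: The anonymous check only runs inside the `if (name1->gn_value.value && name2->gn_value.value)` branch, so names that take whatever path handles a missing stored value (outside this hunk) are not tested against GSS_C_NT_ANONYMOUS here. The commit message suggests that case is left to the mechanism, which would make the RFC 2743 rule depend on each mechanism's own compare routine. A comment beside the new condition would make that dependency explicit, for example `/* names without gn_value are compared by the mechanism, which must apply the same rule */`. Name comparison results are often used for access decisions, and the diffstat shows no test change, so a regression test that imports two GSS_C_NT_ANONYMOUS names with identical values and asserts `*name_equal == 0` would pin the behaviour. The body of gss_compare_name starts and ends outside the hunk.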