From 6d8c598d7c226b0fb594892b261386c37b47da1e Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Fri, 3 Aug 2018 11:07:03 -0400 Subject: [PATCH] Don't tag S4U2Proxy result creds as user-to-user S4U2Proxy and user-to-user tickets are both obtained using a second-ticket input, but only user-to-user tickets are encrypted in the session key of the second ticket. In gc_via_tkt.c, stop deducing the is_skey flag from the presence of a second ticket and instead set it based on the request KDC options. ticket: 8721 (new)
---
 src/lib/krb5/krb/gc_via_tkt.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index e7a3b01f83..3d0859b412 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -34,7 +34,8 @@
 #include "fast.h"

 static krb5_error_code
-kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *address,
+kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep,
+ krb5_address *const *address, krb5_boolean is_skey,
 krb5_data *psectkt, krb5_creds **ppcreds)
 {
 krb5_error_code retval;
@@ -69,7 +70,7 @@ kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *a
 (*ppcreds)->magic = KV5M_CREDS;

 (*ppcreds)->authdata = NULL; /* not used */
- (*ppcreds)->is_skey = psectkt->length != 0;
+ (*ppcreds)->is_skey = is_skey;

 if (pkdcrep->enc_part2->caddrs) {
 if ((retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs,
@@ -174,7 +175,7 @@ krb5int_process_tgs_reply(krb5_context context,
 krb5_error_code retval;
 krb5_kdc_rep *dec_rep = NULL;
 krb5_error *err_reply = NULL;
- krb5_boolean s4u2self;
+ krb5_boolean s4u2self, is_skey;

 s4u2self = krb5int_find_pa_data(context, in_padata,
 KRB5_PADATA_S4U_X509_USER) ||
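Review bot: The new `is_skey` parameter of `kdcrep2creds` is added without any comment saying what it means or who is responsible for computing it, and since the function's body continues outside the hunk a reader at the signature cannot see that it replaces the old `psectkt->length != 0` deduction. The commit message carries the important security fact, that both S4U2Proxy and user-to-user requests supply a second ticket while only user-to-user tickets are encrypted in its session key, but nothing in the code does. I would put that at the declaration: `/* is_skey: caller sets this from KDC_OPT_ENC_TKT_IN_SKEY; a non-empty psectkt alone does not imply user-to-user, since S4U2Proxy also passes one. */`. Whether `psectkt` is still used for anything else inside the function is not visible here.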
@@ -310,7 +311,8 @@ krb5int_process_tgs_reply(krb5_context context,
 dec_rep->enc_part2->enc_padata = NULL;
 }

- retval = kdcrep2creds(context, dec_rep, address,
+ is_skey = (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY);
+ retval = kdcrep2creds(context, dec_rep, address, is_skey,
 &in_cred->second_ticket, out_cred);
 if (retval != 0)
 goto cleanup;
-- 
2.47.2
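Review bot: `is_skey = (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY);` stores the raw masked flag bit in a `krb5_boolean` rather than a normalized 0/1, so unless `KDC_OPT_ENC_TKT_IN_SKEY` happens to be bit 0 (its value is not visible here) `is_skey` holds a value other than `TRUE`, and that value is what ends up in `(*ppcreds)->is_skey`. That is harmless for plain truthiness tests, but any consumer that compares the field against `TRUE` or narrows it when storing the credential would see something different from what the user-to-user path previously produced with `psectkt->length != 0`. I would normalize at the assignment: `is_skey = (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) != 0;`. The enclosing `krb5int_process_tgs_reply` starts before this hunk and, given the `goto cleanup`, continues after it.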