krb5 commit: Don't tag S4U2Proxy result creds as user-to-user

Greg Hudson ghudson at mit.edu
Mon Aug 27 18:19:30 EDT 2018


https://github.com/krb5/krb5/commit/6d8c598d7c226b0fb594892b261386c37b47da1e
commit 6d8c598d7c226b0fb594892b261386c37b47da1e
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Aug 3 11:07:03 2018 -0400

    Don't tag S4U2Proxy result creds as user-to-user
    
    S4U2Proxy and user-to-user tickets are both obtained using a
    second-ticket input, but only user-to-user tickets are encrypted in
    the session key of the second ticket.  In gc_via_tkt.c, stop deducing
    the is_skey flag from the presence of a second ticket and instead set
    it based on the request KDC options.
    
    ticket: 8721 (new)

 src/lib/krb5/krb/gc_via_tkt.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index e7a3b01..3d0859b 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -34,7 +34,8 @@
 #include "fast.h"
 
 static krb5_error_code
-kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *address,
+kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep,
+             krb5_address *const *address, krb5_boolean is_skey,
              krb5_data *psectkt, krb5_creds **ppcreds)
 {
     krb5_error_code retval;
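Review bot: The new `is_skey` parameter is added to kdcrep2creds without any comment explaining what it means, and the name alone does not distinguish "sent with a second ticket" from "encrypted in the second ticket's session key", which is exactly the confusion this commit fixes. I would add a short comment above the prototype, e.g. `/* is_skey: TRUE if the ticket is encrypted in the session key of the second ticket (user-to-user), not merely obtained with one (S4U2Proxy). */`. The body of kdcrep2creds continues past the hunk, so I cannot tell from here whether `psectkt` has any remaining use beyond the removed length test; if it does not, the parameter could be dropped too.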
@@ -69,7 +70,7 @@ kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *a
     (*ppcreds)->magic = KV5M_CREDS;
 
     (*ppcreds)->authdata = NULL;                        /* not used */
-    (*ppcreds)->is_skey = psectkt->length != 0;
+    (*ppcreds)->is_skey = is_skey;
 
     if (pkdcrep->enc_part2->caddrs) {
         if ((retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs,
@@ -174,7 +175,7 @@ krb5int_process_tgs_reply(krb5_context context,
     krb5_error_code retval;
     krb5_kdc_rep *dec_rep = NULL;
     krb5_error *err_reply = NULL;
-    krb5_boolean s4u2self;
+    krb5_boolean s4u2self, is_skey;
 
     s4u2self = krb5int_find_pa_data(context, in_padata,
                                     KRB5_PADATA_S4U_X509_USER) ||
@@ -310,7 +311,8 @@ krb5int_process_tgs_reply(krb5_context context,
         dec_rep->enc_part2->enc_padata = NULL;
     }
 
-    retval = kdcrep2creds(context, dec_rep, address,
+    is_skey = (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY);
+    retval = kdcrep2creds(context, dec_rep, address, is_skey,
                           &in_cred->second_ticket, out_cred);
     if (retval != 0)
         goto cleanup;
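Review bot: The assignment `is_skey = (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY);` stores the raw flag bit in a krb5_boolean, so the variable holds the bit's numeric value rather than 0 or 1; the previous expression on the old side (`psectkt->length != 0`) was a normalized boolean. Any code that compares `is_skey` to TRUE with `==`, or narrows it when serializing the credential, would behave differently from a normalized value, so I would write it as `is_skey = (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY) != 0;`. krb5int_process_tgs_reply starts and ends outside this hunk, so where `kdcoptions` is derived is not visible here.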

