CVE-2019-14870: Validate client attributes in protocol-transition

Signed-off-by: Isaac Boukris <iboukris@gmail.com>

kdc/krb5tgs.c

@@ -2035,6 +2035,7 @@ server_lookup:
 
 	sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
 	if (sdata) {
+	    struct astgs_request_desc imp_req;
 	    krb5_crypto crypto;
 	    krb5_data datack;
 	    PA_S4U2Self self;
@@ -2142,6 +2143,20 @@ server_lookup:
 		goto out;
 	    }
 
+	    /* Ignore require_pwchange and pw_end attributes (as Windows does),
+	     * since S4U2Self is not password authentication. */
+	    s4u2self_impersonated_client->entry.flags.require_pwchange = FALSE;
+	    free(s4u2self_impersonated_client->entry.pw_end);
+	    s4u2self_impersonated_client->entry.pw_end = NULL;
+
+	    imp_req = *priv;
+	    imp_req.client = s4u2self_impersonated_client;
+	    imp_req.client_princ = tp;
+
+	    ret = kdc_check_flags(&imp_req, FALSE);
+	    if (ret)
+		goto out;
+
 	    /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
 	    if(rspac.data) {
 		krb5_pac p = NULL;

tests/kdc/check-kdc.in

@@ -811,6 +811,14 @@ echo "test impersonate unknown client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
 	{ ec=1 ; eval "${testfailed}"; }
 
+echo "test impersonate account-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "test impersonate pw-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+
 echo "test delegate sensitive client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
 	{ ec=1 ; eval "${testfailed}"; }