From 77b480d2a07f51ffdec825f700949cffef5163f6 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Thu, 7 Nov 2019 00:05:05 +0100
Subject: [PATCH] CVE-2019-14870: Validate client attributes in protocol-transition
Signed-off-by: Isaac Boukris
---
 kdc/krb5tgs.c | 15 +++++++++++++++
 tests/kdc/check-kdc.in | 8 ++++++++
 2 files changed, 23 insertions(+)
diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
index e4b7c87fd..d6cd202a4 100644
--- a/kdc/krb5tgs.c
+++ b/kdc/krb5tgs.c
@@ -2035,6 +2035,7 @@ server_lookup:
 sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
 if (sdata) {
+ struct astgs_request_desc imp_req;
 krb5_crypto crypto;
 krb5_data datack;
 PA_S4U2Self self;
@@ -2142,6 +2143,20 @@ server_lookup:
 goto out;
 }
+ /* Ignore require_pwchange and pw_end attributes (as Windows does),
+ * since S4U2Self is not password authentication. */
+ s4u2self_impersonated_client->entry.flags.require_pwchange = FALSE;
+ free(s4u2self_impersonated_client->entry.pw_end);
+ s4u2self_impersonated_client->entry.pw_end = NULL;
+ imp_req = *priv;
+ imp_req.client = s4u2self_impersonated_client;
+ imp_req.client_princ = tp;
+ ret = kdc_check_flags(&imp_req, FALSE);
+ if (ret)
+ goto out;
+
 /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
 if(rspac.data) {
 krb5_pac p = NULL;
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index 6874bf3d7..47181f926 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
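Review bot: `imp_req = *priv;` in the second krb5tgs.c hunk is a shallow by-value copy of the request, so anything `kdc_check_flags()` records on the request it is handed — an error text, or a cached client-name string it may use when logging a rejected client — either stays on the throw-away copy or still describes the original requester rather than the impersonated principal; it is worth confirming which request fields that function reads and writes and either updating them on the copy or documenting the limitation, e.g. `/* Shallow copy: only client/client_princ are swapped; other fields still describe the requesting service. */`. The copy also keeps `priv`'s server and ticket state, so if `kdc_check_flags()` validates the server entry as well, those checks are simply repeated for the requesting service — harmless, but a one-line comment saying this is intended would spare the next reader the question. Clearing `require_pwchange` and freeing `pw_end` mutates the fetched entry for the remainder of the request, including the PAC fix-up that follows, so the existing comment should state that the change is deliberately persistent rather than local to this check. The enclosing `if (sdata)` block opens in the first hunk and continues past this one.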
@@ -811,6 +811,14 @@ echo "test impersonate unknown client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
 { ec=1 ; eval "${testfailed}"; }
+echo "test impersonate account-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "test impersonate pw-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+
 echo "test delegate sensitive client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
 { ec=1 ; eval "${testfailed}"; }
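Review bot: The two new cases depend on principals `account-expired@${R}` and `pw-expired@${R}` existing in the test database with an expired account and an expired password respectively, but nothing in this hunk creates them, so the test setup elsewhere in check-kdc.in (outside this hunk) needs to add them or the new cases will fail for the wrong reason. The `pw-expired` case asserts success (`||`) while `account-expired` asserts failure (`&&`), which is only correct given the KDC change that ignores `pw_end` and `require_pwchange` for S4U2Self; a comment above it such as `# S4U2Self is not password authentication, so an expired password must not block impersonation (CVE-2019-14870)` would make the asymmetry deliberate to a reader of the script alone.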