CVE-2019-14870: Validate client attributes in protocol-transition

Signed-off-by: Isaac Boukris <iboukris@gmail.com>

Gbp-Pq: Name 0020-CVE-2019-14870-Validate-client-attributes-in-protoco.patch

kdc/krb5tgs.c

@@ -2125,6 +2125,17 @@ server_lookup:
 		goto out;
 	    }
 
+	    /* Ignore require_pwchange and pw_end attributes (as Windows does),
+	     * since S4U2Self is not password authentication. */
+	    s4u2self_impersonated_client->entry.flags.require_pwchange = FALSE;
+	    free(s4u2self_impersonated_client->entry.pw_end);
+	    s4u2self_impersonated_client->entry.pw_end = NULL;
+
+	    ret = kdc_check_flags(context, config, s4u2self_impersonated_client, tpn,
+				  NULL, NULL, FALSE);
+	    if (ret)
+		goto out;
+
 	    /* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
 	    if(rspac.data) {
 		krb5_pac p = NULL;

tests/kdc/check-kdc.in

@@ -811,6 +811,14 @@ echo "test impersonate unknown client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \
 	{ ec=1 ; eval "${testfailed}"; }
 
+echo "test impersonate account-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \
+	{ ec=1 ; eval "${testfailed}"; }
+
+echo "test impersonate pw-expired client"; > messages.log
+${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \
+	{ ec=1 ; eval "${testfailed}"; }
+
 echo "test delegate sensitive client"; > messages.log
 ${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \
 	{ ec=1 ; eval "${testfailed}"; }