From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 2 Nov 2021 01:52:22 +0000 (+1300)
Subject: Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"
X-Git-Tag: samba-4.13.14~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1c5a0ef89c947545ae63ac67413e29a5f86e8987;p=thirdparty%2Fsamba.git

Revert "CVE-2020-25719 heimdal:kdc: Require authdata to be present"

This reverts an earlier commit that was incorrect.

It is not Samba practice to include a revert, but at this point in
the patch preperation the ripple though the knownfail files is
more trouble than can be justified.

It is not correct to refuse to parse all tickets with no authorization
data, only for the KDC to require that a PAC is found, which is done
in "heimdal:kdc: Require PAC to be present"

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---

diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c
index 749d0fdb4eb..05bcc523080 100644
--- a/source4/heimdal/lib/krb5/pac.c
+++ b/source4/heimdal/lib/krb5/pac.c
@@ -1369,7 +1369,7 @@ _krb5_kdc_pac_ticket_parse(krb5_context context,
     *ppac = NULL;
 
     if (ad == NULL || ad->len == 0)
-	return KRB5KDC_ERR_BADOPTION;
+	return 0;
 
     for (i = 0; i < ad->len; i++) {
 	AuthorizationData child;