Proposed change to clpreauth tryagain method

ghudson@MIT.EDU ghudson at MIT.EDU
Mon Nov 21 14:10:40 EST 2011

After some private discussion with Sam, I'd like to make one more
change to the preauth framework before 1.10, to address the client
side of the FAST vs. non-FAST preauth e_data mess.  The interface
change looks like:

 typedef krb5_error_code
 (*krb5_clpreauth_tryagain_fn)(krb5_context context,
                               krb5_clpreauth_moddata moddata,
                               krb5_clpreauth_modreq modreq,
                               krb5_get_init_creds_opt *opt,
                               krb5_clpreauth_callbacks cb,
                               krb5_clpreauth_rock rock,
                               krb5_kdc_req *request,
                               krb5_data *encoded_request_body,
                               krb5_data *encoded_previous_request,
-                              krb5_pa_data *pa_data_in,
+                              krb5_preauthtype pa_type,
                               krb5_error *error,
+                              krb5_pa_data **error_padata,
                               krb5_prompter_fct prompter, void *prompter_data,
                               krb5_pa_data ***pa_data_out);
Right now, the pa_data_in parameter to the method is the padata it
generated in the previous request (it's not from the error reply).
The type is important, but it's confusing to get contents there since
the module generally shouldn't care.  So the first change is to
replace that with a pa_type.

The second change is to add an error_padata parameter.  For a FAST
error this will be the array of padata contained in the decrypted FAST
response.  For a non-FAST error this will be the e_data of the error
reply, decoded as either typed data or padata but always presented as

Currently for FAST errors, krb5int_fast_process_error encodes the FAST
response padata as typed data and stuffs that into the (otherwised
unused) e_data field of the inner error.  This is really just a hack
for PKINIT.  After the change, we will stop doing that since PKINIT
will be able to look at the error_padata parameter.

More information about the krbdev mailing list