Add e-data flags to the check_padata paths. Need to propose.
Index: src/plugins/preauth/cksum_body/src/cksum_body.c
===================================================================
--- src/plugins/preauth/cksum_body/src/cksum_body.c (revision 18750)
+++ src/plugins/preauth/cksum_body/src/cksum_body.c (working copy)
@@ -289,7 +289,8 @@
 krb5_pa_data *data,
 preauth_get_entry_data_proc server_get_entry_data,
 void *pa_module_context,
- void **pa_request_context)
+ void **pa_request_context,
+ krb5_data **e_data)
 {
 krb5_int32 cksumtype;
 krb5_checksum checksum;
Index: src/plugins/preauth/wpse/src/wpse.c
===================================================================
--- src/plugins/preauth/wpse/src/wpse.c (revision 18750)
+++ src/plugins/preauth/wpse/src/wpse.c (working copy)
@@ -213,7 +213,8 @@
 krb5_pa_data *data,
 preauth_get_entry_data_proc server_get_entry_data,
 void *pa_module_context,
- void **pa_request_context)
+ void **pa_request_context,
+ krb5_data **e_data)
 {
 krb5_int32 nnonce;
 /* Verify the preauth data. */
Index: src/include/krb5/preauth_plugin.h
===================================================================
--- src/include/krb5/preauth_plugin.h (revision 18750)
+++ src/include/krb5/preauth_plugin.h (working copy)
@@ -262,7 +262,8 @@
 krb5_pa_data *data,
 preauth_get_entry_data_proc,
 void *pa_module_context,
- void **pa_request_context);
+ void **pa_request_context,
+ krb5_data **e_data);
 /* Generate preauthentication response data to send to the client as part
 * of the AS-REP. If it needs to override the key which is used to encrypt
 * the response, it can do so. The module is expected (but not required,
Index: src/kdc/kdc_util.h
===================================================================
--- src/kdc/kdc_util.h (revision 18750)
+++ src/kdc/kdc_util.h (working copy)
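Review bot: The new `e_data` argument on the verify prototype in preauth_plugin.h has no documented contract; the prototype and its comment begin outside the hunk, and nothing visible describes the parameter. The kdc_preauth.c part of this patch releases the returned value with `krb5_free_data()`, so the comment should say so, for example `/* On return *e_data may point to a malloc'ed krb5_data whose ->data is also malloc'ed; the KDC takes ownership and frees it. */`. Since the value appears to travel back in the error reply to a client that has not yet authenticated, the comment should also state that a module must not place secrets or internal state in it. The same signature change in cksum_body.c and wpse.c alters the calling convention for every module, and no interface-version change is visible in this patch, so confirm that modules built against the old header are rejected at load time.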
@@ -152,7 +152,7 @@
 krb5_error_code check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- void **padata_context);
+ void **padata_context, krb5_data *e_data);
 krb5_error_code return_padata (krb5_context context, krb5_db_entry *client,
Index: src/kdc/kdc_preauth.c
===================================================================
--- src/kdc/kdc_preauth.c (revision 18750)
+++ src/kdc/kdc_preauth.c (working copy)
@@ -84,7 +84,8 @@
 krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, preauth_get_entry_data_proc get_entry_data, void *pa_module_context,
- void **pa_request_context);
+ void **pa_request_context,
+ krb5_data **e_data);
 typedef krb5_error_code (*edata_proc) (krb5_context, krb5_kdc_req *request,
@@ -133,7 +134,8 @@
 krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, preauth_get_entry_data_proc get_entry_data, void *pa_system_context,
- void **pa_request_context);
+ void **pa_request_context,
+ krb5_data **e_data);
 static krb5_error_code get_etype_info (krb5_context, krb5_kdc_req *request,
@@ -200,7 +202,8 @@
 krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, preauth_get_entry_data_proc get_entry_data, void *pa_module_context,
- void **pa_request_context);
+ void **pa_request_context,
+ krb5_data **e_data);
 static krb5_error_code get_sam_edata (krb5_context, krb5_kdc_req *request,
@@ -865,12 +868,13 @@
 krb5_error_code check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply,
- void **padata_context)
+ void **padata_context, krb5_data *e_data)
 {
 krb5_error_code retval = 0;
 krb5_pa_data **padata;
 krb5_preauth_systems *pa_sys;
 void **pa_context;
+ krb5_data *pa_e_data = NULL;
 int pa_ok = 0, pa_found = 0;
 if (request->padata == 0)
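Review bot: `check_padata()` now writes through its new `krb5_data *e_data` argument, but neither the definition in kdc_preauth.c nor the prototype in kdc_util.h says who owns the result or whether the pointer may be NULL. The copy added later in this function stores a `malloc()`ed buffer in `e_data->data` without looking at what was there before, so the contract should be written down at the definition: `/* e_data must be non-NULL and empty on entry; on return e_data->data, if set, is malloc'ed and must be freed by the caller. */`. The modules receive a `krb5_data **` while this function takes a `krb5_data *`; one line explaining that difference would help the next reader. The function body continues outside this hunk.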
@@ -900,7 +904,7 @@
 retval = pa_sys->verify_padata(context, client, req_pkt, request, enc_tkt_reply, *padata, get_entry_data, pa_sys->pa_sys_context,
- pa_context);
+ pa_context, &pa_e_data);
 if (retval) {
 const char * emsg = krb5_get_error_message (context, retval);
 krb5_klog_syslog (LOG_INFO, "preauth (%s) verify failure: %s",
@@ -918,7 +922,23 @@
 if (pa_sys->flags & PA_SUFFICIENT)
 break;
 }
+ if (pa_e_data != NULL) {
+ krb5_free_data(context, pa_e_data);
+ pa_e_data = NULL;
+ }
 }
+
+ if (pa_e_data != NULL) {
+ e_data->data = malloc(pa_e_data->length);
+ if (e_data->data == NULL) {
+ krb5_free_data(context, pa_e_data);
+ return KRB5KRB_ERR_GENERIC;
+ }
+ memcpy(e_data->data, pa_e_data->data, pa_e_data->length);
+ e_data->length = pa_e_data->length;
+ krb5_free_data(context, pa_e_data);
+ }
+
 if (pa_ok)
 return 0;
@@ -1109,7 +1129,8 @@
 krb5_pa_data *pa,
 preauth_get_entry_data_proc ets_get_entry_data,
 void *pa_system_context,
- void **pa_request_context)
+ void **pa_request_context,
+ krb5_data **e_data)
 {
 krb5_pa_enc_ts * pa_enc = 0;
 krb5_error_code retval;
@@ -2096,7 +2117,8 @@
 krb5_pa_data *pa,
 preauth_get_entry_data_proc sam_get_entry_data,
 void *pa_system_context,
- void **pa_request_context)
+ void **pa_request_context,
+ krb5_data **e_data)
 {
 krb5_error_code retval;
 krb5_data scratch;
Index: src/kdc/do_as_req.c
===================================================================
--- src/kdc/do_as_req.c (revision 18750)
+++ src/kdc/do_as_req.c (working copy)
@@ -262,7 +262,7 @@
 */
 if (request->padata) {
 errcode = check_padata(kdc_context, &client, req_pkt, request,
- &enc_tkt_reply, &pa_context);
+ &enc_tkt_reply, &pa_context, &e_data);
 if (errcode) {
 #ifdef KRBCONF_KDC_MODIFIES_KDB
 /*
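Review bot: The copy block added after the loop in `check_padata()` treats any NULL from `malloc(pa_e_data->length)` as an allocation failure, but a module may return a zero-length `krb5_data`, and `malloc(0)` is allowed to return NULL, so an empty payload can become a spurious `KRB5KRB_ERR_GENERIC`. Skip the allocation and `memcpy()` when `pa_e_data->length == 0` (still freeing `pa_e_data`), and report a real failure as `return ENOMEM;` so the log shows the actual cause. The block also runs when the loop is left through the `PA_SUFFICIENT` break, which skips the per-iteration free and looks like the success branch; a module that succeeds and still sets `*e_data` then makes the function return 0 with `e_data` populated, and whether the caller frees it in that case is not visible here. The early `return` bypasses the remainder of the function, which lies outside this hunk.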
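Review bot: The call in do_as_req.c now lets `check_padata()` fill `e_data`, so the `if (errcode)` branch that follows has to carry the buffer into the error reply and release `e_data.data` on every exit; that code is outside the hunk and cannot be checked from here. If `e_data` can already hold data from an earlier step of this function, the callee overwrites the pointer without freeing it, which would leak on each failed request. A short comment at the call, `/* check_padata may set e_data (malloc'ed); released on the error path */`, would make the ownership visible to the next reader.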