- krb5_pa_data *fx_error_pa;
- krb5_pa_data **result = NULL;
- krb5_data scratch, *encoded_td = NULL;
- krb5_error *fx_error = NULL;
- krb5_fast_response *fast_response = NULL;
- retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
- if (retval == 0)
- retval = decrypt_fast_reply(context, state, result, &fast_response);
- if (retval) {
- /*This can happen if the KDC does not understand FAST. We
- * don't expect that, but treating it as the fatal error
- * indicated by the KDC seems reasonable.
- */
- *retry = 0;
- krb5_free_pa_data(context, result);
- return 0;
- }
- krb5_free_pa_data(context, result);
- result = NULL;
- if (retval == 0) {
- fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR);
- if (fx_error_pa == NULL) {
- krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container");
- retval = KRB5KDC_ERR_PREAUTH_FAILED;
- }
- }
- if (retval == 0) {
- scratch.data = (char *) fx_error_pa->contents;
- scratch.length = fx_error_pa->length;
- retval = decode_krb5_error(&scratch, &fx_error);
- }
- /*
- * krb5_pa_data and krb5_typed_data are safe to cast between:
- * they have the same type fields in the same order.
- * (krb5_preauthtype is a krb5_int32). If krb5_typed_data is
- * ever changed then this will need to be a copy not a cast.
- */
- if (retval == 0)
- retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata,
- &encoded_td);
- if (retval == 0) {
- fx_error->e_data = *encoded_td;
- free(encoded_td); /*contents owned by fx_error*/
- encoded_td = NULL;
- krb5_free_error(context, err_reply);
- *err_replyptr = fx_error;
- fx_error = NULL;
- *out_padata = fast_response->padata;
- fast_response->padata = NULL;
- /*
- * If there is more than the fx_error padata, then we want
- * to retry the error if a cookie is present
- */
- *retry = (*out_padata)[1] != NULL;
- if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL)
- *retry = 0;
- }
- if (fx_error)
- krb5_free_error(context, fx_error);
- krb5_free_fast_response(context, fast_response);
+ krb5_pa_data *fx_error_pa;
+ krb5_pa_data **result = NULL;
+ krb5_data scratch;
+ krb5_error *fx_error = NULL;
+ krb5_fast_response *fast_response = NULL;
+
+ retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
+ if (retval == 0)
+ retval = decrypt_fast_reply(context, state, result,
+ &fast_response);
+ if (retval) {
+ /*
+ * This can happen if the KDC does not understand FAST. We don't
+ * expect that, but treating it as the fatal error indicated by the
+ * KDC seems reasonable.
+ */
+ *retry = 0;
+ krb5_free_pa_data(context, result);
+ return 0;
+ }
+ krb5_free_pa_data(context, result);
+ result = NULL;
+ if (retval == 0) {
+ fx_error_pa = krb5int_find_pa_data(context, fast_response->padata,
+ KRB5_PADATA_FX_ERROR);
+ if (fx_error_pa == NULL) {
+ krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED,
+ _("Expecting FX_ERROR pa-data inside "
+ "FAST container"));
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+ }
+ }
+ if (retval == 0) {
+ scratch.data = (char *) fx_error_pa->contents;
+ scratch.length = fx_error_pa->length;
+ retval = decode_krb5_error(&scratch, &fx_error);
+ }
+ if (retval == 0) {
+ krb5_free_error(context, err_reply);
+ *err_replyptr = fx_error;
+ fx_error = NULL;
+ *out_padata = fast_response->padata;
+ fast_response->padata = NULL;
+ /*
+ * If there is more than the fx_error padata, then we want
+ * to retry the error if a cookie is present
+ */
+ *retry = (*out_padata)[1] != NULL;
+ if (krb5int_find_pa_data(context, *out_padata,
+ KRB5_PADATA_FX_COOKIE) == NULL)
+ *retry = 0;
+ }
+ if (fx_error)
+ krb5_free_error(context, fx_error);
+ krb5_free_fast_response(context, fast_response);