Remove the gak_fct, gak_data, salt, s2kparams, and as_key arguments of krb5_clpreauth_process_fn and krb5_clpreauth_tryagain_fn. To replace them, add two callbacks: one which gets the AS key using the previously selected etype-info2 information, and a second which lets the module replace the AS key with one it has computed. This changes limits module flexibility in a few ways. Modules cannot check whether the AS key was already obtained before asking for it, and they cannot use the etype-info2 salt and s2kparams for purposes other than getting the password-based AS key. It is believed that of existing preauth mechanisms, only SAM-2 preauth needs more flexibility than the new interfaces provide, and as an internal legacy mechanism it can cheat. Future mechanisms should be okay since the current IETF philosophy is that etype-info2 information should not be used for other purposes. https://github.com/krb5/krb5/commit/e389f7a0e7d682a06bc8d2814ad0d86398e815b9 Commit By: ghudson Revision: 25351 Changed Files: U trunk/src/include/k5-int.h U trunk/src/include/krb5/preauth_plugin.h U trunk/src/lib/krb5/krb/get_in_tkt.c U trunk/src/lib/krb5/krb/preauth2.c U trunk/src/lib/krb5/krb/preauth_ec.c U trunk/src/lib/krb5/krb/preauth_encts.c U trunk/src/plugins/preauth/cksum_body/cksum_body_main.c U trunk/src/plugins/preauth/pkinit/pkinit_clnt.c U trunk/src/plugins/preauth/wpse/wpse_main.c