From bf7f31ee0959c20365b68b71540a66df005ba168 Mon Sep 17 00:00:00 2001
From: Chaskiel Grundman
Date: Wed, 2 Jul 2014 20:49:16 -0400
Subject: [PATCH] Include empty PKINIT-KX padata

rfc6112 requires kdcs implementing anonymous PKINIT to include an empty PKINIT-KX padata in PREAUTH_REQUIRED messages. Including this improves compatibility with MIT kerberos.
---
 kdc/kerberos5.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index f30875903..757ca9af2 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -717,9 +717,14 @@ static const struct kdc_patypes pat[] = {
 KRB5_PADATA_PK_AS_REQ_WIN, "PK-INIT(win2k)", PA_ANNOUNCE,
 pa_pkinit_validate
 },
+ {
+ KRB5_PADATA_PKINIT_KX, "Anonymous PK-INIT", PA_ANNOUNCE,
+ NULL
+ },
 #else
 { KRB5_PADATA_PK_AS_REQ, "PK-INIT(ietf)", 0, NULL },
 { KRB5_PADATA_PK_AS_REQ_WIN, "PK-INIT(win2k)", 0, NULL },
+ { KRB5_PADATA_PKINIT_KX, "Anonymous PK-INIT", 0, NULL },
 #endif
 { KRB5_PADATA_PA_PK_OCSP_RESPONSE , "OCSP", 0, NULL },
 {
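Review bot: The new `KRB5_PADATA_PKINIT_KX` row in the PKINIT branch is the only visible `PA_ANNOUNCE` entry with a `NULL` validate callback, so any loop that calls `pat[n].validate` on client-supplied padata has to skip NULL entries. That loop is outside the hunk; the existing `NULL` rows (OCSP and the `#else` entries) suggest it already does, but this should be confirmed because a NULL call here would be reachable before authentication. The row is also announced whenever PKINIT is compiled in, and the hunk does not show the announcement being gated on any runtime setting for anonymous tickets, so a KDC with anonymous requests disabled may still advertise the capability. A short comment on the row would record the intent, e.g. `/* RFC 6112: announce-only empty padata, no validator */`. The `pat[]` initializer starts and ends outside the hunk.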