krb5: disable automatic kx509 by default

2019-11-13 17:42:25 -06:00
parent 84ffa22c93
commit ba5bb07495
2 changed files with 15 additions and 8 deletions
--- a/lib/krb5/cache.c
+++ b/lib/krb5/cache.c
@@ -809,14 +809,20 @@ krb5_cc_close(krb5_context context,
     */
    if (id->cc_initialized && id->cc_start_tgt_stored && !id->cc_kx509_done &&
        strcmp("MEMORY", krb5_cc_get_type(context, id)) != 0) {
-        _krb5_debug(context, 2, "attempting to fetch a certificate using "
-                    "kx509");
-        ret = krb5_kx509(context, id, NULL);
-        if (ret)
-            _krb5_debug(context, 2, "failed to fetch a certificate");
-        else
-            _krb5_debug(context, 2, "fetched a certificate");
-        ret = 0;
+        krb5_boolean enabled;
+
+        krb5_appdefault_boolean(context, NULL, NULL, "enable_kx509", FALSE,
+                                &enabled);
+        if (enabled) {
+            _krb5_debug(context, 2, "attempting to fetch a certificate using "
+                        "kx509");
+            ret = krb5_kx509(context, id, NULL);
+            if (ret)
+                _krb5_debug(context, 2, "failed to fetch a certificate");
+            else
+                _krb5_debug(context, 2, "fetched a certificate");
+            ret = 0;
+        }
    }

    ret = (*id->ops->close)(context, id);
--- a/tests/kdc/krb5-pkinit.conf.in
+++ b/tests/kdc/krb5-pkinit.conf.in
@@ -2,6 +2,7 @@
 	default_realm = TEST.H5L.SE
 	no-addresses = TRUE
 	allow_weak_crypto = TRUE
+        enable_kx509 = true

 [appdefaults]
 	pkinit_anchors = FILE:@objdir@/ca.crt