From ba5bb074950b029f59f11a44cf20315aae70d4fb Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 13 Nov 2019 17:42:25 -0600
Subject: [PATCH] krb5: disable automatic kx509 by default

---
 lib/krb5/cache.c | 22 ++++++++++++++--------
 tests/kdc/krb5-pkinit.conf.in | 1 +
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/lib/krb5/cache.c b/lib/krb5/cache.c
index 4fb60d996..709049c21 100644
--- a/lib/krb5/cache.c
+++ b/lib/krb5/cache.c
@@ -809,14 +809,20 @@ krb5_cc_close(krb5_context context,
 */
 if (id->cc_initialized && id->cc_start_tgt_stored && !id->cc_kx509_done && strcmp("MEMORY", krb5_cc_get_type(context, id)) != 0) {
- _krb5_debug(context, 2, "attempting to fetch a certificate using "
- "kx509");
- ret = krb5_kx509(context, id, NULL);
- if (ret)
- _krb5_debug(context, 2, "failed to fetch a certificate");
- else
- _krb5_debug(context, 2, "fetched a certificate");
- ret = 0;
+ krb5_boolean enabled;
+
+ krb5_appdefault_boolean(context, NULL, NULL, "enable_kx509", FALSE,
+ &enabled);
+ if (enabled) {
+ _krb5_debug(context, 2, "attempting to fetch a certificate using "
+ "kx509");
+ ret = krb5_kx509(context, id, NULL);
+ if (ret)
+ _krb5_debug(context, 2, "failed to fetch a certificate");
+ else
+ _krb5_debug(context, 2, "fetched a certificate");
+ ret = 0;
+ }
 }
 ret = (*id->ops->close)(context, id);
diff --git a/tests/kdc/krb5-pkinit.conf.in b/tests/kdc/krb5-pkinit.conf.in
index 5f3d0ce80..b8fb623f7 100644
--- a/tests/kdc/krb5-pkinit.conf.in
+++ b/tests/kdc/krb5-pkinit.conf.in
@@ -2,6 +2,7 @@
 default_realm = TEST.H5L.SE
 no-addresses = TRUE
 allow_weak_crypto = TRUE
+ enable_kx509 = true
 [appdefaults]
 pkinit_anchors = FILE:@objdir@/ca.crt
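Review bot: The new gate reads `enabled` without initializing it, so whether kx509 stays off depends entirely on krb5_appdefault_boolean always storing through its last argument; since this check exists to keep a network round-trip to the KDC opt-in, it should fail closed on its own — `krb5_boolean enabled = FALSE;`. The `ret = 0;` kept inside the new `if (enabled)` block is dead, because `ret` is overwritten by `ret = (*id->ops->close)(context, id);` immediately after the block. Passing `NULL` as the realm means a per-realm `[appdefaults]` override cannot switch kx509 on for one realm only; if that granularity is wanted, the realm of the ccache's client principal would have to be looked up here (not shown in the hunk). The patch introduces the `enable_kx509` option without any documentation; a short why-comment above the lookup, `/* kx509 on close talks to the KDC; keep it opt-in via enable_kx509. */`, plus an entry in the krb5.conf manual if the tree has one, would help. krb5_cc_close starts and ends outside this hunk.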
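Review bot: The added `enable_kx509 = true` is placed in the section that holds `default_realm` (its header is outside the hunk, presumably `[libdefaults]`), while cache.c looks the option up through krb5_appdefault_boolean; whether that lookup also consults this section rather than only `[appdefaults]` is not visible here and should be confirmed, otherwise the test would silently run with kx509 still disabled. For consistency with the neighbouring `no-addresses = TRUE` and `allow_weak_crypto = TRUE`, write `enable_kx509 = TRUE`.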