oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

krb5: disable automatic kx509 by default

Browse Source
This commit is contained in:
Nicolas Williams
2019-11-13 17:42:25 -06:00
parent 84ffa22c93
commit ba5bb07495
2 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/krb5/cache.c
View File

@@ -809,6 +809,11 @@ krb5_cc_close(krb5_context context,
*/ */
if (id->cc_initialized && id->cc_start_tgt_stored && !id->cc_kx509_done && if (id->cc_initialized && id->cc_start_tgt_stored && !id->cc_kx509_done &&
strcmp("MEMORY", krb5_cc_get_type(context, id)) != 0) { strcmp("MEMORY", krb5_cc_get_type(context, id)) != 0) {
krb5_boolean enabled;
krb5_appdefault_boolean(context, NULL, NULL, "enable_kx509", FALSE,
&enabled);
if (enabled) {
_krb5_debug(context, 2, "attempting to fetch a certificate using " _krb5_debug(context, 2, "attempting to fetch a certificate using "
"kx509"); "kx509");
ret = krb5_kx509(context, id, NULL); ret = krb5_kx509(context, id, NULL);
@@ -818,6 +823,7 @@ krb5_cc_close(krb5_context context,
_krb5_debug(context, 2, "fetched a certificate"); _krb5_debug(context, 2, "fetched a certificate");
ret = 0; ret = 0;
} }
}
ret = (*id->ops->close)(context, id); ret = (*id->ops->close)(context, id);
free(id); free(id);

1
tests/kdc/krb5-pkinit.conf.in
View File

@@ -2,6 +2,7 @@
default_realm = TEST.H5L.SE default_realm = TEST.H5L.SE
no-addresses = TRUE no-addresses = TRUE
allow_weak_crypto = TRUE allow_weak_crypto = TRUE
enable_kx509 = true
[appdefaults] [appdefaults]
pkinit_anchors = FILE:@objdir@/ca.crt pkinit_anchors = FILE:@objdir@/ca.crt