authorGreg Hudson <ghudson@mit.edu>2009-05-25 16:40:00 +0000
committerGreg Hudson <ghudson@mit.edu>2009-05-25 16:40:00 +0000
commit7e306b5fe4443c3152ecae549b6dac642ee91710 (patch)
treeef6e237bd90c43fe8d5d8400a9313bca6d2d78d5 /src/plugins/preauth/pkinit/pkinit_clnt.c
parentc429f806fe5230762151f2b290175a671e87c711 (diff)
Temporarily disable FAST PKINIT for 1.7 release
There are protocol issues and implementation defects surrounding the combination of FAST and PKINIT currently. To avoid impacting the 1.7 schedule and to avoid creating interoperability problems later, disable the combination until the problems are resolved. ticket: 6501 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22381 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/plugins/preauth/pkinit/pkinit_clnt.c')
-rw-r--r--src/plugins/preauth/pkinit/pkinit_clnt.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 13651c57aa..f7cd99890c 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -40,6 +40,9 @@
#include "pkinit.h"
+/* Remove when FAST PKINIT is settled. */
+#include "../fast_factor.h"
+
#ifdef LONGHORN_BETA_COMPAT
/*
* It is anticipated that all the special checks currently
@@ -1027,10 +1030,19 @@ pkinit_client_process(krb5_context context,
int processing_request = 0;
pkinit_context plgctx = (pkinit_context)plugin_context;
pkinit_req_context reqctx = (pkinit_req_context)request_context;
+ krb5_keyblock *armor_key = NULL;
pkiDebug("pkinit_client_process %p %p %p %p\n",
context, plgctx, reqctx, request);
+ /* Remove (along with armor_key) when FAST PKINIT is settled. */
+ retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key);
+ if (retval == 0 && armor_key != NULL) {
+ /* Don't use PKINIT if also using FAST. */
+ krb5_free_keyblock(context, armor_key);
+ return EINVAL;
+ }
+
if (plgctx == NULL || reqctx == NULL)
return EINVAL;
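Review bot: The new guard in pkinit_client_process fails open: a non-zero return from `fast_get_armor_key` is discarded and execution falls through to the PKINIT path, so if that helper (declared in ../fast_factor.h, not shown here) can fail while FAST armor is in use, the combination this commit means to disable still runs. Consider `if (retval != 0) return retval;` ahead of the armor test, or at least a comment stating why an error from the lookup is safe to ignore. The rejection also returns the same `EINVAL` as the NULL-argument check directly below it, so a `pkiDebug("pkinit_client_process: FAST armor key present, not using PKINIT\n");` before the return would let an operator tell a deliberate refusal from a bad call. The function body starts before and continues past this hunk, so whether `retval` is reset after an ignored failure cannot be confirmed from here.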