Diffstat (limited to 'src/plugins/preauth/pkinit/pkinit_srv.c')
-rw-r--r--src/plugins/preauth/pkinit/pkinit_srv.c23
1 files changed, 9 insertions, 14 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index b7aea625ad..4a477afec9 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -101,24 +101,21 @@ cleanup:
static krb5_error_code
pkinit_server_get_edata(krb5_context context,
krb5_kdc_req *request,
- krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_callbacks cb,
krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_pa_data *data)
{
krb5_error_code retval = 0;
pkinit_kdc_context plgctx = NULL;
- krb5_keyblock *armor_key = NULL;
+ krb5_keyblock *armor_key = cb->fast_armor(context, rock);
pkiDebug("pkinit_server_get_edata: entered!\n");
/* Remove (along with armor_key) when FAST PKINIT is settled. */
- retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
- if (retval == 0 && armor_key != NULL) {
- /* Don't advertise PKINIT if the client used FAST. */
- krb5_free_keyblock(context, armor_key);
+ /* Don't advertise PKINIT if the client used FAST. */
+ if (armor_key != NULL)
return EINVAL;
- }
/*
* If we don't have a realm context for the given realm,
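Review bot: Nothing in `pkinit_server_get_edata` now records who owns `armor_key`: the removed code released it with `krb5_free_keyblock`, while the new initializer `cb->fast_armor(context, rock)` is followed by no free at all. That is only correct if the callback returns a pointer the KDC still owns, which this page does not show, so the contract is worth stating at the declaration, e.g. `/* Borrowed from the KDC via cb->fast_armor(); must not be freed here. */`. The same applies to the `armor_key` declaration in `pkinit_server_verify_padata` (hunk at -311). The function body continues past the end of this hunk.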
@@ -291,7 +288,7 @@ pkinit_server_verify_padata(krb5_context context,
krb5_kdc_req * request,
krb5_enc_tkt_part * enc_tkt_reply,
krb5_pa_data * data,
- krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_callbacks cb,
krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_verify_respond_fn respond,
@@ -311,7 +308,7 @@ pkinit_server_verify_padata(krb5_context context,
krb5_kdc_req *tmp_as_req = NULL;
krb5_data k5data;
int is_signed = 1;
- krb5_keyblock *armor_key;
+ krb5_keyblock *armor_key = cb->fast_armor(context, rock);
krb5_pa_data **e_data = NULL;
krb5_kdcpreauth_modreq modreq = NULL;
@@ -322,10 +319,8 @@ pkinit_server_verify_padata(krb5_context context,
}
/* Remove (along with armor_key) when FAST PKINIT is settled. */
- retval = fast_kdc_get_armor_key(context, get, rock, &armor_key);
- if (retval == 0 && armor_key != NULL) {
- /* Don't allow PKINIT if the client used FAST. */
- krb5_free_keyblock(context, armor_key);
+ /* Don't allow PKINIT if the client used FAST. */
+ if (armor_key != NULL) {
(*respond)(arg, EINVAL, NULL, NULL, NULL);
return;
}
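Review bot: The FAST rejection in `pkinit_server_verify_padata` hands a bare `EINVAL` to `respond` and leaves no trace, so a KDC operator cannot tell this policy refusal apart from a malformed request. A debug line before the callback, such as `pkiDebug("pkinit_server_verify_padata: refusing PKINIT inside FAST\n");`, would match the entry logging visible in `pkinit_server_get_edata`. The `return EINVAL` in that function has the same gap. The enclosing function starts and ends outside this hunk.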
@@ -700,7 +695,7 @@ pkinit_server_return_padata(krb5_context context,
krb5_kdc_rep * reply,
krb5_keyblock * encrypting_key,
krb5_pa_data ** send_pa,
- krb5_kdcpreauth_get_data_fn get,
+ krb5_kdcpreauth_callbacks cb,
krb5_kdcpreauth_rock rock,
krb5_kdcpreauth_moddata moddata,
krb5_kdcpreauth_modreq modreq)