Diffstat (limited to 'src/plugins/preauth')
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_clnt.c | 12 | ||||
| -rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 23 |
2 files changed, 35 insertions, 0 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 13651c57a..f7cd99890 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -40,6 +40,9 @@
 #include "pkinit.h"
 
+/* Remove when FAST PKINIT is settled. */
+#include "../fast_factor.h"
+
 #ifdef LONGHORN_BETA_COMPAT
 /*
  * It is anticipated that all the special checks currently
@@ -1027,10 +1030,19 @@ pkinit_client_process(krb5_context context,
     int processing_request = 0;
     pkinit_context plgctx = (pkinit_context)plugin_context;
     pkinit_req_context reqctx = (pkinit_req_context)request_context;
+    krb5_keyblock *armor_key = NULL;
 
     pkiDebug("pkinit_client_process %p %p %p %p\n",
              context, plgctx, reqctx, request);
 
+    /* Remove (along with armor_key) when FAST PKINIT is settled. */
+    retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key);
+    if (retval == 0 && armor_key != NULL) {
+        /* Don't use PKINIT if also using FAST. */
+        krb5_free_keyblock(context, armor_key);
+        return EINVAL;
+    }
+
     if (plgctx == NULL || reqctx == NULL)
         return EINVAL;
 
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index 228815511..031752974 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -35,6 +35,9 @@
 #include "pkinit.h"
 
+/* Remove when FAST PKINIT is settled. */
+#include "../fast_factor.h"
+
 static krb5_error_code
 pkinit_server_get_edata(krb5_context context,
                         krb5_kdc_req * request,
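Review bot: A failure from `fast_get_armor_key` (retval != 0) is not propagated in the new block of pkinit_client_process: the guard only fires on `retval == 0 && armor_key != NULL`, so a lookup error is treated as "no FAST armor" and PKINIT proceeds with a stale non-zero `retval` in scope; if a later path returns `retval` before reassigning it, the caller gets the armor-lookup error instead of a PKINIT result (the rest of the function is outside the hunk, so that part is inferred). Since the gate exists to keep PKINIT from running under FAST, it should fail closed on an error too: `if (retval != 0) return retval;` ahead of the existing check, or at minimum `retval = 0;` after it so the stale value cannot leak. The same pattern appears in the two pkinit_srv.c hunks (`pkinit_server_get_edata` and `pkinit_server_verify_padata`).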
@@ -146,9 +149,19 @@ pkinit_server_get_edata(krb5_context context,
 {
     krb5_error_code retval = 0;
     pkinit_kdc_context plgctx = NULL;
+    krb5_keyblock *armor_key = NULL;
 
     pkiDebug("pkinit_server_get_edata: entered!\n");
 
+    /* Remove (along with armor_key) when FAST PKINIT is settled. */
+    retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
+                                    client, &armor_key);
+    if (retval == 0 && armor_key != NULL) {
+        /* Don't advertise PKINIT if the client used FAST. */
+        krb5_free_keyblock(context, armor_key);
+        return EINVAL;
+    }
+
     /*
      * If we don't have a realm context for the given realm,
      * don't tell the client that we support pkinit!
@@ -344,11 +357,21 @@ pkinit_server_verify_padata(krb5_context context,
     krb5_authdata **my_authz_data = NULL, *pkinit_authz_data = NULL;
     krb5_kdc_req *tmp_as_req = NULL;
     krb5_data k5data;
+    krb5_keyblock *armor_key;
 
     pkiDebug("pkinit_verify_padata: entered!\n");
 
     if (data == NULL || data->length <= 0 || data->contents == NULL)
         return 0;
 
+    /* Remove (along with armor_key) when FAST PKINIT is settled. */
+    retval = fast_kdc_get_armor_key(context, server_get_entry_data, request,
+                                    client, &armor_key);
+    if (retval == 0 && armor_key != NULL) {
+        /* Don't allow PKINIT if the client used FAST. */
+        krb5_free_keyblock(context, armor_key);
+        return EINVAL;
+    }
+
     if (pa_plugin_context == NULL || e_data == NULL)
         return EINVAL;
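Review bot: `krb5_keyblock *armor_key;` in pkinit_server_verify_padata is declared without an initializer, unlike the `= NULL` used at the other two call sites in this commit; the following `armor_key != NULL` test is then only well-defined if `fast_kdc_get_armor_key` assigns its out-parameter on every path that returns 0, which the hunk does not show. Initialising it, `krb5_keyblock *armor_key = NULL;`, removes the dependency on that contract and keeps the three sites consistent. The enclosing function continues outside the hunk.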
