| field | value | date / path |
|---|---|---|
| author | Greg Hudson <ghudson@mit.edu> | 2020-02-24 15:58:59 -0500 |
| committer | Greg Hudson <ghudson@mit.edu> | 2020-02-27 15:16:35 -0500 |
| commit | 50fb43b4a2d97ce2cd53e1ced30e8e8224fede70 (patch) | |
| tree | aeded830b2775fd69728621aaa65285b2664302c | /src/include |
| parent | 109e30ce22c20f18b8233119f274935bdf573886 (diff) | |
| download | krb5-50fb43b4a2d97ce2cd53e1ced30e8e8224fede70.zip, krb5-50fb43b4a2d97ce2cd53e1ced30e8e8224fede70.tar.gz, krb5-50fb43b4a2d97ce2cd53e1ced30e8e8224fede70.tar.bz2 | |
Allow certauth modules to set hw-authent flag
In PKINIT, if a certauth module returns KRB5_CERTAUTH_HWAUTH from its
authorize method, set the hw-authent flag in the ticket.
ticket: 8879 (new)
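The commit message describes a new success-style return value, KRB5_CERTAUTH_HWAUTH, that a certauth module's authorize method can hand back so the KDC sets hw-authent in the ticket. What that means for the caller that loops over all loaded modules is not shown on this page, so the following is an added example (not krb5's own code, and not the logic in pkinit_srv.c) of how such an aggregation has to be written once a non-zero return can mean "authorized". The EX_* constants are stand-in values invented for this example; the real codes live in krb5's error tables and their numeric values are not reproduced here. The names aggregate_certauth, certauth_result and legacy_caller_accepts are likewise assumptions for illustration.

```c
#include <stddef.h>
#include <stdbool.h>

/*
 * Stand-in return codes for this example only.  Only their distinctness
 * matters; the real krb5 values are defined in krb5's error tables, not here.
 */
#define EX_OK                                 0
#define EX_CERTAUTH_HWAUTH                    1 /* authorized AND hardware-backed */
#define EX_PLUGIN_NO_HANDLE                   2 /* module has no opinion         */
#define EX_KDC_ERR_CLIENT_NAME_MISMATCH       3 /* incorrect SAN value          */
#define EX_KDC_ERR_INCONSISTENT_KEY_PURPOSE   4 /* incorrect EKU                */
#define EX_KDC_ERR_CERTIFICATE_MISMATCH       5 /* other extension error        */

typedef struct {
    bool authorized;  /* at least one module accepted the cert, none rejected */
    bool hw_authent;  /* set the hw-authent flag in the issued ticket         */
    int  error;       /* first rejecting module's error, or EX_OK             */
} certauth_result;

/*
 * Aggregate the authorize() results of all loaded certauth modules, given in
 * load order (this is a model of the caller side, not krb5's implementation).
 *
 * Rules modelled here:
 *   - EX_OK and EX_CERTAUTH_HWAUTH both count as "authorized";
 *   - EX_CERTAUTH_HWAUTH additionally requests the hw-authent flag;
 *   - EX_PLUGIN_NO_HANDLE is skipped;
 *   - any other code is a rejection and wins over every acceptance, so a
 *     later module cannot re-authorize a cert an earlier one rejected and
 *     the hw-authent flag is never set on a rejected request.
 */
certauth_result
aggregate_certauth(const int *rets, size_t n)
{
    certauth_result r = { false, false, EX_OK };

    for (size_t i = 0; i < n; i++) {
        int ret = rets[i];

        if (ret == EX_OK) {
            r.authorized = true;
        } else if (ret == EX_CERTAUTH_HWAUTH) {
            r.authorized = true;
            r.hw_authent = true;
        } else if (ret == EX_PLUGIN_NO_HANDLE) {
            continue;
        } else {
            /* A rejection is fatal: drop any acceptance seen so far. */
            r.authorized = false;
            r.hw_authent = false;
            r.error = ret;
            return r;
        }
    }
    /* If no module accepted, r.authorized stays false; the caller must
     * treat that as a failure even though r.error is EX_OK. */
    return r;
}

/*
 * The pitfall the new return value introduces: a caller written when 0 was
 * the only success code.  With EX_CERTAUTH_HWAUTH this silently turns a
 * hardware-backed authorization into a rejection.
 */
bool
legacy_caller_accepts(int ret)
{
    return ret == 0;
}

/* The corrected check: both success codes are accepted, nothing else is. */
bool
caller_accepts(int ret)
{
    return ret == EX_OK || ret == EX_CERTAUTH_HWAUTH;
}
```

The important design choice is that a rejection from any module overrides acceptances from the others and clears the hw-authent request, so the flag can never be asserted on a ticket the KDC does not issue. The legacy_caller_accepts function is kept only to show the regression an unmodified caller would exhibit; existing code that checks `ret != 0` on the authorize result needs the caller_accepts form instead.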
Diffstat (limited to 'src/include')
-rw-r--r-- | src/include/krb5/certauth_plugin.h | 9 |
1 file changed, 6 insertions, 3 deletions
diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h index 3074790..3466cf3 100644 --- a/src/include/krb5/certauth_plugin.h +++ b/src/include/krb5/certauth_plugin.h @@ -85,14 +85,17 @@ typedef void (*krb5_certauth_fini_fn)(krb5_context context, krb5_certauth_moddata moddata); /* - * Mandatory: - * Return 0 if the DER-encoded cert is authorized for PKINIT authentication by - * princ; otherwise return one of the following error codes: + * Mandatory: return 0 or KRB5_CERTAUTH_HWAUTH if the DER-encoded cert is + * authorized for PKINIT authentication by princ; otherwise return one of the + * following error codes: * - KRB5KDC_ERR_CLIENT_NAME_MISMATCH - incorrect SAN value * - KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE - incorrect EKU * - KRB5KDC_ERR_CERTIFICATE_MISMATCH - other extension error * - KRB5_PLUGIN_NO_HANDLE - the module has no opinion about cert * + * Returning KRB5_CERTAUTH_HWAUTH will cause the hw-authent flag to be set in + * the issued ticket (new in release 1.19). + * * - opts is used by built-in modules to receive internal data, and must be * ignored by other modules. * - db_entry receives the client principal database entry, and can be ignored |
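Review bot: KRB5_CERTAUTH_HWAUTH is referenced by the new comment text in this hunk but is neither defined here nor attributed to the header that declares it, and since this hunk is the only change under src/include (6 insertions, 3 deletions, all in this file), a module author reading certauth_plugin.h alone cannot find the value; add a line saying where it is declared. The comment should also say explicitly that it is a non-zero return that callers must treat as success, because any existing authorize() caller using `if (ret != 0)` would turn a hardware-backed authorization into a rejection. Finally, "Returning KRB5_CERTAUTH_HWAUTH will cause the hw-authent flag to be set" leaves open what happens when several modules are loaded and one returns 0 while another returns KRB5_CERTAUTH_HWAUTH, or when a later module returns an error after an earlier one returned KRB5_CERTAUTH_HWAUTH; stating the combination rule in the comment would save plugin authors from guessing.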